Common use of Obligations of Business Associate Clause in Contracts

Obligations of Business Associate. Business Associate agrees to:
i. Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;
ii. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;
iii. Report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;
iv. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
v. Make available protected health information in a designated record set to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.524;
vi. Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526;
vii. To the extent required by regulators, maintain and make available the information required to provide an accounting of disclosures to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.528;
viii. To the extent the Business Associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and
ix. To the extent required by regulators, make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Appears in 18 contracts

Samples: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement

Obligations of Business Associate. (a) Business Associate agrees to: i. Not will not use or disclose protected health information PHI other than as permitted or required by the Agreement this Addendum or as required by law;. ii. Use appropriate safeguards(b) Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Standards, and to prevent use or disclosure of PHI other than as provided for by this Addendum. Business Associate will comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health informationPHI. (c) Business Associate will mitigate, to prevent the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of protected health information other than as provided for PHI by the Agreement; iii. Report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware; iv. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf Business Associate in violation of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;of this Addendum. v. Make available protected health information in a designated record set to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.524; vi. 
Make any amendment(s(d) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526; vii. To the extent required by regulators, maintain and make available the information required to provide an accounting of disclosures to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.528; viii. To the extent the Business Associate is to carry out one or more of covered entity's obligation(s) Covered Entity’s obligations under Subpart E of 45 CFR Part 164, Business Associate will comply with the requirements of 45 CFR Part 164, Subpart E that apply to the covered entity Covered Entity in the performance of such obligation(s); andobligations. ix. To the extent required (e) Business Associate will report to Covered Entity (i) any use or disclosure of PHI not provided for by regulators, make its internal practices, booksthis Addendum of which Business Associate becomes aware, and (ii) any security incident (as defined in 45 CFR § 164.304) of which it becomes aware. Business Associate will notify Covered Entity of any breach of unsecured PHI, as defined in 45 CFR § 164.402, without unreasonable delay and in no case later than 10 calendar days after Business Associate discovers the breach. (f) Business Associate will ensure that any agent, including a subcontractor, that receives PHI from Business Associate, or creates, receives, maintains, or transmits PHI on behalf of Business Associate, agrees to the same restrictions, conditions and requirements that apply to Business Associate with respect to such PHI, and agrees to implement reasonable and appropriate safeguards to protect the security and privacy of such PHI, by entering into an agreement with Business Associate that meets the applicable requirements of the HIPAA Standards. 
(g) Business Associate will make books and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services (“Secretary”) or the Secretary’s designee, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA RulesStandards. (h) At Covered Entity’s request, Business Associate will make available PHI in Business Associate’s possession to enable Covered Entity to respond to a request by an individual for access to PHI in accordance with 45 CFR § 164.524. (i) At Covered Entity’s request, Business Associate will make available PHI in Business Associate’s possession for amendment, and will incorporate any amendments to PHI, in accordance with 42 CFR § 164.526. (j) Business Associate will maintain and will provide to Covered Entity on request such documentation of disclosures of PHI as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Upon receipt of a request for an accounting directly from an individual, Business Associate will provide to the individual an accounting of disclosures made by Business Associate containing the information described in 42 CFR § 164.528.

Appears in 4 contracts

Samples: Pharmacy Services Agreement, Pharmacy Services Agreement, Medical Director Agreement

Obligations of Business Associate. Business Associate With regard to its use and disclosure of PHI, BA agrees tothat: i. Not a. It will not use or further disclose protected health information PHI other than as permitted or required by the Agreement this BAA or as required by law;. ii. Use b. It will use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, safeguards to prevent use or disclosure of protected health information PHI other than as provided for by the Agreement;this BAA. iii. Report c. It will report to covered entity Provider any use or disclosure of protected health information not provided for by the PHI in violation of this Agreement of which it BA becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;. iv. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, d. It will ensure that any subcontractors that createagents, receiveincluding a subcontractor, maintain, or transmit protected health information to whom it provides PHI on behalf of the Business Associate agree Provider, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply to the Business Associate BA with respect to such information;. v. Make available protected health e. It will document any and all disclosures of PHI by BA or its agents, including subcontractors, as well as any other information in a designated record set related to the covered entity as necessary such disclosures of PHI that would be required for Provider to satisfy covered entityrespond to an Individual’s obligations under 45 CFR 164.524; vi. 
Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526; vii. To the extent required by regulators, maintain and make available the information required to provide request for an accounting of disclosures in accordance with 45 C.F.R. 164.528 and will make such documentation and disclosure available to the covered entity as necessary Provider. f. It will, subject to satisfy covered entity’s obligations under 45 CFR 164.528; viii. To the extent the Business Associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164any applicable privilege, comply following consultation with the requirements of Subpart E that apply Provider, make available to the covered entity in Secretary of the performance U.S. Department of such obligation(s); and ix. To the extent required by regulators, make its Health and Human Services (“HHS”) any and all internal practices, books, and records available of BA or its agents, including subcontractors, relating to the Secretary use and disclosure of PHI, for purposes of determining Provider’s compliance with the HIPAA Privacy Rule. g. It will notify Provider of any and all requests by the Secretary of HHS for information prior to any release of information thereunder. h. It will, as required by the HITECH Act, comply with 45 C.F.R. 164.308, 164.310, 164.312, and 164.316 of the Security Rule. i. It will, as required by the HITECH Act, determine the Minimum Necessary PHI to be disclosed for uses, disclosures or requests of or for Provider’s PHI, other than those exempt from the Minimum Necessary requirement specified in 45 C.F.R. 164.502(b)(2), in order to accomplish the intended purpose of the use, disclosure, or request, consistent with the terms of the BAA. 
To the extent practicable and consistent with the terms of the BAA, the Minimum Necessary shall be the information contained in a Limited Data Set, as defined in 45 C.F.R. 164.514(e)(2). j. As required by the HITECH Act, effective not later than six (6) months after the date on which the Secretary publishes applicable final regulations, BA will not, directly or indirectly, receive remuneration in exchange for Provider’s PHI unless BA or Provider has obtained an authorization from the subject Individual(s), which complies with all applicable requirements, or otherwise permitted by the Rules. BA may not rely on any of the foregoing exceptions without advance notice to Provider describing the types of circumstances and the applicable exceptions to be relied upon by BA.

Appears in 2 contracts

Samples: Business Associate Agreement, Business Associate Agreement

Obligations of Business Associate. Business Associate agrees to: i. a) Not use or disclose protected health information PHI other than as permitted or as required by the Contractual Agreement or as required by law;. ii. b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, safeguards to prevent use or disclosure of protected health information the PHI other than as provided for by this BAA. Additionally, Business Associate shall implement Administrative, Physical and Technical Safeguards that reasonably and appropriately protect the Agreement; iii. Report to covered entity any use confidentiality, integrity and availability of the PHI that it creates, receives, maintains or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware; iv. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information transmits on behalf of the Covered Entity as required by the Security Rule. c) Mitigate, to the extent practicable, any harmful effect that is known to Business Associate agree in violation of the requirements of this BAA or the Privacy Rule and to communicate in writing such procedures to Covered Entity, if so requested. d) Ensure that any agent, including a subcontractor, to whom it provides PHI received from or created or received by Business Associate on behalf of Covered Entity, agrees, in writing, to the same restrictions, conditions, restrictions and requirements conditions that apply through this BAA to the Business Associate with respect to such information;information including implementation of reasonable and appropriate safeguards to protect PHI. 
The access and privileges granted to any such agency shall be the minimum necessary to perform the assigned functions. v. Make available protected health information e) Provide reasonable access to PHI to Covered Entity, at the request of Covered Entity, in a designated record set Designated Record Set in order to meet the covered entity as necessary to satisfy covered entity’s obligations under requirements of 45 CFR 164.524;. This provision is applicable only if the Business Associated maintains PHI in a Designated Record Set. vi. f) Make any amendment(s) to protected health information PHI in a designated record set as directed Designated Record Set that the Covered Entity directs or agreed agrees to by the covered entity pursuant to 45 CFR 164.526164.526 at the request of Covered Entity, or take other measures as necessary and within a reasonable time and manner. This provision is applicable only if the Business Associate maintains PHI in a Designated Record Set. g) Comply with Subpart E of 45 CFR, Part 164, if appropriate, to satisfy covered entity’s obligations under 45 CFR 164.526; vii. To the extent required by regulators, maintain and make available the information required to provide an accounting of disclosures to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.528; viii. To the extent the Business Associate is to carry out one or more of covered entity's obligation(sobligations under that provision. h) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and ix. 
To the extent required by regulators, make its Make internal practices, booksbooks and records, including policies and procedures relating to the use and disclosure of PHI, and records any PHI received from or created or received by Business Associate on behalf of Covered Entity, available to the Secretary Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the HIPAA RulesHIPIAA, the Privacy Rule, the Security Rule, the HITECH Act, and the ARRA. i) Document disclosures of PHI and information in its possession related to such disclosures and provide Covered Entity with such information, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. j) Charge a reasonable fee for its services in connection with the access, amendment or accounting of PHI as contemplated under this BAA. k) Report to Covered Entity any use or disclosure of PHI not provided for by this BAA or the Privacy Rule of which it or its officers, employees, agents or subcontractors become aware, including any Security Incident of which it becomes aware, as soon as practicable but no longer than thirty (30) business days after the discovery of such disclosure. Covered Entity agrees that this BAA shall constitute notice and reporting by Business Associate to Covered Entity of unsuccessful Security Incidents which are not reasonably considered by Business Associate to an actual threat to the information system of Business Associate. l) Notify Covered Entity within five (5) business days after it, or any of its employees or agents, reasonably suspects that a breach of unsecured PHI may have occurred. 
Business Associate shall exercise reasonable diligence to become aware of whether a breach of unsecured PHI may have occurred and, except as stated to the contrary in this Section, shall otherwise comply with 45 CFR 164.410 in making the required notification to Covered Entity. Business Associate shall cooperate with Covered Entity in the determination as to whether a breach of unsecured PHI has occurred and whether notification to affected individuals of the breach is required by 45 CFR 164.400 et seq., including continuously providing the Covered Entity with additional information related to the suspected breach as it becomes available. In the event that Covered Entity informs Business Associate that (i) Covered Entity has determined that the affected individuals must be notified because a breach has occurred and

Appears in 2 contracts

Samples: Business Associate Agreement, Business Associate Agreement

Obligations of Business Associate. In the event Business Associate agrees tocreates, receives, maintains, or otherwise is exposed to PHI and otherwise meets the definition of Business Associate as defined in HIPAA, Business Associate shall: i. (a) Comply with the Security Rule (45 C.F.R. Part 160, subpart A and C, and Part 164, subparts A and C), as may be amended, and with the applicable provisions of the Privacy Rule (45 C.F.R. Part 160, subpart A and C, and Part 164, subparts A and E), as may be amended, in carrying out Business Associate’s obligations under the Terms of Use; (b) Not use or disclose protected health information PHI other than as permitted or required by the Agreement Terms of Use or as required by law; ii. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement; iii. Report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware; iv. In accordance with 45 CFR 164.502(e)(1)(ii(c) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; v. Make PHI available protected health information in a designated record set to the covered entity Covered Entity as necessary to satisfy covered entityCovered Entity’s obligations to comply with a request by an Individual (as defined in 45 C.F.R. Section 160.103 and including the Individual's personal representative) for access under 45 CFR 164.524; vi. 
(d) Make any amendment(s) to protected health information PHI in a designated record set as directed or agreed to by the covered entity Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entityCovered Entity’s obligations to comply with an Individual’s request for an amendment under 45 CFR 164.526; vii. To the extent required by regulators, maintain (e) Maintain and make available the information required to provide an accounting of disclosures to the covered entity Covered Entity as necessary to satisfy covered entityCovered Entity’s obligations to comply with an Individual’s request for an accounting of disclosures of PHI under 45 CFR 164.528; viii. (f) To the extent the Business Associate is to carry out one or more of covered entityCovered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity Covered Entity in the performance of such obligation(s); and; ix. To the extent required by regulators, make its (g) Make Business Associate’s internal practices, books, and records available to the Secretary United States Department of Health and Human Services for purposes of determining compliance with regulations promulgated under HIPAA; (h) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the HIPAA Rules.same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; (i) Maintain commercially reasonable and appropriate security safeguards for PHI and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by the Terms of Use and protect the confidentiality and integrity of such PHI created, received, used, maintained or transmitted from, or on behalf of the Covered 
Entity; (j) Report to Covered Entity any use or disclosure of PHI not provided for by the Terms of Use of which Business Associate becomes aware (including breaches of unsecured PHI as required by 45 CFR 164.410) and any Security Incident of which Business Associate becomes aware, in the time and manner specified under 45 C.F.R.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations of Business Associate. Business Associate XXX agrees tothat it will: i. 1. Not use or further disclose protected health information PHI other than as permitted or required by the this Agreement or as required by law; ii2. Use appropriate safeguardssafeguards and comply, and comply where applicable, with Subpart C of 45 CFR Part 164 the HIPAA Security Rule with respect to electronic protected health informationinformation (“e-PHI”) and implement appropriate physical, technical and administrative safeguards to prevent use or disclosure of protected health information PHI other than as provided for by the this Agreement; iii3. Report to covered entity MCEMS any use or disclosure of protected health information PHI not provided for by the this Agreement of which it becomes aware, including any security incident (as defined in the HIPAA Security Rule) and any breaches of unsecured protected health information PHI as required at by 45 CFR §164.410, and . Breaches of unsecured PHI shall be reported to MCEMS without unreasonable delay but in no case later than 60 days after discovery of the breach. EMR is not responsible for any security incident breaches of which it becomes awarethird-party software vendors who store PHI. The covered entity is solely responsible for notifying patients of a breach; iv4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate EMR agree to the same restrictions, conditions, and requirements that apply to the Business Associate EMR with respect to such information; v. 5. 
Make available protected health information PHI in a designated record set available to the covered entity as necessary MCEMS and to satisfy covered entityan individual who has a right of access in a manner that satisfies MCEMS’s obligations under to provide access to PHI in accordance with 45 CFR 164.524§164.524 within 30 days of a request; vi6. Make any amendment(s) to protected health information PHI in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526MCEMS, or take other measures as necessary to satisfy covered entityMCEMS’s obligations under 45 CFR §164.526; vii7. To the extent required by regulators, maintain Maintain and make available the information required to provide an accounting of disclosures to the covered entity MCEMS or an individual who has a right to an accounting within 60 days and as necessary to satisfy covered entityMCEMS’s obligations under 45 CFR §164.528; viii8. To the extent the Business Associate that EMR is to carry out one or more any of covered entity's obligation(s) MCEMS’s obligations under Subpart E of 45 CFR Part 164the HIPAA Privacy Rule, EMR shall comply with the requirements of Subpart E the Privacy Rule that apply to the covered entity in the performance of such obligation(s); andMCEMS when it carries out that obligation; ix9. To the extent required by regulators, make Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by EMR on behalf of MCEMS, available to the Secretary of the Department of Health and Human Services for purposes of determining EMR and MCEMS’s compliance with HIPAA and the HIPAA HITECH Act; 10. Restrict the use or disclosure of PHI if MCEMS notifies EMR of any restriction on the use or disclosure of PHI that MCEMS has agreed to or is required to abide by under 45 CFR §164.522; and 11. 
If MCEMS is subject to the Red Flags Rule (found at 16 CFR §681.1 et seq.), EMR agrees to assist MCEMS in complying with its Red Flags Rule obligations by: (a) implementing policies and procedures to detect relevant Red Flags (as defined under 16 C.F.R. §681.2); (b) taking all steps necessary to comply with the policies and procedures of MCEMS’s Identity Theft Prevention Program; (c) ensuring that any agent or third party who performs services on its behalf in connection with covered accounts of MCEMS agrees to implement reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft; and (d) alerting MCEMS of any Red Flag incident (as defined by the Red Flag Rules) of which it becomes aware, the steps it has taken to mitigate any potential harm that may have occurred, and provide a report to MCEMS of any threat of identity theft as a result of the incident.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations of Business Associate. Business Associate agrees towill: i. 1. Not use or further disclose protected health information PHI other than as permitted or required by the this Agreement or as required by law; ii2. Use appropriate safeguardssafeguards and comply, and comply where applicable, with Subpart C of 45 CFR Part 164 the HIPAA Security Rule with respect to electronic protected health informationinformation (“e‐PHI”) and implement appropriate physical, technical and administrative safeguards to prevent use or disclosure of protected health information PHI other than as provided for by the this Agreement; iii3. Report to covered entity Covered Entity any use or disclosure of protected health information PHI not provided for by the this Agreement of which it becomes aware, including any security incident (as defined in the HIPAA Security Rule) and any breaches of unsecured protected health information PHI as required at by 45 CFR §164.410, and any security incident . Breaches of which it becomes awareunsecured PHI shall be reported to Covered Entity without unreasonable delay but in no case later than 60 days after discovery of the breach; iv4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; v. 5. Make available protected health information PHI in a designated record set available to the covered entity as necessary Covered Entity and to satisfy covered entityan individual who has a right of access in a manner that satisfies Covered Entity’s obligations under to provide access to PHI in accordance with 45 CFR 164.524§164.524 within 30 days of a request; vi6. 
Make any amendment(s) to protected health information PHI in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526Covered Entity, or take other measures as necessary to satisfy covered entityCovered Entity’s obligations under 45 CFR §164.526; vii7. To the extent required by regulators, maintain Maintain and make available the information required to provide an accounting of disclosures to the covered entity Covered Entity or an individual who has a right to an accounting within 60 days and as necessary to satisfy covered entityCovered Entity’s obligations under 45 CFR §164.528; viii8. To the extent the that Business Associate is to carry out one or more any of covered entity's obligation(s) Covered Entity’s obligations under Subpart E of 45 CFR Part 164the HIPAA Privacy Rule, Business Associate shall comply with the requirements of Subpart E the Privacy Rule that apply to the covered entity in the performance of such obligation(s); andCovered Entity when it carries out that obligation; ix9. To the extent required by regulators, make Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of the Department of Health and Human Services for purposes of determining Business Associate’s compliance with HIPAA and the HIPAA HITECH Act; 10. Restrict the use or disclosure of PHI if Covered Entity notifies Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522; and 11. If Covered Entity is subject to the Red Flags Rule (found at 16 CFR §681.1 et seq.), Business Associate agrees to assist Covered Entity in complying with its Red Flags Rule obligations by: (a) implementing policies and procedures to detect relevant Red Flags (as defined under 16 C.F.R. 
§681.2); (b) taking all steps necessary to comply with the policies and procedures of Covered Entity’s Identity Theft Prevention Program; (c) ensuring that any agent or third party who performs services on its behalf in connection with covered accounts of Covered Entity agrees to implement reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft; and (d) alerting Covered Entity of any Red Flag incident (as defined by the Red Flag Rules) of which it becomes aware, the steps it has taken to mitigate any potential harm that may have occurred, and provide a report to Covered Entity of any threat of identity theft as a result of the incident.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations of Business Associate. Business Associate agrees to: 1. Not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; 2. Use appropriate safeguards and comply, where applicable, with the HIPAA Security Rule with respect to electronic protected health information ("e-PHI") and implement appropriate physical, technical and administrative safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement; 3. Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any security incident (as defined in the HIPAA Security Rule) and any breaches of unsecured PHI as required by 45 CFR §164.410, and any security incident of which it becomes aware. Breaches of unsecured PHI shall be reported to Covered Entity without unreasonable delay but in no case later than 15 days after discovery of the breach; 4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; 5. Make PHI in a designated record set available to Covered Entity and to an individual who has a right of access in a manner that satisfies Covered Entity's obligations to provide access to PHI in accordance with 45 CFR §164.524 within 30 days of a request; 6. Make any amendment(s) to PHI in a designated record set as directed or agreed to by Covered Entity, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR §164.526; 7. Maintain and make available the information required to provide an accounting of disclosures to Covered Entity or an individual who has a right to an accounting within 60 days and as necessary to satisfy Covered Entity's obligations under 45 CFR §164.528; 8. To the extent that Business Associate is to carry out any of Covered Entity's obligations under the HIPAA Privacy Rule (Subpart E of 45 CFR Part 164), Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity when it carries out that obligation; 9. Make its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by Business Associate on behalf of Covered Entity, available to the Secretary of the Department of Health and Human Services for purposes of determining Business Associate and Covered Entity's compliance with HIPAA and the HITECH Act; 10. Restrict the use or disclosure of PHI if Covered Entity notifies Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522; and 11. If Covered Entity is subject to the Red Flags Rule (found at 16 CFR §681.1 et seq.), Business Associate agrees to assist Covered Entity in complying with its Red Flags Rule obligations by: (a) implementing policies and procedures to detect relevant Red Flags (as defined under 16 C.F.R. §681.2); (b) taking all steps necessary to comply with the policies and procedures of Covered Entity's Identity Theft Prevention Program; (c) ensuring that any agent or third party who performs services on its behalf in connection with covered accounts of Covered Entity agrees to implement reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft; and (d) alerting Covered Entity of any Red Flag incident (as defined by the Red Flag Rules) of which it becomes aware, the steps it has taken to mitigate any potential harm that may have occurred, and provide a report to Covered Entity of any threat of identity theft as a result of the incident. 12. Business Associate shall indemnify, defend, and hold harmless the Covered Entity and Covered Entity's affiliates ("Indemnified Parties"), from and against any and all losses, expense, damage, or injury (including, without limitation, all costs and reasonable attorney's fees) that the Indemnified Parties may sustain as a result of, or arising out of (a) a breach of this BAA by Business Associate or its agents or Subcontractors, including but not limited to any unauthorized use, disclosure, or breach of PHI, (b) Business Associate's failure to notify any and all parties required to receive notification of any Breach of Unsecured PHI pursuant to Section 2.4, or (c) any negligence or wrongful acts or omissions by Business Associate or its agents or Subcontractors, including without limitations, failure to perform Business Associate's obligations under this BAA, the Privacy Rule, or the Security Rule. Notwithstanding the foregoing, nothing in this Section shall limit any rights any of the Indemnified Parties may have to additional remedies under applicable law for any acts or omissions of Business Associate or its agents or Subcontractors.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations of Business Associate. The Business Associate agrees to: a. use and disclose PHI only as permitted or required by this Addendum or as required by law. b. implement and use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 regarding electronic protected health information, to prevent use or disclosure of PHI other than as provided for in this Addendum. Business Associate must maintain, and provide a copy to the Covered Entity within 10 days of a request from the Covered Entity, a comprehensive written information privacy and security program that includes security measures that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI relative to the size and complexity of the Business Associate’s operations and the nature and the scope of its activities. c. report to the Covered Entity within 24 hours of any use or disclosure of PHI not provided for by this Addendum of which it becomes aware, including breaches of Unsecured Protected Health Information as required by 45 CFR 164.410, and any Security Incident of which it becomes aware. If the Business Associate is responsible for any unauthorized use or disclosure of PHI, it must promptly act as required by applicable federal and State laws and regulations. Covered Entity and the Business Associate will cooperate in investigating whether a breach has occurred, to decide how to provide breach notifications to individuals, the federal Health and Human Services’ Office for Civil Rights, and potentially the media. d. ensure, according to 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate regarding such information. Each subcontractor must sign an agreement with the Business Associate containing substantially the same provisions as this Addendum and further identifying the Covered Entity as a third party beneficiary of the agreement with the subcontractor. Business Associate must implement and maintain sanctions against subcontractors that violate such restrictions and conditions and must mitigate the effects of any such violation. e. make available PHI in a Designated Record Set to the Covered Entity within 10 days of a request from the Covered Entity to satisfy the Covered Entity’s obligations under 45 CFR 164.524. f. within ten days of a request from the Covered Entity, amend PHI in a Designated Record Set under 45 CFR § 164.526. If any individual requests an amendment of PHI directly from the Business Associate or its agents or subcontractors, the Business Associate must notify the Covered Entity in writing within ten days of the request, and then, in that case, only the Covered Entity may either grant or deny the request. g. maintain, and within ten days of a request from the Covered Entity make available the information required to enable the Covered Entity to fulfill its obligations under 45 CFR § 164.528. Business Associate is not required to provide an accounting to the Covered Entity of disclosures: (i) to carry out treatment, payment or health care operations, as set forth in 45 CFR § 164.506; (ii) to individuals of PHI about them as set forth in 45 CFR § 164.502; (iii) under an authorization as provided in 45 CFR § 164.508; (iv) to persons involved in the individual’s care or other notification purposes as set forth in 45 CFR § 164.510; (v) for national security or intelligence purposes as set forth in 45 CFR § 164.512(k)(2); or (vi) to correctional institutions or law enforcement officials as set forth in 45 CFR § 164.512(k)(5); (vii) as part of a limited data set according to 45 CFR 164.514(e); or (viii) that occurred before the compliance date for the Covered Entity. Business Associate agrees to implement a process that allows for an accounting to be collected and maintained by the Business Associate and its agents or subcontractors for at least six years before the request, but not before the compliance date of the Privacy Rule. At a minimum, such information must include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of PHI disclosed; and

Appears in 1 contract

Samples: Contract

Obligations of Business Associate. The Business Associate agrees to: a. use and disclose PHI only as permitted or required by this Addendum or as required by law. b. implement and use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 regarding electronic protected health information, to prevent use or disclosure of PHI other than as provided for in this Addendum. Business Associate must maintain, and provide a copy to the Covered Entity within 10 days of a request from the Covered Entity, a comprehensive written information privacy and security program that includes security measures that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI relative to the size and complexity of the Business Associate’s operations and the nature and the scope of its activities. c. report to the Covered Entity within 24 hours of any use or disclosure of PHI not provided for by this Addendum of which it becomes aware, including breaches of Unsecured Protected Health Information as required by 45 CFR 164.410, and any Security Incident of which it becomes aware. If the Business Associate is responsible for any unauthorized use or disclosure of PHI, it must promptly act as required by applicable federal and State laws and regulations. Covered Entity and the Business Associate will cooperate in investigating whether a breach has occurred, to decide how to provide breach notifications to individuals, the federal Health and Human Services’ Office for Civil Rights, and potentially the media. d. ensure, according to 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate regarding such information. Each subcontractor must sign an agreement with the Business Associate containing substantially the same provisions as this Addendum and further identifying the Covered Entity as a third party beneficiary of the agreement with the subcontractor. Business Associate must implement and maintain sanctions against subcontractors that violate such restrictions and conditions and must mitigate the effects of any such violation. e. make available PHI in a Designated Record Set to the Covered Entity within 10 days of a request from the Covered Entity to satisfy the Covered Entity’s obligations under 45 CFR 164.524. f. within ten days of a request from the Covered Entity, amend PHI in a Designated Record Set under 45 CFR § 164.526. If any individual requests an amendment of PHI directly from the Business Associate or its agents or subcontractors, the Business Associate must notify the Covered Entity in writing within ten days of the request, and then, in that case, only the Covered Entity may either grant or deny the request. g. maintain, and within ten days of a request from the Covered Entity make available the information required to enable the Covered Entity to fulfill its obligations under 45 CFR § 164.528. Business Associate is not required to provide an accounting to the Covered Entity of disclosures: (i) to carry out treatment, payment or health care operations, as set forth in 45 CFR § 164.506; (ii) to individuals of PHI about them as set forth in 45 CFR § 164.502; (iii) under an authorization as provided in 45 CFR § 164.508; (iv) to persons involved in the individual’s care or other notification purposes as set forth in 45 CFR § 164.510; (v) for national security or intelligence purposes as set forth in 45 CFR § 164.512(k)(2); or (vi) to correctional institutions or law enforcement officials as set forth in 45 CFR § 164.512(k)(5); (vii) as part of a limited data set according to 45 CFR 164.514(e); or (viii) that occurred before the compliance date for the Covered Entity. Business Associate agrees to implement a process that allows for an accounting to be collected and maintained by the Business Associate and its agents or subcontractors for at least six years before the request, but not before the compliance date of the Privacy Rule. At a minimum, such information must include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of PHI disclosed; and (iv) a brief statement of purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the individual’s authorization, or a copy of the written request for disclosure. If the request for an accounting is delivered directly to the Business Associate or its agents or subcontractors, the Business Associate must forward it within ten days of the receipt of the request to the Covered Entity in writing. h. to the extent the Business Associate is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity when performing those obligations. i. make its internal practices, books, and records relating to the Business Associate’s use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules. Business Associate must concurrently provide to the Covered Entity a copy of any PHI that the Business Associate provides to the Secretary. j. retain all PHI throughout the term of the Agreement and for a period of six years from the date of creation or the date when it last was in effect, whichever is later, or as required by law. This obligation survives the termination of the Agreement. k. implement policies and procedures for the final disposition of electronic PHI and the hardware and equipment on which it is stored, including but not limited to, the removal of PHI before re-use. l. within ten days after a written request by the Covered Entity, the Business Associate and its agents or subcontractors must allow the Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of PHI under this Addendum for the purpose of determining whether the Business Associate has complied with this Addendum; provided, however, that: (i) the Business Associate and the Covered Entity must mutually agree in advance upon the scope, timing and location of such an inspection; (ii) the Covered Entity must protect the confidentiality of all confidential and proprietary information of the Business Associate to which the Covered Entity has access during the course of such inspection; and (iii) the Covered Entity or the Business Associate must execute a nondisclosure agreement, if requested by the other party. The fact that the Covered Entity inspects, or fails to inspect, or has the right to inspect, the Business Associate’s facilities, systems, books, records, agreements, policies and procedures does not relieve the Business Associate of its responsibility to comply with this Addendum. The Covered Entity’s (i) failure to detect or (ii) detection, but failure to notify the Business Associate or require the Business Associate’s remediation of any unsatisfactory practices, does not constitute acceptance of such practice or a waiver of the Covered Entity’s enforcement rights under this Addendum.

Appears in 1 contract

Samples: Contract

Obligations of Business Associate. Business Associate agrees to: 1. Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law; 2. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement; 3. Report to Covered Entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware; 4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information; 5. Make PHI and PII in a designated record set available to the Covered Entity and to an individual who has a right of access in a manner that satisfies the Covered Entity’s obligations to provide access to PHI and PII in accordance with 45 CFR §164.524 within 30 days of a request; 6. Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; 7. Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity or an individual who has a right to an accounting within 60 days and as necessary to satisfy the Covered Entity’s obligations under 45 CFR §164.528. 8. To the extent the Business Associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and 9. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Appears in 1 contract

Samples: Grant Agreement

Obligations of Business Associate. DM Medical Xxxxxxxx agrees that it will: 1. Not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; 2. Use appropriate safeguards and comply, where applicable, with the HIPAA Security Rule with respect to electronic protected health information (“e-PHI”) and implement appropriate physical, technical and administrative safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement; 3. Report to Williamson County any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any security incident (as defined in the HIPAA Security Rule) and any breaches of unsecured PHI as required by 45 CFR §164.410. Breaches of unsecured PHI shall be reported to Williamson County without unreasonable delay but in no case later than 60 days after discovery of the breach; 4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of DM Medical Xxxxxxxx agree to the same restrictions, conditions, and requirements that apply to DM Medical Xxxxxxxx with respect to such information; 5. Make PHI in a designated record set available to Williamson County and to an individual who has a right of access in a manner and time frame that satisfies Williamson County’s obligations to provide access to PHI in accordance with 45 CFR §164.524 within 30 days of a request; 6. Make any amendment(s) to PHI in a designated record set as directed or agreed to by Williamson County, or take other measures as necessary to satisfy Williamson County’s obligations under 45 CFR §164.526; 7. Maintain and make available the information required to provide an accounting of disclosures to Williamson County or an individual who has a right to an accounting within 60 days and as necessary to satisfy Williamson County’s obligations under 45 CFR §164.528; 8. To the extent that DM Medical Xxxxxxxx is to carry out any of Williamson County’s obligations under the HIPAA Privacy Rule, DM Medical Xxxxxxxx shall comply with the requirements of the Privacy Rule that apply to Williamson County when it carries out that obligation; 9. Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by DM Medical Xxxxxxxx on behalf of Williamson County, available to the Secretary of the Department of Health and Human Services for purposes of determining DM Medical Xxxxxxxx and Williamson County’s compliance with HIPAA and the HITECH Act; 10. Restrict the use or disclosure of PHI if Williamson County notifies DM Medical Xxxxxxxx of any restriction on the use or disclosure of PHI that Williamson County has agreed to or is required to abide by under 45 CFR §164.522; and 11. If Williamson County is subject to the Red Flags Rule (found at 16 CFR §681.1 et seq.), DM Medical Xxxxxxxx agrees to assist Williamson County in complying with its Red Flags Rule obligations by: (a) implementing policies and procedures to detect relevant Red Flags (as defined under 16 C.F.R. §681.2);

Appears in 1 contract

Samples: Business Associate Agreement

Obligations of Business Associate. The Business Associate agrees to: a. use and disclose PHI only as permitted or required by this Addendum or as required by law. b. implement and use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 regarding electronic protected health information, to prevent use or disclosure of PHI other than as provided for in this Addendum. Business Associate must maintain, and provide a copy to the Covered Entity within 10 days of a request from the Covered Entity, a comprehensive written information privacy and security program that includes security measures that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI relative to the size and complexity of the Business Associate’s operations and the nature and the scope of its activities. c. report to the Covered Entity within 24 hours of any use or disclosure of PHI not provided for by this Addendum of which it becomes aware, including breaches of Unsecured Protected Health Information as required by 45 CFR 164.410, and any Security Incident of which it becomes aware. If the Business Associate is responsible for any unauthorized use or disclosure of PHI, it must promptly act as required by applicable federal and State laws and regulations. Covered Entity and the Business Associate will cooperate in investigating whether a breach has occurred, to decide how to provide breach notifications to individuals, the federal Health and Human Services’ Office for Civil Rights, and potentially the media. d. ensure, according to 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate regarding such information. Each subcontractor must sign an agreement with the Business Associate containing substantially the same provisions as this Addendum and further identifying the Covered Entity as a third party beneficiary of the agreement with the subcontractor. Business Associate must implement and maintain sanctions against subcontractors that violate such restrictions and conditions and must mitigate the effects of any such violation. e. make available PHI in a Designated Record Set to the Covered Entity within 10 days of a request from the Covered Entity to satisfy the Covered Entity’s obligations under 45 CFR 164.524. f. within ten days of a request from the Covered Entity, amend PHI in a Designated Record Set under 45 CFR § 164.526. If any individual requests an amendment of PHI directly from the Business Associate or its agents or subcontractors, the Business Associate must notify the Covered Entity in writing within ten days of the request, and then, in that case, only the Covered Entity may either grant or deny the request. g. maintain, and within ten days of a request from the Covered Entity make available the information required to enable the Covered Entity to fulfill its obligations under 45 CFR § 164.528. Business Associate is not required to provide an accounting to the Covered Entity of disclosures: (i) to carry out treatment, payment or health care operations, as set forth in 45 CFR § 164.506; (ii) to individuals of PHI about them as set forth in 45 CFR § 164.502; (iii) under an authorization as provided in 45 CFR § 164.508; (iv) to persons involved in the individual’s care or other notification purposes as set forth in 45 CFR § 164.510; (v) for national security or intelligence purposes as set forth in 45 CFR § 164.512(k)(2); or (vi) to correctional institutions or law enforcement officials as set forth in 45 CFR § 164.512(k)(5); (vii) as part of a limited data set according to 45 CFR 164.514(e); or (viii) that occurred before the compliance date for the Covered Entity. Business Associate agrees to implement a process that allows for an accounting to be collected and maintained by the Business Associate and its agents or subcontractors for at least six years before the request, but not before the compliance date of the Privacy Rule. At a minimum, such information must include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of PHI disclosed; and (iv) a brief statement of purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the individual’s authorization, or a copy of the written request for disclosure. If the request for an accounting is delivered directly to the Business Associate or its agents or subcontractors, the Business Associate must forward it within ten days of the receipt of the request to the Covered Entity in writing. h. to the extent the Business Associate is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity when performing those obligations. i. make its internal practices, books, and records relating to the Business Associate’s use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules. Business Associate must concurrently provide to the Covered Entity a copy of any PHI that the Business Associate provides to the Secretary. j. retain all PHI throughout the term of the Agreement and for a period of six years from the date of creation or the date when it last was in effect, whichever is later, or as required by law. This obligation survives the termination of the Agreement. k. implement policies and procedures for the final disposition of electronic PHI and the hardware and equipment on which it is stored, including but not limited to, the removal of PHI before re-use. l. within ten days after a written request by the Covered Entity, the Business Associate and its agents or subcontractors must allow the Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of PHI under this Addendum for the purpose of determining whether the Business Associate has complied with this Addendum; provided, however, that: (i) the Business Associate and the Covered Entity must mutually agree in advance upon the scope, timing and location of such an inspection; (ii) the Covered Entity must protect the confidentiality of all confidential and proprietary information of the Business Associate to which the Covered Entity has access during the course of such inspection; and (iii) the Covered Entity or the Business Associate must execute a nondisclosure agreement, if requested by the other party. The fact that the Covered Entity inspects, or fails to inspect, or has the right to inspect, the Business Associate’s facilities, systems, books, records, agreements, policies and procedures does not relieve the Business Associate of its responsibility to comply with this Addendum. The Covered Entity’s (i) failure to detect or (ii) detection, but failure to notify the Business Associate or require the Business Associate’s remediation of any unsatisfactory practices, does not constitute acceptance of such practice or a waiver of the Covered Entity’s enforcement rights under this Addendum.

Appears in 1 contract

Samples: Contract

Obligations of Business Associate. Business Associate agrees to: A. Not use or disclose Protected Health Information other than as permitted or required by the BAA, the HIPAA Rules, or as required by other applicable law; B. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of Protected Health Information other than as provided for by the BAA or as required by law; C. Report to Covered Entity any use or disclosure of Protected Health Information not provided for by the BAA of which it becomes aware, including breaches of unsecured Protected Health Information as required at 45 CFR 164.410, and any security incident of which it becomes aware; D. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agents, subcontractors, or employees that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; E. Within five days of a request by Covered Entity, make available Protected Health Information in a designated record set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; F. Make any amendment(s) to Protected Health Information in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;
G. Maintain and make available to Covered Entity, within five days of a request by Covered Entity, information relating to any disclosures of Protected Health Information as would be required for Covered Entity to respond to a request by an Individual for an accounting under 45 CFR 164.528 of disclosures of such information; H. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and I. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations of Business Associate. Aptum in its capacity as Business Associate agrees: 3.1. not to use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law; 3.2. to use appropriate safeguards, and to comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information to prevent Use or Disclosure of Protected Health Information other than as provided for by the Agreement or as Required By Law; 3.3. to notify Covered Entity of any Use or Disclosure of Protected Health Information not provided for in the Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410 and any Security Incident of which it becomes aware, as soon as possible after discovery of such violation; 3.4. to fully cooperate, coordinate with and assist Covered Entity in gathering the information necessary to notify affected individuals, if any; 3.5. in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information during the course of providing Services to Covered Entity on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
3.6. to make available Protected Health Information in a Designated Record Set to the Covered Entity as necessary to satisfy its obligations under 45 CFR 164.524; 3.7. in the event Covered Entity or any requests access to Protected Health Information contained in a Designated Record Set directly from the Business Associate, to forward such request to Covered Entity in a timely manner allowing Covered Entity to respond to the Individual in accordance with 45 CFR 45 164.526; 3.8. to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; 3.9. to maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; 3.10. to the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and 3.11. to make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.

Appears in 1 contract

Samples: Hipaa Terms and Conditions

Obligations of Business Associate. Business Associate agrees to: Not use or disclose the PHI other than as permitted or required by this Agreement or other arrangement pursuant to 45 C.F.R. § 164.504(e) or as Required by Law. The Business Associate may not use or disclose PHI in a manner that would violate the requirements of 45 C.F.R. Part 164, if done by the Covered Entity, except for the purposes specified under 45 C.F.R. § 164(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by this Agreement or other arrangement. Access only the PHI of patients who are assigned by Covered Entity to Business Associate. Use appropriate safeguards and comply, where applicable, with subpart C of 45 C.F.R. Part 164 with respect to Electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement. Comply with the applicable requirements of 45 C.F.R. Part 164. Make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary’s determination of Covered Entity’s compliance with the Privacy Rule. Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement. Report to Covered Entity, within three (3) days of discovery, any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including, but not limited to, a Breach of Unsecured PHI as required by 45 C.F.R. § 164.410.
Report to Covered Entity, within three (3) days of discovery, any Security Incident with respect to Electronic PHI of which it becomes aware, including, but not limited to, a Breach of Unsecured PHI as required by 45 C.F.R. § 164.410. Report to Covered Entity, within three (3) days of discovery, any Breach with respect to Electronic PHI of which it becomes aware or which Business Associate should be aware. Such report shall include the identity of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such Breach, the circumstances surrounding the Breach, and actions taken by the Business Associate to remediate the Breach. Ensure that all of its Subcontractors and agents that create, receive, maintain, transmit, use or have access to PHI agree, in writing, to safeguard the PHI and comply with the same restrictions and conditions on the use and/or disclosure of PHI that apply through this Agreement to Business Associate with respect to such information. Ensure that any Subcontractors that create, receive, maintain, or transmit Electronic PHI on behalf of the Business Associate agree, in writing, to the same restrictions and conditions that apply to the Business Associate with respect to such information, and agree to comply with the applicable requirements of 45 C.F.R. § 164.314 by entering into a contract or other agreement that complies with that section.
At the request of Covered Entity and in the time and manner specified by Covered Entity, provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an individual in order to meet applicable access requirements of the Privacy Rule. At the request of Covered Entity and in the time and manner specified by Covered Entity, make amendment(s) to PHI in a Designated Record Set pursuant to 45 C.F.R. § 164.526. Make its internal practices, books and records (including, without limitation, policies and procedures) relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary, in the time and manner specified by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule. Document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with the requirements of the Privacy Rule. Provide to Covered Entity, in the time and manner specified by Covered Entity, information collected in accordance with Section 2.1.l of this Agreement, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI.
Return to Covered Entity or destroy, within thirty (30) days of the termination or expiration of this Agreement or any Underlying Contract, all PHI obtained from Covered Entity or created or obtained by Business Associate on behalf of Covered Entity with respect to the affected Underlying Contract(s), including such PHI that is in the possession of Business Associate’s Subcontractors and agents, and retain no copies if it is feasible to do so. If return or destruction of the PHI is infeasible, Business Associate shall notify Covered Entity of the conditions that make return or destruction infeasible, extend all protections contained in this Agreement to any retained PHI, and limit any further uses and/or disclosures of the PHI to the purposes that make the return or destruction of the PHI infeasible. This Section 2.1.17 shall survive any termination or expiration of this Agreement. Cooperate with Covered Entity during any audits, investigations or actions taken against Covered Entity or Business Associate. To the extent the Business Associate is to carry out a Covered Entity’s obligation under Subpart E of 45 C.F.R. § 164.502, comply with the requirements of this subpart that apply to the Covered Entity in the performance of such obligation.

Appears in 1 contract

Samples: Business Associate Agreement
