Obligations of Business Associate. 2.1. In order that each party may achieve and maintain compliance with the requirements of HIPAA, Business Associate agrees:
a. To only use and disclose PHI as permitted by this HIPAA Addendum or as Required By Law. Business Associate may:
i. use and disclose PHI to perform its obligations as set forth in the Terms and Conditions;
ii. use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities;
iii. disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, if such disclosure is required by law or if Business Associate obtains reasonable assurances from the recipient that the recipient will keep the PHI confidential, use or further disclose the PHI only as required by law or for the purpose for which it was disclosed to the recipient, and notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached;
iv. use PHI to provide data aggregation services relating to your health care operations;
v. use or disclose PHI to report violations of the law to law enforcement, consistent with 45 C.F.R. § 164.502(j)(1); and
vi. use PHI to create de-identified information consistent with the standards set forth at 45 C.F.R. § 164.514. Business Associate will not sell PHI or use or disclose PHI for purposes of marketing, as defined and proscribed in the Regulations.
b. To limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 C.F.R. § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
c. To use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of the PHI in compliance with the Regulations.
d. To ensure that all of Business Associate’s employees, subsidiaries and affiliates that receive, use or have access to PHI will adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to Business Associate pursuant to this HIPAA Addendum.
e. To require all of its subcontractors and agents that receive, use or have access to PHI to agree, in writing, to adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to Business Associate pursuant to this HIPAA Addendum.
f. Upon reasonable notice and prior written request, to make available during normal business hours at Business Associate’s offices all records, books, agreements, internal practices, policies and procedures relating to the use or disclosure of PHI to the Secretary, in a time and manner designated by the Secretary, for purposes of determining your compliance with the Regulations, subject to attorney-client and other applicable legal privileges.
g. To make available information regarding any disclosures by Business Associate that would be required to provide an accounting of disclosures to an individual in accordance with 45 C.F.R. § 164.528 and 42 U.S.C. § 17935(c), within five (5) business days of receipt of a request from you.
h. If, and to the extent that Business Associate possesses an applicable Designated Record Set, within five (5) business days of receipt of a request from you for the amendment of an individual's PHI contained in the Designated Record Set, Business Associate shall make available such information to you for amendment and shall also incorporate any such amendments in the PHI maintained by Business Associate as required by 45 C.F.R. § 164.526.
i. To make available an individual’s PHI upon that individual’s request no later than thirty (30) days after receipt of the request, in accordance with 45 C.F.R. § 164.524.
j. Subject to Section 3.4 of this HIPAA Addendum, return to you or destroy, within thirty (30) days of the termination of this HIPAA Addendum, any and all PHI in its possession and retain no copies (which for purposes of this HIPAA Addendum shall include without limitation destroying all backup tapes and permanently deleting all electronic PHI).
k. To mitigate, to the extent practicable, any harmful effects from any use or disclosure of PHI by Business Associate not permitted by this HIPAA Addendum.
l. Business Associate agrees to notify your designated Privacy Official of any use or disclosure of PHI by Business Associate not permitted by this HIPAA Addendum, any Security Incident involving electronic PHI, and any breach of unsecured Protected Health Information, of which the Business Associate is aware.
m. To the extent, if any, that Business Associate will carry out one or more of your obligation(s) under 45 C.F.R. Part 164, Subpart E, then Business Associate shall comply with the requirements of Subpart E that apply to you in the performance of such obligation(s).
2.2. Business Associate agrees to promptly report to you any use or disclosure of Protected Health Information not permitted by this HIPAA Addendum, as well as any Security Incident, of which Business Associate becomes aware.
2.3. Business Associate shall provide the following information to you within five (5) business days of discovery of a breach, except when, despite all reasonable efforts by Business Associate to obtain the information required, circumstances beyond the control of Business Associate necessitate additional time. Under such circumstances Business Associate shall provide to you the following information as soon as possible and without unreasonable delay, but in no event later than thirty (30) calendar days from the date of discovery of a breach:
a. the date of the breach;
b. the date of the discovery of the breach;
c. a description of the types of unsecured PHI that were involved;
d. identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed; and
e. any other details necessary to complete an assessment of the risk of harm to the individual.
2.4. You will be responsible to provide notification to individuals whose unsecured PHI has been disclosed, as well as the Secretary and the media, as required by 42 U.S.C. § 17932.
2.5. Business Associate agrees to establish procedures to investigate the breach, mitigate losses, and protect against any future breaches, and to provide a description of these procedures and the specific findings of the investigation to you in the time and manner reasonably requested by you.
Appears in 12 contracts
Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
Obligations of Business Associate. The Business Associate, as a business associate of the Department, must:
a. use or disclose PHI, including E-PHI, only as is permitted or required by this Agreement, in compliance with the Department's minimum necessary standard policies and procedures, or by applicable law inclusive of 45 CFR Parts 160, 162 and 164;
b. use appropriate safeguards to prevent use or disclosure of PHI and E-PHI other than as provided for by this Agreement or as required by law;
c. implement appropriate administrative, physical and technical security safeguards as set forth in § 164.306, § 164.308, and § 164.312, that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI and prevent use or disclosure of the PHI other than as provided for by this Agreement;
d. mitigate to the extent practicable and as may be directed by the Department any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate that is in violation of the requirements of this Agreement;
e. report in a timely manner as required by law and this Agreement to the Department any use or disclosure of the PHI not provided for by this Agreement inclusive of uses and disclosures of information that are not in compliance with the minimum necessary standard;
f. report to the Department any security incident of which it becomes aware, and at the request of the Department must identify: i) the date of the security incident, ii) the scope of the security incident, iii) the Business Associate's response to the security incident, and iv) the identification of the party responsible for causing the security incident, if known;
g. enter, as required by 45 CFR § 164.504, into Business Associate Agreements containing the terms and conditions as required by the HIPAA and HITECH Acts and the implementing regulations and as are stated in this Agreement, with any subcontractors performing services in relation to the services being provided by the Business Associate for the Department that involve PHI;
h. make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the Department, available to the Department, or to the Secretary of the Federal Department of Health and Human Services in accordance with 45 CFR § 164.408, in a time and manner prescribed by the Department or designated by the Secretary, for purposes of the Secretary determining the Department's and the Business Associate's compliance with the Privacy Regulation, the Security Regulation, and the HITECH Act;
i. document disclosures of PHI and collect information related to those disclosures necessary for the Department to respond to a request by a person for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528 and Section 13405(c) of the HITECH Act;
j. provide to the Department or a person, in time and manner prescribed by the Department, documentation necessary for the Department to respond to a request by a person for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Notwithstanding 45 CFR § 164.528(a)(1)(i), the Business Associate must document disclosures of PHI made through an electronic health record to carry out treatment, payment or health care operations as provided by 45 CFR § 164.506 in the six years prior to the date on which the accounting is requested, and to collect information related to such disclosures as required by the Secretary in regulation pursuant to Section 13405(c)(2) of the HITECH Act;
k. implement a response program, in compliance with Section 13402 of the HITECH Act and implementing regulations, and Subpart D of 45 CFR Part 164 that specifies the actions to be taken when the Business Associate detects or becomes aware of unauthorized access to information systems. The response program must include the following features:
(i) The Business Associate must notify the Department, by facsimile or telephone, of any breach or suspected breach of its security related to areas, locations, or computer system which contain unsecured PHI, including, without limitation, any instance of theft, unauthorized access by fraud, deception, or other malfeasance or inadvertent access (an "incident") in accordance with 45 CFR § 164.410, as promptly as possible, upon having reason to suspect that an incident may have occurred or determining the scope of any incident, but in no event later than two (2) calendar days upon having reason to suspect that an incident may have occurred;
(ii) In the event of any incident, the Business Associate must provide to the Department, in writing, those details concerning the incident as the Department may request, and must cooperate with the Department, its regulators and law enforcement to assist in regaining possession of the unsecured PHI and in preventing its further unauthorized use, and take any necessary remedial actions as may be required by the Department to prevent other or further incidents;
(iii) If the Department determines that it may need to notify any person(s) as a result of such incident that is attributable to the Business Associate's breach of its obligations under this Agreement, the Business Associate must bear all reasonable direct and indirect costs associated with the determination, including, without limitation, the costs associated with providing notification to the affected person, providing fraud monitoring or other services to affected persons and any forensic analysis required to determine the scope of the incident;
(iv) The Business Associate, working in cooperation with the Department, must update the notice provided to the Department under this Agreement of the incident to include, to the extent possible and as soon as possible, the identification of each person whose unsecured PHI has been, or is reasonably believed by the Business Associate or the Department to have been accessed, acquired, used or disclosed during the incident and must provide any following information the Department is required to include in its notice to the person pursuant to 45 CFR § 164.404(c):
(A) A brief description of what happened, including the date of the incident and the date of the discovery of the incident, if known;
(B) A description of the types of unsecured PHI that were involved in the incident (e.g., Social Security Number, full name, date of birth, address, diagnosis);
(C) Any steps the person should take to protect themselves from potential harm resulting from the incident;
(D) A brief description of what is being done to investigate the incident, mitigate the harm, and protect against any future incidents;
(E) Contact procedures for persons to ask questions or learn additional information which shall include a toll-free number, an e-mail address, website, or postal address; and
(F) This additional information must be submitted to the Department immediately at the time the information becomes available to the Business Associate.
(v) limit its use and disclosure of PHI created or received by the Business Associate from or on behalf of the Department to uses or disclosures as are permitted to the Business Associate under the applicable requirements of 45 CFR § 164.504(e) and the HITECH Act and the terms of this Agreement. The Business Associate must also comply with the additional requirements of Subtitle D of the HITECH Act that relate to privacy and that apply to covered entities and to the Business Associate as a business associate; and
(vi) respond to a person's request under 45 CFR § 164.522(a)(1)(i)(A) that the Business Associate restrict the disclosure of the person's PHI.
Appears in 3 contracts
Samples: Contract for CRP Services, Community Resource Partner Services Contract, General Contract
Obligations of Business Associate. 2.1. In order that Covered Entity and Business Associate may achieve and maintain compliance with the requirements of HIPAA, Business Associate agrees:
A. To only use and disclose PHI as permitted by this Agreement or as Required By Law. Business Associate may (1) use and disclose PHI to perform its obligations as set forth in the Service Agreement; (2) use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities; (3) disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, if such disclosure is required by law or if Business Associate obtains reasonable assurances from the recipient that the recipient will keep the PHI confidential, use or further disclose the PHI only as required by law or for the purpose for which it was disclosed to the recipient, and notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; (4) use PHI to provide data aggregation services relating to the health care operations of Covered Entity; (5) use or disclose PHI to report violations of the law to law enforcement, consistent with 45 C.F.R. § 164.502(j)(1); and (6) use PHI to create de-identified information consistent with the standards set forth at 45 CFR §164.514. Business Associate will not sell PHI or use or disclose PHI for purposes of marketing, as defined and proscribed in the Regulations.
B. To limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 CFR 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request;
C. To use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of the PHI in compliance with the Regulations.
D. To require all of its subcontractors and agents that receive, use or have access to PHI to agree, in writing, to adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to the Business Associate pursuant to this Agreement;
E. Upon reasonable notice and prior written request, to make available during normal business hours at Business Associate’s offices all records, books, agreements, internal practices, policies and procedures relating to the use or disclosure of PHI to the Secretary, in a time and manner designated by the Secretary, for purposes of determining the Covered Entity’s compliance with the Regulations, subject to attorney-client and other applicable legal privileges;
F. To provide documentation regarding any disclosures by Business Associate that would have to be included in an accounting of disclosures to an Individual under 45 CFR 164.528 (including without limitation a disclosure permitted under 45 CFR 164.512) and the HITECH Act, within a reasonable amount of time of receipt of a request from Covered Entity;
G. If, and to the extent that Business Associate possesses an applicable Designated Record Set, within a reasonable amount of time of receipt of a request from the Covered Entity for the amendment of an individual's PHI contained in the Designated Record Set, Business Associate shall provide such information to the Covered Entity for amendment and shall also incorporate any such amendments in the PHI maintained by Business Associate as required by 45 C.F.R. § 164.526.
H. Subject to Section III.C.2. of this Agreement, return to the Covered Entity or destroy, within thirty (30) days of the termination of this Agreement, any and all PHI in its possession and retain no copies (which for purposes of this Agreement shall include without limitation destroying all backup tapes and permanently deleting all electronic PHI).
I. To mitigate, to the extent practicable, any harmful effects from any use or disclosure of PHI by Business Associate not permitted by this Agreement.
J. Business Associate agrees to notify the designated Privacy Official of the Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this Agreement, any Security Incident involving electronic PHI, and any Breach of unsecured Protected Health Information, of which the Business Associate is aware.
2.2. Business Associate agrees to promptly report to you any use or disclosure of Unsecured Protected Health Information not permitted by this HIPAA Addendum, as well as any Security Incident, of which Business Associate becomes aware within five (5) business days.
1. Business Associate shall provide the following information to Covered Entity within ten (10) business days of discovery of a breach, except when, despite all reasonable efforts by Business Associate to obtain the information required, circumstances beyond the control of the Business Associate necessitate additional time. Under such circumstances Business Associate shall provide to Covered Entity the following information as soon as possible and without unreasonable delay, but in no event later than thirty (30) calendar days from the date of discovery of a breach:
a. the date of the breach;
b. the date of the discovery of the breach;
c. a description of the types of unsecured PHI that were involved;
d. identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed; and
e. any other details necessary to complete an assessment of the risk of harm to the individual.
2. Covered Entity will be responsible to provide notification to individuals whose unsecured PHI has been disclosed, as well as the Secretary and the media, as required by Sec. 13402 of the HITECH Act, 42 U.S.C. § 17932;
3. Business Associate agrees to pay actual costs for notification and of any associated mitigation incurred by Covered Entity, such as credit monitoring, if Covered Entity determines that the breach is significant enough to warrant such measures.
4. Business Associate agrees to establish procedures to investigate the breach, mitigate losses, and protect against any future breaches, and to provide a description of these procedures and the specific findings of the investigation to Covered Entity in the time and manner reasonably requested by Covered Entity.
5. The parties agree that this section satisfies any notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. For purposes of this Agreement, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of electronic PHI.
Appears in 2 contracts
Samples: Business Associate Agreement, Purchase Order
Obligations of Business Associate. Business Associate agrees that it will:
2.1. not use or disclose PHI other than as permitted or required by this Agreement, Service Agreement, or by law or regulation. Business Associate may use and disclose PHI that Business Associate obtains or creates only if such use or disclosure, respectively, is in compliance with each applicable requirement of Section 164.504(e) of Title 45, Code of Federal Regulations. The additional requirements of the HIPAA Rules that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by reference hereby are incorporated into the Business Associate Agreement. Section 164.504(e)(1)(ii) of Title 45, Code of Federal Regulations, shall apply to Business Associate with respect to compliance with such subsection, in the same manner that such section applies to a covered entity, with respect to compliance with the standards in sections 164.502(e) and 164.504(e) of Title 45, except that in applying such Section 164.504(e)(1)(ii) each reference to the business associate, with respect to a contract, shall be treated as a reference to the covered entity involved in such contract.
2.2. use appropriate safeguards, including without limitation administrative, physical, and technical safeguards, to prevent use or disclosure of the PHI other than as provided for by this Agreement and to reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI that it may receive, maintain, or transmit on behalf of the Covered Entity. Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of Title 45, Code of Federal Regulations, shall apply to Business Associate in the same manner that such sections apply to Covered Entity as required by the HIPAA Rules.
2.3. secure all PHI by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under the HIPAA Rules. For purposes of clarity, in accordance with current standards and guidance:
a. For Administrative Safeguards, Business Associate shall:
i. Implement policies and procedures to prevent, detect, contain, and correct security violations;
ii. Identify the security official who is responsible for the development and implementation of the policies and procedures required;
iii. Implement policies and procedures to ensure that only appropriate members of the workforce have access to PHI;
iv. Implement policies and procedures for authorized access to PHI that are consistent with the applicable requirements of the Privacy Rule;
v. Implement a security awareness and training program for all members of its workforce (including management);
vi. Establish policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that could damage systems that contain PHI; and
vii. Perform periodic technical and non-technical evaluations to ensure that standards continue to be met in response to operational and environmental changes.
b. For Physical Safeguards, Business Associate shall at least implement policies and procedures to limit physical access to its electronic information systems capable of accessing PHI while ensuring that properly authorized access is allowed. Such policies and procedures shall address facility access, workstation use, workstation security and device and media controls.
c. For Technical Safeguards, Business Associate shall:
i. Implement technical policies and procedures for electronic information systems that maintain PHI to allow access only to those persons or software programs that have appropriately granted access rights;
ii. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI;
iii. Implement policies and procedures to protect PHI from improper alteration or destruction;
iv. Implement procedures to verify that a person or entity seeking access to PHI is the one claimed; and
v. Implement technical security measures (including encryption) to guard against unauthorized access to PHI that is being transmitted over an electronic communications network.
d. For Policies and Procedures and Documentation Requirements, Business Associate shall:
i. Maintain policies and procedures and suitable documentation in written form;
ii. Retain the documentation and PHI for six (6) years from date of creation or effect;
iii. Make such documentation and policies and procedures available to persons responsible for implementing and amending them; and
iv. Review the proper management policies and administration of procedures periodically and update as needed.
e. To render PHI unusable, unreadable or indecipherable to unauthorized individuals, Business Associate shall refer to the current Guidance issued by the U.S. Department of Health and Human Services, which currently identifies the use of encryption and destruction as the two acceptable methods of rendering PHI unusable, unreadable or indecipherable and provides specific guidance relating to carry out its legal responsibilitiesthe state of the PHI, such as if such disclosure is required by law or if Business Associate obtains reasonable assurances from the recipient that the recipient will keep the PHI confidentialis in transmission, in use, or simply in storage.
2.4. not use or further disclose PHI other than as specifically set forth in this Agreement or other signed Agreement between the PHI only as required by law or for parties and the purpose for which it was disclosed laws and regulations pertaining to the recipient, and notify Business Associate disclosure of any instances of which it is aware in which the confidentiality of the PHI has been breached;PHI;
iv2.5. use PHI to provide data aggregation services relating to your health care operations;
v. not use or further disclose PHI to report violations of the law to law enforcement enforcement, consistent with 45 C.F.R. § 164.502(j)(1); and
vi. use PHI to create de-identified information consistent with the standards set forth at 45 C.F.R. § 164.514. Business Associate will not sell PHI or use or disclose PHI for purposes of marketing, as defined and proscribed in the Regulations.
b. To limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to manner that would violate the requirements of 45 C.F.R. § 164.502(b)state or federal law including the provisions of the HIPAA Regulations;
2.6. use appropriate safeguards to prevent use or disclosure of PHI other than as provided for in this Agreement;
2.7. report to COVERED ENTITY any use or disclosure of PHI not provided for by this Agreement of which BUSINESS ASSOCIATE becomes aware;
2.8. ensure that any of its agents, including subcontractors, to the minimum amount of whom BUSINESS ASSOCIATE provides PHI necessary to accomplish the intended purpose of the use, disclosure or request.
c. To use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of the PHI in compliance with the Regulations.
d. To ensure that all of Business Associate’s employees, subsidiaries and affiliates that receive, use or have access to PHI will adhere agree to the same restrictions and conditions on the use or disclosure of PHI that apply to Business Associate pursuant BUSINESS ASSOCIATE with respect to this HIPAA Addendum.such PHI;
e. To require all 2.9. agree to provide access, at the request of its subcontractors and agents that receiveCovered Entity, use or have access to PHI to agree, in writing, to adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to Business Associate pursuant to this HIPAA Addendum.
f. Upon reasonable notice and prior written request, to make available during normal business hours at Business Associate’s offices all records, books, agreements, internal practices, policies and procedures relating to the use or disclosure of PHI to the Secretary, in a time and manner designated by the Secretary, for purposes of determining your compliance with the Regulations, subject to attorney-client and other applicable legal privileges.
g. To make available information regarding any disclosures by Business Associate that would be required to provide an accounting of disclosures to an Actindividual in accordance with 45 C.F.R. § 164.528 and the 42 U.S.C. § 17935(c), within five (5) business days of receipt of a request from you.
h. If, and to the extent that Business Associate possesses an applicable Designated Record Set, within five to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the requirements under 45 CFR 164.524 (5) business days of receipt of a request from you for the amendment of an individual's PHI contained in the Designated Record Set, Business Associate shall i.e. allow individuals access to their own PHI);
2.10. make available such information to you PHI in accordance with the HIPAA Regulations;
2.11. make available PHI for amendment and shall also incorporate any such amendments in the to PHI maintained by Business Associate as required by 45 C.F.R. § 164.526.
i. To make available an individual’s PHI upon that individual’s request no later than thirty (30) days after receipt of the request, in accordance with 45 C.F.R. § 164.524.the HIPAA Regulations;
j. Subject to Section 3.4 of this HIPAA Addendum, return to you or destroy, within thirty (30) days of the termination of this HIPAA Addendum, any and all PHI in its possession and retain no copies (which for purposes of this HIPAA Addendum shall include without limitation destroying all backup tapes and permanently deleting all electronic PHI).
k. To 2.12. mitigate, to the extent practicable, any harmful effects from any effect that is known to Business Associate of a use or disclosure of PHI by Business Associate not permitted by in violation of the requirements of this HIPAA Addendum.Agreement;
l. Business Associate agrees 2.13. report to notify your designated Privacy Official of Covered Entity any use or disclosure of Unsecured PHI not provided for by this Agreement of which it becomes aware or should be aware, or any security incident of which it becomes aware involving Unsecured PHI of the Covered Entity or a security incident within the timeframes specified in Section 13402(d) of the HITECH Act. Business Associate not permitted by this HIPAA Addendumwill report to Covered Entity, promptly after discovery but in no event more than five (5) calendar days following, any Security Incident involving electronic PHI, Breach of Unsecured PHI of Covered Entity. The report and any notice to Covered Entity will contain the information specified in 45 CFR §164.410. With regards to a breach by a subcontractor of unsecured Protected Health Information, of which the Business Associate is aware.
m. To the extentAssociate, if any, that Business Associate will carry out one or more of your obligation(s) under 45 C.F.R. Part 164, Subpart E, then require the subcontractor to notify Business Associate shall of a discovered breach of Unsecured PHI or a security incident and Business Associate will, in turn, notify Covered Entity for the purpose of carrying out further notifications as applicable.
2.14. to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to comply with the requirements of Subpart E Privacy Rule and the Security Rule to the same extent as Business Associate, with its direct relationship with Covered Entity and to agree to the same restrictions and conditions that apply through this Agreement to you Business Associate with respect to such information. Subcontractors of Business Associate will automatically become business associates themselves, and Business Associates will be required to obtain “satisfactory assurances” that the subcontractors will appropriately safeguard PHI. When Business Associate uses subcontractors to create, receive, or transmit PHI on its behalf, it will have a written business associate agreement (“BAA”) with each subcontractor, thereby creating a continuous “chain of trust” for PHI. A subcontractor’s permitted uses and disclosures may not be broader than those of Business Associate from whom the subcontractor receives PHI. The subcontractors will be directly liable under HIPAA, and Business Associate will take reasonable steps to cure any breach or terminate a BAA if a subcontractor materially breaches its BAA;
2.15. to provide access, at the request of Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the performance requirements under 45 CFR 164.524 (i.e. allow individuals access to their own PHI);
2.16. to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to at the request of Covered Entity or an Individual, pursuant to 45 CFR 164.526;
2.17. to document disclosures of PHI and information related to such obligation(s).
2.2disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. Business Associate further agrees to promptly report provide Covered Entity or Individual such documentation in accordance with 45 CFR 164.528;
2.18. make its internal practices, books and records relating to you any the use or and disclosure of Protected PHI available to the Secretary of Health Information not permitted by and Human Services for purposes of determining COVERED ENTITY'S compliance with the HIPAA Regulations;
2.19. return or destroy all PHI received from COVERED ENTITY which BUSINESS ASSOCIATE maintains in any form at the termination of this HIPAA Addendum, as well any Security Incident, of which Business Associate becomes aware.
2.3. Business Associate shall provide the following information to you within five (5) business days of discovery of a breach except when despite all reasonable efforts by Business Associate to obtain the information required, circumstances beyond the control of Business Associate necessitate additional time. Under such circumstances Business Associate shall provide to you the following information as soon as possible and without unreasonable delay, but in no event later than thirty (30) calendar days from the date of discovery of a breach:
a. the date of the breach;
b. the date of the discovery of the breach;
c. a description of the types of unsecured PHI that were involved;
d. identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed; Agreement; and
e. 2.20. incorporate any other details necessary amendments or corrections to complete an assessment of the risk of harm PHI which may be requested pursuant to the individualHIPAA Regulations.
2.4. You will be responsible to provide notification to individuals whose unsecured PHI has been disclosed, as well as the Secretary and the media, as required by 42 U.S.C. § 17932.
2.5. Business Associate agrees to establish procedures to investigate the breach, mitigate losses, and protect against any future breaches, and to provide a description of these procedures and the specific findings of the investigation to you in the time and manner reasonably requested by you.
Appears in 1 contract
Samples: Business Associate Agreement