Obligations of Covered Entity. a. Covered Entity shall provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.
b. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
c. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.
d. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if made by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI.
e. Covered Entity shall use appropriate and reasonable safeguards to prevent use or disclosure of PHI. Covered Entity shall comply with the Security Rule’s administrative, technical and safeguard requirements. In addition, Covered Entity shall implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits and shall maintain and implement reasonable policies and procedures that prevent, detect, contain and correct security violations of ePHI. Covered Entity shall make its policies, procedures and documentation required by the Security Rule relating to the Safeguards available to the Secretary for the purpose of determining Covered Entity’s compliance with the Security Rule.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Appears in 11 contracts
Samples: Recovery Contractual Agreement, Substance Use Disorder Treatment Contractual Agreement, Substance Use Disorder Treatment Contractual Agreement
Obligations of Covered Entity. a. Covered Entity shall provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.
b. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
c. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.
d. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if made by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI.
e. Covered Entity shall use appropriate and reasonable safeguards to prevent use or disclosure of PHI. Covered Entity shall comply with the Security Rule’s administrative, technical and safeguard requirements. In addition, Covered Entity shall implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits and shall maintain and implement reasonable policies and procedures that prevent, detect, contain, and correct security violations of ePHI. Covered Entity shall make its policies, procedures, and documentation required by the Security Rule relating to the Safeguards available to the Secretary for the purpose of determining Covered Entity’s compliance with the Security Rule.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a sub Provider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Appears in 4 contracts
Samples: Substance Use Disorder Prevention Services Contractual Agreement, Substance Use Disorder Prevention Services Contractual Agreement, Substance Use Disorder Prevention Services Contractual Agreement
Obligations of Covered Entity. Covered Entity is responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Therefore, without limitation:
(a) Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of Protected Health Information.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s Use or Disclosure of Protected Health Information.
(c) Covered Entity shall notify Business Associate of any restriction to the Use or Disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of Protected Health Information.
(d) Covered entity shall not include Protected Health Information in: (1) information Covered Entity submits to Business Associate’s support personnel through a technical support request or to Business Associate’s community Business Associate’s support forums; and (2) Covered Entity’s address book or directory information. Further, Covered Entity may not disclose Protected Health Information to Business Associate by electronic mail, voicemail, text, or facsimile.
(e) Covered Entity is responsible for implementing appropriate privacy and security safeguards in order to protect Covered Entity’s PHI in compliance with HIPAA and this Agreement. Without limitation, Covered Entity will use the highest level of audit logging in connection with the Covered Entity’s use of Business Associate’s cloud platform (“Cloud Offering”), and maintain the maximum retention of logs in connection with the Covered Entity’s use of the Cloud Offering.
(f) Business Associate is responsible for enabling the Cloud Offering to support encryption of PHI in the Cloud Offering. The Covered Entity is solely responsible for configuring, and will configure, appropriate privacy and security safeguards in all instances of the Cloud Offering that Covered Entity controls, uses, configures and uploads into the Cloud Offering as follows: The Covered Entity must encrypt all PHI stored in or transmitted using the Cloud Offering in accordance with the Secretary of HHS’s Guidance to Render Unsecured Protected Health information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, available at xxxx://xxx.xxx.xxx/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html as it may be updated from time to time, and as may be made available on any successor or related site designated by HHS.
Appears in 2 contracts
Samples: Campuspass Solution License Agreement, Workforce Safety Subscription Agreement
Obligations of Covered Entity. a. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of protected health information.
b. Covered Entity shall notify Business Associate of any changes in or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect the Business Associate’s use or disclosure of protected health information.
c. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected health information that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of protected health information.
d. Covered Entity shall not request Business Associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI.
e. Covered Entity represents and warrants it has obtained all necessary patient consents and authorizations for Business Associate’s access, use, and disclosure of PHI as set forth herein. Covered Entity shall defend, indemnify, and hold Business Associate and its officers, directors, and employees harmless from and against any third-party claims, suits, liabilities, obligations, judgments, and causes of action and associated costs and expenses (including reasonable attorneys’ fees) arising out of or resulting from Covered Entity’s failure to obtain such consents or authorizations.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Appears in 2 contracts
Samples: Master License and Services Agreement, Master License and Services Agreement
Obligations of Covered Entity. a. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to that notice.
b. Covered Entity shall promptly provide Business Associate with any changes in, or revocation of, permission by an individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and Busin disclosures.
c. Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.
d. Covered Entity acknowledges that it shall provide to, or request from, the Business Associate only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder.
e. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI.
e. Covered Entity shall use appropriate and reasonable safeguards to prevent use or disclosure of PHI except as provided herein in accordance with 45 CFR §164.504(e). Covered Entity shall disclose or provide access to Business Associate only the minimum PHI necessary for Business Associate to perform its obligations as required by the Privacy Rule and 42 U.S.C. § 17935(b).
f. Covered Entity in performing its obligations and exercising its rights under this Agreement shall use and disclose PHI in compliance with the HIPAA Rules. Notwithstanding the above, Covered Entity acknowledges that it remains responsible for obtaining such consent, authorization or permission that may be required by law or regulation (as opposed to individual consents or authorizations that may be required from plan participants in certain circumstances) for Business Associate to provide its services on behalf of Covered Entity and that Covered Entity shall provide Business Associate with advance written notice PHI otherwise permitted herein. Covered Entity acknowledges that Business Associate shall only be required to comply with such changes to its Notice of Privacy Practices which are known to Business Associate and to the extent required by applicable law or regulation.
g. Covered Entity shall provide to Business Associate a written list of the names of those individuals in its Workforce that are authorized to receive or access PHI on its behalf, and to provide reasonable prior written notice to Business Associate of any changes to such list. In the absence of Covered Entity providing such list, Business Associate may assume, consistent with 45 CFR §164.504(f), that those individuals that are members of the Workforce of Covered Entity or, if applicable, Plan Sponsor, who request or receive PHI from Business Associate are performing plan administration activities for Covered Entity, and are authorized to receive or access PHI on its behalf.
Appears in 2 contracts
Samples: Application Service Provider Agreement, Application Service Provider Agreement
Obligations of Covered Entity. a. Covered Entity shall provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.
b. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
c. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.
d. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if made by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI.
e. Covered Entity shall use appropriate and reasonable safeguards to prevent use or disclosure of PHI. Covered Entity shall comply with the Security Rule’s administrative, technical and safeguard requirements. In addition, Covered Entity shall implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits and shall maintain and implement reasonable policies and procedures that prevent, detect, contain and correct security violations of ePHI. Covered Entity shall make its policies, procedures and documentation required by the Security Rule relating to the Safeguards available to the Secretary for the purpose of determining Covered Entity’s compliance with the Security Rule.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subcontractor, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Appears in 2 contracts
Samples: Medicaid Managed Specialty Supports and Services Agreement, Medicaid Managed Specialty Supports and Services Agreement
Obligations of Covered Entity. To the extent applicable, the Covered Entity shall notify the Business Associate of any limitation(s) in the Covered Entity’s Notice of Privacy Practices that Covered Entity produces in accordance with 45 CFR § 164.520, to the extent that such limitation may affect the Business Associate’s Use or Disclosure of Protected Health Information. The Covered Entity shall notify the Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose Protected Health Information, to the extent that such changes may affect the Business Associate’s Use or Disclosure of Protected Health Information. The Covered Entity shall notify the Business Associate of any restriction to the Use or Disclosure of Protected Health Information that the Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect the Business Associate’s Use or Disclosure of Protected Health Information. The Covered Entity shall not request the Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by the Covered Entity. Notwithstanding the foregoing language, the Business Associate may Use or Disclose Protected Health Information for Data Aggregation Services to the Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B), the management and administrative activities of the Business Associate or to carry out the legal responsibilities of the Business Associate in accordance with this Agreement, or may de-identify Protected Health Information in accordance with the standards set forth in 45 C.F.R. § 164.514(b). If Covered Entity is an employer sponsored Health Plan, Covered Entity represents that to the extent applicable, it has ensured and has received certification from the applicable Plan Sponsor that the Plan Sponsor has taken the appropriate steps in accordance with 45 C.F.R. § 164.504(f) and 45 C.F.R. § 164.314(b) to enable Business Associate on behalf of Covered Entity to disclose Protected Health Information to Plan Sponsor, including but not limited to amending its plan documents to incorporate the requirements set forth in 45 C.F.R. § 164.504(f)(2) and 45 C.F.R. § 164.314(b). Covered Entity shall comply with the Security Rule’s administrative, technical and safeguard requirements. In addition, Covered Entity ensure that only employees authorized under 45 C.F.R. § 164.504(f) shall implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits and shall maintain and implement reasonable policies and procedures that prevent, detect, contain and correct security violations of ePHI. Covered Entity shall make its policies, procedures and documentation required by the Security Rule relating have access to the Safeguards available to the Secretary for the purpose of determining Covered Entity’s compliance with the Security Rule.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI Protected Health Information disclosed by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such informationPlan Sponsor.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Appears in 2 contracts
Samples: Biometric Screening Agreement, Biometric Screening Agreement
Obligations of Covered Entity. 14.1 Covered Entity acknowledges and understands that, in general, PHI is not necessary to share with Company as a part of the Services provided under the Agreement and therefore Covered Entity shall only provide Company with access to the minimum necessary PHI as noted in Section 8 herein. Covered Entity shall further (i) notify Company of any limitation in Covered Entity’s Notice of Privacy Practices to the extent that such limitation may affect Company's use or disclosure of PHI, (ii) notify Company of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such change may affect Company’s use or disclosure of PHI, (iii) notify Company of any restriction on the use or disclosure of PHI to which Covered Entity has agreed to in accordance with HIPAA, to the extent that such restriction may affect Company's use or disclosure of PHI, and (iv) obtain any authorization or consents as may be Required By Law for any of the uses or disclosures of PHI pursuant to the Services. To the extent that Covered Entity elects to opt out of, remove or disable any of the specific Services provided by Company, Company will no longer be liable for any Security Incident and/or Breach due to the opt out, removal or disabling of such Service. Covered Entity agrees to and will be responsible for any Security Incident and/or Breach due to the opt out, removal or disabling of any such Service provided by Company. The obligations of Covered Entity under this Section 14.1 extend to any entities or persons who are authorized by Covered Entity or its affiliates to access any Covered Entity data or programs stored on Company systems.
14.2 Except for the permitted uses and disclosures set forth in Sections 2 and 3, Covered Entity will not request Company to use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI.
e. Covered Entity shall use appropriate and reasonable safeguards to prevent use or disclosure of PHI. Covered Entity shall comply with the Security Rule’s administrative, technical and safeguard requirements. In addition, Covered Entity shall implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits and shall maintain and implement reasonable policies and procedures that prevent, detect, contain and correct security violations of ePHI. Covered Entity shall make its policies, procedures and documentation required by the Security Rule relating to the Safeguards available to the Secretary for the purpose of determining Covered Entity’s compliance with the Security Rule.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Appears in 2 contracts
Samples: Software License Agreement, Software License and Hosting Agreement
Obligations of Covered Entity. If deemed applicable by Covered Entity, Covered Entity shall: provide Business Associate with a copy of its Notice of Privacy Practices (“Notice”) produced by Covered Entity in accordance with 45 C.F.R. 164.520 as well as any changes to such Notice; provide Business Associate with any changes in, or revocation of, authorizations by Individuals relating to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures; notify Business Associate of any restriction to the use and/or disclosure of PHI to which Covered Entity has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI; not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy rule if done by the Covered entity; notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a Designated Record Set maintained by Business Associate; if Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual’s right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of disclosures of PHI; and, notify individuals of breach. [Depending how we negotiate contract if the Covered Entity or the Business Associate will notify individual of breach. If Business Associate notifies (need Privacy Officer’s approval, also need the form of the notice, evaluation of harm, and who will be responsible for the cost.]
Appears in 1 contract
Samples: Business Associate Agreement
Obligations of Covered Entity. (a) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 C.F.R. §164.520, and its policies regarding the "minimum necessary" requirements in 45 C.F.R. §164.502(b) to the extent that such limitation may affect Business Associate's Use or Disclosure of Protected Health Information, and to notify Business Associate of any material changes thereof.
(b) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any changes in, or revocation of, permission by an Individual to Use or Disclose Protected Health Information, if such changes may affect Business Associate's Use or Disclosure of Protected Health Information.
(c) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction on the Use and/or Disclosure of Protected Health Information to which Covered Entity has agreed or is required to abide by under 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of Protected Health Information.
(d) Covered Entity agrees to comply with all applicable state and federal privacy and security laws and regulations, including the HIPAA Rules. Covered Entity agrees to obtain any patient authorizations or consents that may be required under state or federal law or regulation in order to (i) transmit Protected Health Information to Business Associate; (ii) enable Business Associate and its subcontractors to Use and Disclose Protected Health Information as contemplated by this BA Agreement and the Service Agreement; and (iii) allow Business Associate to transfer patient data to third parties if patients participate in third party programs.
(e) Covered Entity may not ask Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under applicable laws and rules, including the HIPAA Rules, if done by Covered Entity, except that Business Associate may disclose Protected Health Information for its proper management and administration, data aggregation, and other activities specifically permitted by this BA Agreement.
(f) Covered Entity will notify Business Associate within twenty-four (24) hours of directing patients to contact Business Associate directly for access to their data.
(g) Covered Entity agrees to notify Business Associate within ten (10) business days of any amendment to patient records.
(h) Covered Entity agrees to notify Business Associate within ten (10) business days of receiving a patient request for an accounting of disclosures and the period covered by such request.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Samples: Business Associate Agreement
Obligations of Covered Entity. (a) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 C.F.R. §164.520, and its policies regarding the "minimum necessary" requirements in 45 C.F.R. §164.502(b) to the extent that such limitation may affect Business Associate's Use or Disclosure of Protected Health Information, and to notify Business Associate of any material changes thereof.
(b) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any changes in, or revocation of, permission by an Individual to Use or Disclose Protected Health Information, if such changes may affect Business Associate's Use or Disclosure of Protected Health Information.
(c) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction on the Use and/or Disclosure of Protected Health Information to which Covered Entity has agreed or is required to abide by under 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of Protected Health Information.
(d) Covered Entity agrees to comply with all applicable state and federal privacy and security laws and regulations, including the HIPAA Rules. Covered Entity agrees to obtain any patient authorizations or consents that may be required under state or federal law or regulation in order to transmit Protected Health Information to Business Associate and to enable Business Associate and its subcontractors to Use and Disclose Protected Health Information as contemplated by this BA Agreement and the Terms of Use.
(e) Covered Entity may not ask Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under applicable laws and rules, including the HIPAA Rules, if done by Covered Entity, except that Business Associate may disclose Protected Health Information for its proper management and administration, data aggregation, and other activities specifically permitted by this BA Agreement.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Samples: Business Associate Agreement
Obligations of Covered Entity. a. Covered Entity shall provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.
b. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
A. Covered Entity shall notify Business Associate of any facts or circumstances that affect Business Associate’s use or disclosure of PHI. Such facts and circumstances include, but are not limited to: (i) any limitation or change in Covered Entity’s notice of privacy practices, (ii) any changes in, or withdrawal of, an authorization provided to Covered Entity by an Individual pursuant to 45 CFR §164.508; and (iii) any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522.
B. Covered Entity warrants that it will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if made by or is not otherwise authorized or permitted under this BAA (i.e. for data aggregation, management and administration, and legal responsibilities of BAA).
C. Covered Entity acknowledges and agrees that the Privacy Rules allow the Covered Entity to permit Business Associate to disclose or provide access to PHI, other than Summary Health Information, to the Plan Sponsor only after the Plan Sponsor has amended its Plan documents to provide for the permitted and required uses and disclosures of PHI and to require the Plan Sponsor to provide a certification to the Plan that certain required provisions have been incorporated into the Plan documents before the Plan may disclose, either directly or through a Business Associate, any PHI to the Plan Sponsor. Covered Entity hereby warrants and represents that Plan documents have been so amended and that the Plan has received such certification from the Plan Sponsor.
D. Covered Entity agrees that it will have entered into Business Associate Agreements with any third parties to whom Covered Entity directs and authorizes Business Associate to disclose PHI.
E. Covered Entity acknowledges that it remains responsible for obtaining any consent, authorization or permission that may be required for Business Associate to provide its services and that it shall not agree to any restrictions or make any changes to its Notice of Privacy Practices that would limit the uses and disclosures of PHI otherwise permitted herein except as mutually agreed by the parties in a written amendment to this BAA.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Samples: Vision Plan Agreement
Obligations of Covered Entity. a. If deemed applicable by Covered Entity, Covered Entity shall: provide Business Associate with a copy of its Notice of Privacy Practices (“Notice”) produced by Covered Entity in accordance with 45 C.F.R. 164.520 as well as any changes to such Notice; provide Business Associate with any changes in, or revocation of, authorizations by Individuals relating to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures; notify Business Associate of any restriction to the use and/or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI; not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy rule if done by the Covered entity; notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a Designated Record Set maintained by Business Associate; if Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual’s right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of disclosures of PHI; and, notify individuals of breach of their Unsecured PHI in accordance with 45 C.F.R. §164.404. [Depending how we negotiate contract if the Covered Entity or the Business Associate will notify individual of breach. If Business Associate notifies (need Privacy Officer’s approval, also need the form of the notice, evaluation of harm, and who will be responsible for the cost.]
Samples: Business Associate Agreement
Obligations of Covered Entity. (a) Covered Entity represents and warrants to Business Associate that it: (1) has included, and will include, in Covered Entity's Notice of Privacy Practices that Covered Entity may disclose Protected Health Information for health care operations purposes; and (2) has obtained, and will obtain, from Individuals, consents, authorizations and other permissions necessary or required by all laws applicable to Covered Entity for Business Associate and Covered Entity to fulfill their obligations under the Underlying Agreement and this Agreement.
(b) Covered Entity shall promptly notify Business Associate in writing of any restrictions on the Use and Disclosure of Protected Health Information about Individuals that Covered Entity has agreed to that could reasonably be expected to affect Business Associate's ability to perform its obligations under the Underlying Agreement or this Agreement.
(c) Covered Entity shall notify Business Associate in writing of any limitations in its notice of privacy practices in accordance with 45 CFR 164.520 to the extent that the limitations may affect Business Associate's Use or Disclosure of Protected Health Information.
(d) Covered Entity shall promptly notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to Use or Disclose Protected Health Information, if such changes or revocation could reasonably be expected to affect Business Associate's ability to perform its obligations under the Underlying Agreement or this Agreement.
(e) Covered Entity shall utilize Business Associate’s services in a way that ensures that Covered Entity is in compliance with HIPAA and HITECH.
(f) Covered Entity shall not request Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA or HITECH if done by Covered Entity, except to the extent that Business Associate is Using or Disclosing Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B), and/or to the extent that Business Associate is Using or Disclosing Protected Health Information for the proper management and administration of Business Associate.
(g) Covered Entity shall use its best efforts to minimize the disclosure of Protected Health Information to Business Associate where the disclosure of that information is not needed for Business Associate to provide products or services to Covered Entity.
(h) Covered Entity agrees to indemnify and hold harmless Business Associate, its directors, officers, shareholders, parents, subsidiaries, affiliates, and agents, from and against all losses, expenses, damages and costs, including reasonable attorneys’ fees, resulting from Covered Entity’s failure to fulfill its obligations under the Underlying Agreement or this Agreement, including without limitation resulting from Covered Entity’s failure to use Business Associate’s services in such a manner as to prevent the unauthorized Disclosure of Protected Health Information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Samples: Hipaa Business Associate Agreement
Obligations of Covered Entity. (a) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 C.F.R. §164.520, and its policies regarding the "minimum necessary" requirements in 45 C.F.R. §164.502(b) to the extent that such limitation may affect Business Associate's Use or Disclosure of Protected Health Information, and to notify Business Associate of any material changes thereof.
(b) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any changes in, or revocation of, permission by an Individual to Use or Disclose Protected Health Information, if such changes may affect Business Associate's Use or Disclosure of Protected Health Information.
(c) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction on the Use and/or Disclosure of Protected Health Information to which Covered Entity has agreed or is required to abide by under 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of Protected Health Information.
(d) Covered Entity agrees to comply with all applicable state and federal privacy and security laws and regulations, including the HIPAA Rules. Covered Entity agrees to obtain any patient authorizations or consents that may be required under state or federal law or regulation in order to transmit Protected Health Information to Business Associate and to enable Business Associate and its subcontractors to Use and Disclose Protected Health Information as contemplated by this BA Agreement and the Service Agreement.
(e) Covered Entity may not ask Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under applicable laws and rules, including the HIPAA Rules, if done by Covered Entity, except that Business Associate may disclose Protected Health Information for its proper management and administration, data aggregation, and other activities specifically permitted by this BA Agreement.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Samples: Business Associate Agreement
Obligations of Covered Entity. a. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
b. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
c. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
d. Except with respect to uses and disclosures by Business Associate of Protected Health Information under Sections 3(e), 3(f) and 3(g), above, Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI.
e. Covered Entity agrees to comply with the HIPAA Security Rule, including, without limitation, safeguarding all computers, laptops, cell phones, tablets, or other mobile devices in accordance with the HIPAA Security Regulations.
f. To the extent that Covered Entity utilizes services provided by the Business Associate to communicate with patients, Covered Entity is responsible for obtaining and documenting authorizations or requests from patients to communicate through this service and to inform patients of risks associated with such communications as applicable. Covered Entity is responsible for also communicating to patients best practices and requirements for securing their devices, including phones and laptops, to protect their privacy. It shall be Covered Entity’s responsibility to determine what permissions, authorizations or consents shall be documented and maintained for HIPAA compliance purposes. Business Associate does not obtain consent, authorization or permission from patients and the parties agree that is not Business Associate’s obligation to do so or to document or maintain any consent, authorization or permission obtained from patients.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Samples: Business Associate Agreement
Obligations of Covered Entity. A. It is the responsibility of Covered Entity to notify patients of any breach of PHI, including any breach of PHI involving more than 500 individuals. At no time is Business Associate to contact or speak directly to any of Covered Entity’s patients/individuals who are the subject of a breach or to the media regarding any such breach. Business Associate shall cooperate with Covered Entity as necessary to provide notification and any details pertaining to any breach.
B. Covered Entity shall provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such Notice to the extent they may affect Business Associate’s use or disclosure of PHI; Business Associate shall comply with such Notice of Privacy Practices.
C. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures. Business Associate shall act promptly upon notification of any such change to ensure that its future uses and disclosures of PHI comply with such a change. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522 to the extent such restriction relates to PHI used or disclosed by Business Associate. Business Associate shall act promptly upon notification of any such restriction to ensure that its future uses or disclosures of PHI comply with such restriction.
D. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA or the HITECH standards if done by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI.
e. Covered Entity shall use appropriate and reasonable safeguards to prevent use or disclosure of PHI. Covered Entity shall comply with the Security Rule’s administrative, technical and safeguard requirements. In addition, Covered Entity shall implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits and shall maintain and implement reasonable policies and procedures that prevent, detect, contain and correct security violations of ePHI. Covered Entity shall make its policies, procedures and documentation required by the Security Rule relating to the Safeguards available to the Secretary for the purpose of determining Covered Entity’s compliance with the Security Rule.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Samples: Business Associate Agreement
Obligations of Covered Entity. (a) Covered entity shall notify Business Associate of any:
(i) Limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI;
(ii) Changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI; or
(iii) Restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522 or applicable federal or state law, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
(b) Covered Entity shall ensure and be solely responsible that it, its employees, and its end users use the Services in compliance with HIPAA, this BAA, the Terms of Use, and all instructions provided by Business Associate to Covered Entity in any form. Any use of the Services that does not meet the requirements of this Section 4(b) shall cause the following to occur:
(i) All representations and warranties by Business Associate that the Services will appropriately safeguard PHI and electronic PHI disclosed by or created or received by Business Associate on behalf of Covered Entity or otherwise comply with HIPAA to be null and void;
(ii) Business Associate is not and will not be liable in any manner under any legal theory for any violation of HIPAA or other claim that arises in relation to Covered Entity’s use of the Services; and
(iii) Business Associate may, at its option and without notice, penalty or liability to Business Associate, terminate any and all agreements with Covered Entity.
(c) Covered entity shall not request Business Associate to collect, use, or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
(d) Upon request by Covered Entity, Business Associate may agree to interact with Covered Entity’s proprietary software or selected third-party software, products, or other services (in each case, “Other Software”) as part of Business Associate’s provision of the Services to Covered Entity. In such case, the parties hereto agree that (i) Covered entity is solely responsible for ensuring that the Other Software is HIPAA-compliant; (ii) Business Associate shall interact with the Other Software as part of its Services to Covered Entity pursuant to Covered Entity’s written instructions; (iii) Business Associate reserves the right to refuse to interact with the Other Software if doing so would, in Business Associate’s sole discretion, conflicts with the Terms of Use, this BAA, HIPAA, or Business Associate’s policies or protocols; (iii) Business Associate is not and will not be responsible for the provision, maintenance, or compliance of any Other Software.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Samples: Business Associate Agreement
Obligations of Covered Entity. a. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to that notice.
b. Covered Entity shall promptly provide Business Associate with any changes in, or revocation of, permission by an individual (or an individual’s personal representative) to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
c. Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.
d. Covered Entity acknowledges that it shall provide to, or request from, the Business Associate only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI except as provided herein in accordance with 45 CFR §164.504(e). Covered Entity shall disclose or provide access to Business Associate only the minimum PHI necessary for Business Associate to perform its obligations as required by the Privacy Rule and 42 U.S.C. § 17935(b). Covered Entity in performing its obligations and exercising its rights under this BAA shall use and disclose PHI in compliance with the HIPAA Rules. Notwithstanding the above, where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of PHI unless it satisfies the requirements of a valid authorization giving Covered Entity permission to use PHI for purposes other than treatment, payment, or health care operations, or to disclose PHI to a third party specified by the individual. If required, Covered Entity acknowledges that it remains responsible for obtaining such consent, authorization or permission that may be required by law or regulation (as opposed to individual consents or authorizations that may be required from plan participants in certain circumstances) for Business Associate to provide its services on behalf of Covered Entity and that Covered Entity shall provide Business Associate with advance written notice of any restrictions or changes to Covered Entity’s Notice of Privacy Practices that would limit the uses and disclosures of PHI otherwise permitted herein. Covered Entity acknowledges that Business Associate shall only be required to comply with such changes to its Notice of Privacy Practices which are known to Business Associate and to the extent required by applicable law or regulation. Covered Entity shall provide to Business Associate a written list of the names of those individuals in its Workforce that are authorized to receive or access PHI on its behalf, and to provide reasonable prior written notice to Business Associate of any changes to such list. In the absence of Covered Entity providing such list, Business Associate may assume, consistent with 45 CFR §164.504(f), that those individuals that are members of the Workforce of Covered Entity who request or receive PHI from Business Associate are performing plan administration activities for Covered Entity, and are authorized to receive or access PHI on its behalf.
Samples: Addendum to Agreement
Obligations of Covered Entity. 4.1. Covered Entity shall:
a. Notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR §164.520 to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
b. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
c. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522 to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
d. Protect PHI and electronic PHI (ePHI) from loss, theft, or data breach. In the event of a loss of PHI or ePHI, due to willful misconduct, negligence, or an omission of controls causing a loss of data or data breach by the Covered Entity, the Covered Entity will be liable for damages for any violation of the HIPAA Security Rule.
e. Limit disclosure of PHI to Business Associate’s employees, contractors, or service providers, including those providing professional services or technical support.
f. Provide HIPAA Compliance training for all staff that have the potential to access, manage, see, or assist with any PHI. Covered Entity agrees to conduct annual HIPAA Compliance Training and certify completion by all such staff upon request.
g. Conduct annual HIPAA Compliance Risk Assessments of their policies, procedures, and technical environment to ensure that PHI and ePHI is secure.
h. Remediate risks that have been found in the HIPAA Compliance Risk Assessment within 60 days or notify Business Associate if remediation will take longer.
i. Ensure that the design, development, testing, deployment, maintenance, and behavior of automations created by Covered Entity utilizing Business Associate’s products, if applicable, comply with the Security Rule’s administrative, technical and safeguard requirements. In addition, Covered Entity shall implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits and shall maintain and implement reasonable policies and procedures that prevent, detect, contain and correct security violations of ePHI. Covered Entity shall make its policies, procedures and documentation required by the Security Rule relating to the Safeguards available to the Secretary for the purpose of determining Covered Entity’s compliance with the Security Rule.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164and Security Rules.
Samples: Business Associate Agreement
Obligations of Covered Entity. (a) Covered Entity will notify Business Associate, in writing and in a timely manner, of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 C.F.R. §164.520 and its policies regarding the “minimum necessary” requirements in accordance with 45 C.F.R. §164.502(b) to the extent that such limitation may affect Business Associate’s Use or Disclosure of Protected Health Information, and will notify Business Associate of any material changes thereof.
(b) Covered Entity will notify Business Associate, in writing and in a timely manner, of any changes in, or revocation of, permission by an Individual to Use or Disclose that person’s Protected Health Information, if such changes may affect Business Associate’s Use or Disclosure of Protected Health Information.
(c) Covered Entity will notify Business Associate, in writing and in a timely manner, of any restriction on the Use and/or Disclosure of Protected Health Information to which Covered Entity has agreed or is required to abide by under 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of Protected Health Information.
(d) Covered Entity agrees to comply with all applicable state and federal privacy and security laws and regulations, including the HIPAA Rules. Covered Entity agrees to obtain any patient authorizations or consents that may be required under state or federal law or regulation in order to transmit Protected Health Information to Business Associate and to enable Business Associate and its subcontractors to Use and Disclose Protected Health Information as contemplated by this BAA and the Terms of Use.
(e) Covered Entity may not ask Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under applicable laws and rules, including the HIPAA Rules, if done by Covered Entity, except that Business Associate may Use or Disclose Protected Health Information for its proper management and administration, data aggregation, and other activities specifically permitted by this BAA.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Samples: Business Associate Addendum
Obligations of Covered Entity. a. Covered Entity agrees that Covered Entity, its directors, officers, subcontractors, employees, affiliates, agents, and representatives shall: Be responsible for using appropriate Administrative, Physical, and Technical Safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate pursuant to this Agreement, in accordance with the standards and requirements of the HIPAA Privacy Rule, until such PHI is received by Business Associate; Not require Business Associate to use or to disclose PHI in any manner that would violate applicable Federal and State laws if such use or disclosure were done by Covered Entity; Require Business Associate to disclose PHI directly to another party only for the purposes allowed by the Privacy Rule; and Ensure that its notice of privacy practices permits Covered Entity to use and disclose PHI in the manner that Business Associate is authorized to use and disclose PHI under the BA Agreement and the Services Agreement; Obtain any consent, authorization or permission that may be required by the HIPAA Privacy Rule or any other applicable federal, state or local laws and/or regulations prior to furnishing Business Associate the Protected Health Information pertaining to an individual for the Business Associate’s use and/or disclosure as authorized under the BA Agreement and the Services Agreement; Not furnish Business Associate Protected Health Information that is subject to any arrangement permitted or required of Covered Entity, including but not limited to, an arrangement agreed to by Covered Entity under 45 CFR §164.522 that restricts the use and/or disclosure of Protected Health Information by the Business Associate as otherwise authorized under this BA Agreement and the Service Agreement(s); and Provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI to the extent it may affect Business Associate’s permitted or required uses or disclosures.
c. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.
d. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if made by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI.
e. Covered Entity shall use appropriate and reasonable safeguards to prevent use or disclosure of PHI. Covered Entity shall comply with the Security Rule’s administrative, technical and safeguard requirements. In addition, Covered Entity shall implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits and shall maintain and implement reasonable policies and procedures that prevent, detect, contain and correct security violations of ePHI. Covered Entity shall make its policies, procedures and documentation required by the Security Rule relating to the Safeguards available to the Secretary for the purpose of determining Covered Entity’s compliance with the Security Rule.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Samples: Business Associate Agreement
Obligations of Covered Entity. a. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to that notice.
b. Covered Entity shall promptly provide Business Associate with any changes in, or revocation of, permission by an individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
c. Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.
d. Covered Entity acknowledges that it shall provide to, or request from, the Business Associate only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder.
e. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, to the extent that such change may affect Business Associate’s use or disclosure of PHI except as provided herein in accordance with 45 CFR §164.504(e). Covered Entity shall disclose or provide access to Business Associate only the minimum PHI necessary for Business Associate to perform its obligations as required by the Privacy Rule and 42 U.S.C. § 17935(b).
f. Covered Entity in performing its obligations and exercising its rights under this Agreement shall use and disclose PHI in compliance with the HIPAA Rules. Notwithstanding the above, Covered Entity acknowledges that it remains responsible for obtaining such consent, authorization or permission that may be required by law or regulation (as opposed to individual consents or authorizations that may be required from plan participants in certain circumstances) for Business Associate to provide its services on behalf of Covered Entity and that Covered Entity shall provide Business Associate with advance written notice of any restrictions or changes to Covered Entity’s Notice of Privacy Practices that would limit the uses and disclosures of PHI otherwise permitted herein. Covered Entity acknowledges that Business Associate shall only be required to comply with such changes to its Notice of Privacy Practices which are known to Business Associate and to the extent required by applicable law or regulation. Covered Entity shall provide to Business Associate a written list of the names of those individuals in its Workforce that are authorized to receive or access PHI on its behalf, and to provide reasonable prior written notice to Business Associate of any changes to such list. In the absence of Covered Entity providing such list, Business Associate may assume, consistent with 45 CFR §164.504(f), that those individuals that are members of the Workforce of Covered Entity or, if applicable, Plan Sponsor, who request or receive PHI from Business Associate are performing plan administration activities for Covered Entity, and are authorized to receive or access PHI on its behalf.
Obligations of Covered Entity. (a) Covered Entity shall notify Business Associate of any limitations in its notice(s) of privacy practices in accordance with 45 CFR § 164.520 to the extent that such limitations may affect Business Associate's use or disclosure of PHI, provided such limitation is consistent with Business Associate's capabilities to administer such request in conformance with Business Associate's HIPAA Privacy policies and procedures which shall be in compliance with the Privacy Rule and does not otherwise conflict with or restrict the performance of services under the Business Associate Services Agreement.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes may affect Business Associate's use and disclosure of PHI, provided such change or revocation is consistent with Business Associate's capabilities to administer such request in conformance with Business Associate's HIPAA Privacy policies and procedures which shall be in compliance with the Privacy Rule and does not otherwise conflict with or restrict the performance of services under the Business Associate Services Agreement.
(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522 to the extent that such restriction may affect Business Associate's use or disclosure of PHI, provided such restriction is consistent with Business Associate's capabilities to administer such request in conformance with Business Associate's HIPAA Privacy policies and procedures which shall be in compliance with the Privacy Rule and does not otherwise conflict with or restrict the performance of services under the Contract for the State’s RFP Number 0A1049
Samples: Business Associate Agreement
Obligations of Covered Entity. cc. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of protected health information.
dd. Covered Entity shall notify Business Associate of any changes in or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect the Business Associate’s use or disclosure of protected health information.
ee. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected health information that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of protected health information.
ff. Covered Entity shall not request Business Associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
gg. Covered Entity represents and warrants it has obtained all necessary patient consents and authorizations for Business Associate’s access, use, and disclosure of PHI as set forth herein. Covered Entity shall defend, indemnify, and hold Business Associate and its officers, directors, and employees harmless from and against any third-party claims, suits, liabilities, obligations, judgments, and causes of action and associated costs and expenses (including reasonable attorneys’ fees) arising out of or resulting from Covered Entity’s failure to obtain such consents or authorizations.
f. Covered Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Covered Entity of a use or disclosure of PHI or a Breach of UPHI by Covered Entity in violation of legal requirements.
g. Covered Entity agrees to ensure that any agent, including a subProvider, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
h. Covered Entity shall comply with the administrative requirements set forth in the HIPAA Privacy Rule Part 164.
Appears in 1 contract
Obligations of Covered Entity. (a) Covered Entity represents and warrants to Business Associate that it: (1) has included, and will include, in Covered Entity's Notice of Privacy Practices that Covered Entity may disclose Protected Health Information for health care operations purposes; and (2) has obtained, and will obtain, from Individuals, consents, authorizations and other permissions necessary or required by all applicable laws applicable to Covered Entity for Business Associate and Covered Entity to fulfill their obligations under this Agreement.
(b) Covered Entity shall promptly notify Business Associate in writing of any restrictions on the Use and Disclosure of Protected Health Information about Individuals that Covered Entity has agreed to that could reasonably be expected to affect Business Associate's ability to perform its obligations under this Agreement.
(c) Covered Entity shall notify Business Associate in writing of any limitations in its Notice of Privacy Practices in accordance with 45 CFR § 164.520 to the extent that the limitations may affect Business Associate's Use or Disclosure of Protected Health Information.
(d) Covered Entity shall promptly notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to Use or Disclose Protected Health Information, if such changes or revocation could reasonably be expected to affect Business Associate's ability to perform its obligations under this Agreement.
(e) Covered Entity shall utilize Business Associate’s services in a way that ensures that Covered Entity is in compliance with HIPAA and HITECH.
(f) Covered Entity shall not request Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA or HITECH if done by Covered Entity, except to the extent that Business Associate is Using or Disclosing Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B), and/or to the extent that Business Associate is Using or Disclosing Protected Health Information for the proper management and administration of Business Associate.
(g) Covered Entity shall use its best efforts to minimize the disclosure of Protected Health Information to Business Associate where the disclosure of that information is not needed for Business Associate to provide products or services to Covered Entity.
(h) Covered Entity agrees to indemnify and hold harmless Business Associate, its directors, officers, shareholders, parents, subsidiaries, affiliates, and agents, from and against all losses, expenses, damages and costs, including reasonable attorneys’ fees, resulting from Covered Entity’s failure to fulfill its obligations under this Agreement, including without limitation resulting from Covered Entity’s failure to use Business Associate’s services in such a manner as to prevent the unauthorized Disclosure of Protected Health Information.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations of Covered Entity. A) Covered Entity shall notify Business Associate in writing of any limitations in its notice of privacy practices of Covered Entity in accordance with 45 CFR §164.520, to the extent that the limitations may affect Business Associate's use or disclosure of Protected Health Information.
B) Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that the changes or revocation may affect Business Associate's use or disclosure of Protected Health Information.
C) Covered Entity shall notify Business Associate in writing of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that the restriction may affect Business Associate's use or disclosure of Protected Health Information.
D) Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule, the Security Rule, or the HITECH Act if done by Covered Entity, except to the extent that Business Associate is using or disclosing Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B), as allowed by Section 4(C) above, and/or to the extent that Business Associate is using or disclosing Protected Health Information for the proper management and administration of Business Associate, as allowed by Section 4(B) above.
E) Covered Entity shall use its best efforts to minimize the disclosure of Protected Health Information to Business Associate where the disclosure of that information is not needed for Business Associate to provide products or services to Covered Entity.
Appears in 1 contract
Samples: Data Processing Agreement
Obligations of Covered Entity. (a) Covered Entity shall notify Business Associate of any limitation(s) in a Covered Entity’s notice of privacy practices, in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that a Covered Entity has agreed to or is required to abide by in accordance with 45 CFR § 164.522, or as mandated pursuant to Section 13405(c) of the HITECH Act, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
(d) Covered Entity agrees to disclose to Business Associate only the minimum amount of PHI necessary to accomplish the services covered in the Business Support Agreement.
(e) Covered Entity understands and agrees that in addition to obligations Required By Law, Business Associate provides services in the Business Support Agreement on the express condition that the Covered Entity fulfills its additional obligations set forth therein.
(f) Covered Entity shall obtain all consents and authorizations necessary and/or required by law for Business Associate to provide its services and to engage in uses and disclosures required by the Business Support Agreement and this BAA.
(g) Upon any suspected or actual Breach of Unsecured PHI, unauthorized disclosure of PHI or breach of this BAA, Covered Entity shall meet and confer in good faith with Business Associate before notifying affected Individuals, reporting to government agencies, and/or commencing any legal action.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations of Covered Entity. 4.1 Covered Entity shall notify Business Associate of any limitation(s) of Covered Entity in its notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
4.2 Covered Entity shall notify Business Associate of any changes in or revocation of permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
4.3 Covered Entity shall use appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate pursuant to this Agreement, the Contract, and the Privacy Rule, until such PHI is received by Business Associate, pursuant to any specifications set forth in any attachment to the Contract.
4.4 Covered Entity shall manage all users of the services including its qualified access, password restrictions, inactivity timeouts, downloads, and its ability to download and otherwise process PHI.
4.5 The Parties acknowledge that Covered Entity owns and controls its data.
4.6 Covered Entity shall provide Business Associate with a copy of its notice of privacy practices produced in accordance with 45 CFR Section 164.520, as well as any subsequent changes or limitation(s) to such notice, to the extent such changes or limitations may affect Business Associate’s use or disclosure of PHI. Covered Entity shall provide Business Associate with any changes in or revocation of permission to use or disclose PHI, to the extent the changes or revocation may affect Business Associate’s permitted or required uses or disclosures. To the extent that the changes or revocations may affect Business Associate’s permitted use or disclosure of PHI, Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR Section 164.522. Covered Entity may effectuate any and all such notices of non-private information via posting on Covered Entity’s web site.
Appears in 1 contract
Samples: Professional Services
Obligations of Covered Entity. Covered Entity agrees that Covered Entity, its directors, officers, subcontractors, employees, affiliates, agents, and representatives shall:
A. Be responsible for using appropriate Administrative, Physical, and Technical Safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate pursuant to this Agreement, in accordance with the standards and requirements of the HIPAA Privacy Rule, until such PHI is received by Business Associate;
B. Not require Business Associate to use or to disclose PHI in any manner that would violate applicable Federal and State laws if such use or disclosure were done by Covered Entity;
C. Require Business Associate to disclose PHI directly to another party only for the purposes allowed by the Privacy Rule; and
D. Ensure that its notice of privacy practices permits Covered Entity to use and disclose PHI in the manner that Business Associate is authorized to use and disclose PHI under the BA Agreement and the Services Agreement;
E. Obtain any consent, authorization or permission that may be required by the HIPAA Privacy Rule or any other applicable federal, state or local laws and/or regulations prior to furnishing Business Associate the Protected Health Information pertaining to an individual for the Business Associate’s use and/or disclosure as authorized under the BA Agreement and the Services Agreement;
F. Not furnish Business Associate Protected Health Information that is subject to any arrangement permitted or required of Covered Entity, including but not limited to, an arrangement agreed to by Covered Entity under 45 CFR §164.522 that restricts the use and/or disclosure of Protected Health Information by the Business Associate as otherwise authorized under this BA Agreement and the Service Agreement(s); and
G. Provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI to the extent it may affect Business Associate’s permitted or required uses or disclosures.
Appears in 1 contract
Samples: Business Associate Agreement