Obligations of HeL. With regard to its use and/or disclosure of PHI, HeL agrees to:
a. Not use or disclose the PHI other than as permitted or required by this Agreement or the Underlying Contracts or as required by applicable law, rule or regulation, or by accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under the Statewide Policy Guidance, or the Privacy and Security Rules.
b. Implement and use appropriate safeguards to prevent the use or disclosure of the PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing sentence, HeL will:
(i) Implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by the Privacy and Security Rules;
(ii) Ensure that any agent, including a subcontractor, to whom HeL provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect Electronic PHI; and
(iii) Promptly (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) thereof) report to Covered Entity any Security Incident of which HeL becomes aware. Any notice of a Security Incident shall include the identification of each Individual whose Protected Health Information has been, or is reasonably believed by HeL to have been, accessed, acquired, or disclosed during such Security Incident as well as any other relevant information regarding the Security Incident, in each case to the extent such information is available to HeL and promptly after (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) thereof) such information becomes known to HeL. This Section 2.1.b(iii) constitutes notice by HeL to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by HeL shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on HeL’s firewall, port scans, unsuccessful log-in attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
c. Promptly report to Covered Entity, and mitigate, to the extent practicable, any harmful effect that is known to HeL of any use or disclosure of PHI by HeL in violation of the requirements of this Agreement and/or any Security Incident or Breach, and take steps to avoid any further similar violating uses or disclosures and/or Security Incidents or Breaches.
d. Report to Covered Entity any Breach of Unsecured PHI immediately after (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) of such Breach) the discovery (as defined in 45 C.F.R. § 164.410(a)(2)) of such Breach and provide to Covered Entity notice of all of the elements specified in 45 C.F.R. § 164.404(c) (to the extent such information is available to HeL) promptly after (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) of such Breach) such information becomes known to HeL, including, to the extent possible, the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by HeL to have been, accessed, acquired or disclosed during such Breach. HeL shall cooperate and assist Covered Entity, at no cost to Covered Entity only to the extent such Breach is caused by or resulting from the acts or omissions of HeL, its subcontractors or agents, in making notification as required by law in the event of a Breach due to HeL.
e. HeL shall cooperate and assist Covered Entity in the reasonable investigation of any violation of the requirements of this Agreement and/or any Security Incident or Breach at no cost to Covered Entity to the extent such violation, Security Incident and/or Breach is caused by or resulting from the acts or omissions of HeL, its subcontractors or agents.
f. Ensure that all of its subcontractors and agents that receive, use, or have access to PHI agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply through this Agreement to HeL with respect to such information. Covered Entity acknowledges that such writing may differ in form, but will not differ in substance from this Agreement. If HeL becomes aware of a pattern of activity or practice of a subcontractor or agent that would constitute a material breach or violation of the subcontractor’s or agent’s obligations under such writing, HeL shall take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, terminate the contract or arrangement, if feasible.
g. Upon 10 days’ written notice by Covered Entity, provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet applicable access requirements of the Privacy and Security Rules. If Covered Entity is required to provide access to PHI in a Designated Record Set in a specific format, HeL will provide access to PHI in such format to the extent HeL maintains PHI in such format in accordance with Section 13405(e) of the HITECH Act. HeL will handle direct requests made by Individuals for access to PHI in accordance with HeL’s Policies and Procedures.
h. Upon 10 days’ written notice by Covered Entity, make, or make available for, amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual. If an Individual makes a request for an amendment to PHI directly to HeL, HeL shall notify Covered Entity of the request within 3 business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
i. Subject to attorney-client and any other applicable legal privilege, make its internal practices, books and records, including policies and procedures relating to the use and disclosure of PHI, available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) or his/her designee, in the reasonable time and manner specified by the Secretary, for purposes of the Secretary determining compliance of Covered Entity with the HIPAA Rules. Subject to the legal privileges referred to above and as otherwise permitted by law, HeL shall, within 10 business days after receipt of such request, notify Covered Entity of any request for access by HHS and shall provide Covered Entity with a copy of the HHS request for access and all materials to be disclosed pursuant thereto.
j. Document such disclosures of PHI as would be required for Covered Entity to respond, in accordance with the HIPAA Rules, to a request by any Individual for an accounting of disclosures of PHI in accordance with the requirements of the HIPAA Rules.
k. Upon 10 days’ written notice by Covered Entity, make available or provide to Covered Entity or the Individual information collected in accordance with Section 2.1(j), to permit Covered Entity to respond, in accordance with the HIPAA Rules, to a request by an Individual for an accounting of disclosures of PHI. If an Individual makes a request for an accounting directly to HeL, HeL shall notify Covered Entity of the request within 3 business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
l. Upon written notice by Covered Entity that the Underlying Contract will be terminated for any reason (including, for example, by virtue of Covered Entity’s dissolution), return to Covered Entity or destroy and, unless return or destruction is infeasible, certify to Covered Entity in writing of any such destruction, within thirty (30) days of HeL’s receipt of such notice, all PHI obtained from Covered Entity or created or obtained by HeL on behalf of Covered Entity with respect to the Underlying Contract, including such PHI that is in the possession of HeL’s subcontractors and agents, and retain no copies if it is feasible to do so; provided, however, that prior to destroying or returning PHI, the Parties will meet and confer in order to reach a mutually satisfactory resolution with respect to the feasibility of destroying or returning the PHI and HeL’s right to continued use and disclosure of the PHI. If return or destruction of the PHI is infeasible as reasonably determined by HeL, HeL shall extend all protections contained in this Agreement to HeL’s use and/or disclosure of any retained PHI, and limit any further uses and/or disclosures to the purposes set forth in Section 2.2 of this Agreement. This Provision shall apply to PHI that is in the possession of subcontractors or agents of HeL.
m. Comply with HITECH as applicable to HeL.
n. To the extent HeL is required to carry out Covered Entity’s obligations under 45 C.F.R. subpart E, comply with the requirements of such subpart that apply to Covered Entity in the performance of such obligations, including, but not limited to, minimum necessary and document retention standards.
o. In receiving, storing, processing, or otherwise dealing with any “patient identifying information” or “records” as defined in 42 C.F.R. § 2.11, from an alcohol/drug abuse “program,” as defined in 42 C.F.R. § 2.11, that is federally assisted in a manner described in 42 C.F.R. § 2.12(b), and that is operated by Covered Entity, to be fully bound by the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.
p. Resist in judicial proceedings any efforts to obtain access to “patient identifying information” or “records” as defined in 42 C.F.R. § 2.11 and as maintained by HeL, other than as permitted by the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.
q. Comply with all applicable federal and state laws and regulations governing the confidentiality of information provided by Covered Entity including, without limitation, New York Public Health Law §§ 18 (Access to Patient Information) & 2780 et seq.; New York Mental Hygiene Law §§ 22.05 & 33.13; New York Civil Rights Law § 79-l; New York General Business Law §§ 399-dd (Confidentiality of Social Security Account Number), 399-h, & 899-aa; New York Civil Practice Law and Rules (CPLR) §§ 2302(a), 4504, 4507, 4508, & 4510 and CPLR R. 3122(a); chapter 5 of title 10 of the Official Compilation of Codes, Rules, and Regulations of the State of New York (NYCRR); 10 NYCRR § 63.6(k); Federal Rules of Evidence R. 501; and 21 C.F.R. § 1304.24(d).
r. Pursuant to New York General Business Law § 899-aa(2)&(3) and in conformity with paragraph 2.1(a) of this Agreement, within 15 days after discovery thereof, notify Covered Entity of any “breach of the security of the system,” as defined in New York General Business Law § 899-aa(1)(c), that involves PHI containing individuals’ “private information,” as defined in New York General Business Law § 899-aa(1)(b), that was, or was reasonably believed to be, acquired from HeL by a person without valid authorization.
s. In the event HeL chooses to destroy the PHI in its possession in compliance with paragraph 2.1(l) of this Agreement, and that PHI contains “personal identifying information” as defined in New York General Business Law § 399-h(1)(d), dispose of such information in conformity with New York General Business Law § 399-h(2).
Appears in 3 contracts
Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
Obligations of HeL. With regard to its use and/or disclosure of PHI, HeL agrees to:
a. Not use or disclose the PHI other than as permitted or required by this Agreement or the Underlying Contracts or as required by applicable law, rule or regulation, or by accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under the Statewide Policy Guidance, or the Privacy and Security Rules.
b. Implement and use appropriate safeguards to prevent the use or disclosure of the PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing sentence, HeL will:
i. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by the Privacy and Security Rules;
ii. Ensure that any agent, including a subcontractor, to whom HeL provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect Electronic PHI; and
iii. Promptly (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) thereof) report to Covered Entity any Security Incident of which HeL becomes aware. Any notice of a Security Incident shall include the identification of each Individual whose Protected Health Information has been, or is reasonably believed by HeL to have been, accessed, acquired, or disclosed during such Security Incident as well as any other relevant information regarding the Security Incident, in each case to the extent such information is available to HeL and promptly after (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) thereof) such information becomes known to HeL. This Section 2.1.b(iii) constitutes notice by HeL to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by HeL shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on HeL’s firewall, port scans, unsuccessful log-in attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
c. Promptly report to Covered Entity, and mitigate, to the extent practicable, any harmful effect that is known to HeL of any use or disclosure of PHI by HeL in violation of the requirements of this Agreement and/or any Security Incident or Breach, and take steps to avoid any further similar violating uses or disclosures and/or Security Incidents or Breaches.
d. Report to Covered Entity any Breach of Unsecured PHI immediately after (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) of such Breach) the discovery (as defined in 45 C.F.R. § 164.410(a)(2)) of such Breach and provide to Covered Entity notice of all of the elements specified in 45 C.F.R. § 164.404(c) (to the extent such information is available to HeL) promptly after (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) of such Breach) such information becomes known to HeL, including, to the extent possible, the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by HeL to have been, accessed, acquired or disclosed during such Breach. HeL shall cooperate and assist Covered Entity, at no cost to Covered Entity only to the extent such Breach is caused by or resulting from the acts or omissions of HeL, its subcontractors or agents, in making notification as required by law in the event of a Breach due to HeL.
e. HeL shall cooperate and assist Covered Entity in the reasonable investigation of any violation of the requirements of this Agreement and/or any Security Incident or Breach at no cost to Covered Entity to the extent such violation, Security Incident and/or Breach is caused by or resulting from the acts or omissions of HeL, its subcontractors or agents.
f. Ensure that all of its subcontractors and agents that receive, use, or have access to PHI agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply through this Agreement to HeL with respect to such information. Covered Entity acknowledges that such writing may differ in form, but will not differ in substance from this Agreement. If HeL becomes aware of a pattern of activity or practice of a subcontractor or agent that would constitute a material breach or violation of the subcontractor’s or agent’s obligations under such writing, HeL shall take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, terminate the contract or arrangement, if feasible.
g. Upon 10 days’ written notice by Covered Entity, provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet applicable access requirements of the Privacy and Security Rules. If Covered Entity is required to provide access to PHI in a Designated Record Set in a specific format, HeL will provide access to PHI in such format to the extent HeL maintains PHI in such format in accordance with Section 13405(e) of the HITECH Act. HeL will handle direct requests made by Individuals for access to PHI in accordance with HeL’s Policies and Procedures.
h. Upon 10 days’ written notice by Covered Entity, make, or make available for, amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual. If an Individual makes a request for an amendment to PHI directly to HeL, HeL shall notify Covered Entity of the request within 3 business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
i. Subject to attorney-client and any other applicable legal privilege, make its internal practices, books and records, including policies and procedures relating to the use and disclosure of PHI, available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) or his/her designee, in the reasonable time and manner specified by the Secretary, for purposes of the Secretary determining compliance of Covered Entity with the HIPAA Rules. Subject to the legal privileges referred to above and as otherwise permitted by law, HeL shall, within 10 business days after receipt of such request, notify Covered Entity of any request for access by HHS and shall provide Covered Entity with a copy of the HHS request for access and all materials to be disclosed pursuant thereto.
j. Document such disclosures of PHI as would be required for Covered Entity to respond, in accordance with the HIPAA Rules, to a request by any Individual for an accounting of disclosures of PHI in accordance with the requirements of the HIPAA Rules.
k. Upon 10 days’ written notice by Covered Entity, make available or provide to Covered Entity or the Individual information collected in accordance with Section 2.1(j), to permit Covered Entity to respond, in accordance with the HIPAA Rules, to a request by an Individual for an accounting of disclosures of PHI. If an Individual makes a request for an accounting directly to HeL, HeL shall notify Covered Entity of the request within 3 business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
l. Upon written notice by Covered Entity that the Underlying Contract will be terminated for any reason (including, for example, by virtue of Covered Entity’s dissolution), return to Covered Entity or destroy and, unless return or destruction is infeasible, certify to Covered Entity in writing of any such destruction, within thirty (30) days of HeL’s receipt of such notice, all PHI obtained from Covered Entity or created or obtained by HeL on behalf of Covered Entity with respect to the Underlying Contract, including such PHI that is in the possession of HeL’s subcontractors and agents, and retain no copies if it is feasible to do so; provided, however, that prior to destroying or returning PHI, the Parties will meet and confer in order to reach a mutually satisfactory resolution with respect to the feasibility of destroying or returning the PHI and HeL’s right to continued use and disclosure of the PHI. If return or destruction of the PHI is infeasible as reasonably determined by HeL, HeL shall extend all protections contained in this Agreement to HeL’s use and/or disclosure of any retained PHI, and limit any further uses and/or disclosures to the purposes set forth in Section 2.2 of this Agreement. This Provision shall apply to PHI that is in the possession of subcontractors or agents of HeL.
m. Comply with HITECH as applicable to HeL.
n. To the extent HeL is required to carry out Covered Entity’s obligations under 45 C.F.R. subpart E, comply with the requirements of such subpart that apply to Covered Entity in the performance of such obligations, including, but not limited to, minimum necessary and document retention standards.
o. In receiving, storing, processing, or otherwise dealing with any “patient identifying information” or “records” as defined in 42 C.F.R. § 2.11, from an alcohol/drug abuse “program,” as defined in 42 C.F.R. § 2.11, that is federally assisted in a manner described in 42 C.F.R. § 2.12(b), and that is operated by Covered Entity, to be fully bound by the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.
p. Resist in judicial proceedings any efforts to obtain access to “patient identifying information” or “records” as defined in 42 C.F.R. § 2.11 and as maintained by HeL, other than as permitted by the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.
q. Comply with all applicable federal and state laws and regulations governing the confidentiality of information provided by Covered Entity including, without limitation, New York Public Health Law §§ 18 (Access to Patient Information) & 2780 et seq.; New York Mental Hygiene Law §§ 22.05 & 33.13; New York Civil Rights Law § 79-l; New York General Business Law §§ 399-dd (Confidentiality of Social Security Account Number), 399-h, & 899-aa; New York Civil Practice Law and Rules (CPLR) §§ 2302(a), 4504, 4507, 4508, & 4510 and CPLR R. 3122(a); chapter 5 of title 10 of the Official Compilation of Codes, Rules, and Regulations of the State of New York (NYCRR); 10 NYCRR § 63.6(k); Federal Rules of Evidence R. 501; and 21 C.F.R. § 1304.24(d).
r. Pursuant to New York General Business Law § 899-aa(2)&(3) and in conformity with paragraph 2.1(a) of this Agreement, within 15 days’ after discovery thereof, notify Covered Entity of any “breach of the security of the system,” as defined in New York General Business Law § 899-aa(1)(c), that involves PHI containing individuals’ “private information,” as defined in New York General Business Law § 899-aa(1)(b), that was, or was reasonably believed to be, acquired from HeL by a person without valid authorization.
s. In the event HeL chooses to destroy the PHI in its possession in compliance with paragraph 2.1(l) of this Agreement, and that PHI contains “personal identifying information” as defined in New York General Business Law § 399-h(1)(d), dispose of such information in conformity with New York General Business Law § 399-h(2).
Appears in 1 contract
Samples: Business Associate Agreement
Obligations of HeL. With regard to its use and/or disclosure of PHI, HeL XxX agrees to:
a. Not use or disclose the PHI other than as permitted or required by this Agreement or the Underlying Contracts or as required by applicable law, rule or regulation, or by accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under the Statewide Policy Guidance, or the Privacy and Security Rules.
b. Implement and use appropriate safeguards to prevent the use or disclosure of the PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing sentence, HeL will:
(i) Implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by the Privacy and Security Rules;
(ii) Ensure that any agent, including a subcontractor, to whom HeL XxX provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect Electronic PHI; and
(iii) Promptly (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) thereof) report to Covered Entity any Security Incident of which HeL becomes aware. Any notice of a Security Incident shall include the identification of each Individual whose Protected Health Information has been, or is reasonably believed by HeL to have been, accessed, acquired, or disclosed during such Security Incident as well as any other relevant information regarding the Security Incident, in each case to the extent such information is available to HeL and promptly after (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) thereof) such information becomes known to HeL. This Section 2.1.b(iii) constitutes notice by HeL to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by HeL shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on HeL’s firewall, port scans, unsuccessful log-in attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
c. Promptly report to Covered Entity, and mitigate, to the extent practicable, any harmful effect that is known to HeL of any use or disclosure of PHI by HeL in violation of the requirements of this Agreement and/or any Security Incident or Breach, and take steps to avoid any further similar violating uses or disclosures and/or Security Incidents or Breaches.
d. Report to Covered Entity any Breach of Unsecured PHI immediately after (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) of such Breach) the discovery (as defined in 45 C.F.R. § 164.410(a)(2)) of such Breach and provide to Covered Entity notice of all of the elements specified in 45 C.F.R. § 164.404(c) (to the extent such information is available to HeL) promptly after (but in no event later than 10 days after discovery (as defined in 45 C.F.R. § 164.410(a)(2)) of such Breach) such information becomes known to HeL, including, to the extent possible, the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by HeL to have been, accessed, acquired or disclosed during such Breach. HeL shall cooperate and assist Covered Entity, at no cost to Covered Entity only to the extent such Breach is caused by or resulting from the acts or omissions of HeL, its subcontractors or agents, in making notification as required by law in the event of a Breach due to HeL.
e. HeL shall cooperate and assist Covered Entity in the reasonable investigation of any violation of the requirements of this Agreement and/or any Security Incident or Breach at no cost to Covered Entity to the extent such violation, Security Incident and/or Breach is caused by or resulting from the acts or omissions of HeL, its subcontractors or agents.
f. Ensure that all of its subcontractors and agents that receive, use, or have access to PHI agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply through this Agreement to HeL with respect to such information. Covered Entity acknowledges that such writing may differ in form, but will not differ in substance from this Agreement. If HeL becomes aware of a pattern of activity or practice of a subcontractor or agent that would constitute a material breach or violation of the subcontractor's or agent’s obligations under such writing, HeL shall take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, terminate the contract or arrangement, if feasible.
g. Upon 10 days’ written notice by Covered Entity, provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet applicable access requirements of the Privacy and Security Rules. If Covered Entity is required to provide access to PHI in a Designated Record Set in a specific format, HeL will provide access to PHI in such format to the extent HeL maintains PHI in such format in accordance with Section 13405(e) of the HITECH Act. HeL will handle direct requests made by Individuals for access to PHI in accordance with HeL’s Policies and Procedures.
h. Upon 10 days’ written notice by Covered Entity, make, or make available for, amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual. If an Individual makes a request for an amendment to PHI directly to HeL, HeL shall notify Covered Entity of the request within 3 business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
i. Subject to attorney-client and any other applicable legal privilege, make its internal practices, books and records, including policies and procedures relating to the use and disclosure of PHI, available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) or his/her designee, in the reasonable time and manner specified by the Secretary, for purposes of the Secretary determining compliance of Covered Entity with the HIPAA Rules. Subject to the legal privileges referred to above and as otherwise permitted by law, HeL shall, within 10 business days after receipt of such request, notify Covered Entity of any request for access by HHS and shall provide Covered Entity with a copy of the HHS request for access and all materials to be disclosed pursuant thereto.
j. Document such disclosures of PHI as would be required for Covered Entity to respond, in accordance with the HIPAA Rules, to a request by any Individual for an accounting of disclosures of PHI in accordance with the requirements of the HIPAA Rules.
k. Upon 10 days’ written notice by Covered Entity, make available or provide to Covered Entity or the Individual information collected in accordance with Section 2.1(j), to permit Covered Entity to respond, in accordance with the HIPAA Rules, to a request by an Individual for an accounting of disclosures of PHI. If an Individual makes a request for an accounting directly to HeL, HeL shall notify Covered Entity of the request within 3 business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
l. Upon written notice by Covered Entity that the Underlying Contract will be terminated for any reason (including, for example, by virtue of Covered Entity’s dissolution), return to Covered Entity or destroy and, unless return or destruction is infeasible, certify to Covered Entity in writing of any such destruction, within thirty (30) days of HeL’s receipt of such notice, all PHI obtained from Covered Entity or created or obtained by HeL on behalf of Covered Entity with respect to the Underlying Contract, including such PHI that is in the possession of HeL’s subcontractors and agents, and retain no copies if it is feasible to do so; provided, however, that prior to destroying or returning PHI, the Parties will meet and confer in order to reach a mutually satisfactory resolution with respect to the feasibility of destroying or returning the PHI and HeL’s right to continued use and disclosure of the PHI. If return or destruction of the PHI is infeasible as reasonably determined HeL, HeL shall extend all protections contained in this Agreement to HeL’s use and/or disclosure of any retained PHI, and limit any further uses and/or disclosures to the purposes set forth in Section 2.2 of this Agreement. This Provision shall apply to PHI that is in the possession of subcontractors or agents of HeL.
m. Comply with HITECH as applicable to HeL.
n. To the extent HeL is required to carry out Covered Entity’s obligations under 45 C.F.R. subpart E, comply with the requirements of such subpart that apply to Covered Entity in the performance of such obligations, including, but not limited to, minimum necessary and document retention standards.
o. In receiving, storing, processing, or otherwise dealing with any “patient identifying information” or “records” as defined in 42 C.F.R. § 2.11, from an alcohol/drug abuse “program,” as defined in 42 C.F.R. § 2.11, that is federally assisted in a manner described in 42 C.F.R. § 2.12(b), and that is operated by Covered Entity, to be fully bound by the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.
p. Resist in judicial proceedings any efforts to obtain access to “patient identifying information” or “records” as defined in 42 C.F.R. § 2.11 and as maintained by HeL, other than as permitted by the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.
q. Comply with all applicable federal and state laws and regulations governing the confidentiality of information provided by Covered Entity including, without limitation, New York Public Health Law §§ 18 (Access to Patient Information) & 2780 et seq.; New York Mental Hygiene Law §§ 22.05 & 33.13; New York Civil Rights Law § 79-l; New York General Business Law §§ 399-dd (Confidentiality of Social Security Account Number), 399-h, & 899-aa; New York Civil Practice Law and Rules (CPLR) §§ 2302(a), 4504, 4507, 4508, & 4510 and CPLR R. 3122(a); chapter 5 of title 10 of the Official Compilation of Codes, Rules, and Regulations of the State of New York (NYCRR); 10 NYCRR § 63.6(k); Federal Rules of Evidence R. 501; and 21 C.F.R. § 1304.24(d).
r. Pursuant to New York General Business Law § 899-aa(2)&(3) and in conformity with paragraph 2.1(a) of this Agreement, within 15 days’ after discovery thereof, notify Covered Entity of any “breach of the security of the system,” as defined in New York General Business Law § 899-aa(1)(c), that involves PHI containing individuals’ “private information,” as defined in New York General Business Law § 899-aa(1)(b), that was, or was reasonably believed to be, acquired from HeL by a person without valid authorization.
s. In the event HeL chooses to destroy the PHI in its possession in compliance with paragraph 2.1(l) of this Agreement, and that PHI contains “personal identifying information” as defined in New York General Business Law § 399-h(1)(d), dispose of such information in conformity with New York General Business Law § 399-h(2).
Appears in 1 contract
Samples: Business Associate Agreement