Common use of Obligations of the Business Associate Clause in Contracts

Obligations of the Business Associate. Business Associate shall not and shall ensure that its directors, officers, employees, contractors, subcontractors and agents do not use or further use or disclose Protected Health Information in any manner that would constitute a violation of HIPAA Rules other than as permitted or required by this Agreement or as Required By Law. Business Associate acknowledges Business Associate is required by law to use appropriate safeguards and comply with the HIPAA Security Rule at 45 CFR 164 Subpart C. When applicable, Business Associate shall comply with the Business and Academic Partner Network Access Technical Requirements as detailed in Exhibit B if Business Associate has access to Covered Entity network. Business Associate agrees to mitigate, to the extent practicable, any potential business pattern, practice or effect that is known to the Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. Business Associate agrees, within ten (10) calendar days of becoming aware of any use or disclosure of Protected Health Information not specifically allowed for by this Agreement and in violation of the HIPAA Rules, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, that it will report in writing to Covered Entity any such use or disclosure. In the event that Covered Entity determines a Breach of Unsecured Protected Health Information has occurred, Business Associate agrees to provide Covered Entity a report including patient name, contact information, nature/cause of the breach, Protected Health Information breached and the date or period of time during which the breach occurred, within five (5) business days from the date the Covered Entity determines a Breach of Unsecured Protected Health Information has occurred. Business Associate shall be responsible for any and all costs incurred by Covered Entity related to notification of individuals or next of kin (if the individual is deceased) of any breach of Unsecured Protected Health Information reported by Business Associate to Covered Entity. Business Associate agrees to immediately report to the Covered Entity any security incident of which it becomes aware. Business Associate agrees to ensure that any employee, agent or third party, including but not limited to a subcontractor, to whom the Business Associate provides Protected Health Information received from, created by, or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions, conditions and requirements that apply through this Agreement to Business Associate with respect to such information. Where Business Associate keeps a Designated Record Set of Protected Health Information, Business Associate agrees to make available Protected Health Information in a designated record set to Covered Entity, within five (5) business days of the request of Covered Entity or, as directed by Covered Entity, to an Individual or an Individual’s designee, as necessary in order to meet the Covered Entity’s obligations under 45 CFR 164.524(c)(2)(ii).; and (3)(ii) with respect to an Individual’s request for an electronic copy of Protected Health Information. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to, at the request of Covered Entity or an Individual, in a time and manner necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. Business Associate agrees to document any such use or disclosures of Protected Health Information and information related to such use or disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under 45 CFR Part 164 Subpart E, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, within ten (10) days of the request of the Covered Entity in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with HIPAA Rules. Business Associate agrees to disclose to Covered Entity its policies, plans and procedures for compliance with regard to applicable HIPAA Rules and this Agreement upon the request of Covered Entity. Business Associate shall maintain at its own expense professional liability insurance or self-insurance coverage in the amount of $1,000,000 per occurrence and $3,000,000 in the annual aggregate for alleged errors or omissions or negligent acts in the performance of professional services rendered or that should have been rendered.

Obligations of the Business Associate. (a) Business Associate shall not and shall ensure that its directors, officers, employees, contractors, subcontractors and agents do not use or further use or disclose Protected Health Information in any manner that would constitute a violation of HIPAA Rules other than as permitted or required by this Agreement or as Required By Law. . (b) Business Associate acknowledges Business Associate is required by law to use appropriate safeguards and comply with the HIPAA Security Rule at 45 CFR 164 Subpart C. C. (c) When applicable, Business Associate shall comply with the Business and Academic Partner Network Access Technical Requirements as detailed in Exhibit B if Business Associate has access to Covered Entity network. . (d) Business Associate agrees to mitigate, to the extent practicable, any potential business pattern, practice or effect that is known to the Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. . (e) Business Associate agrees, within ten (10) calendar days of becoming aware of any use or disclosure of Protected Health Information not specifically allowed for by this Agreement and in violation of the HIPAA Rules, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, that it will report in writing to Covered Entity any such use or disclosure. . (f) In the event that Covered Entity determines a Breach of Unsecured Protected Health Information has occurred, Business Associate agrees to provide Covered Entity a report including patient name, contact information, nature/cause of the breach, Protected Health Information breached and the date or period of time during which the breach occurred, within five (5) business days from the date the Covered Entity determines a Breach of Unsecured Protected Health Information has occurred. Business Associate shall be responsible for any and all costs incurred by Covered Entity related to notification of individuals or next of kin (if the individual is deceased) of any breach of Unsecured Protected Health Information reported by Business Associate to Covered Entity. . (g) Business Associate agrees to immediately report to the Covered Entity any security incident of which it becomes aware. . (h) Business Associate agrees to ensure that any employee, agent or third party, including but not limited to a subcontractor, to whom the Business Associate provides Protected Health Information received from, created by, or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions, conditions and requirements that apply through this Agreement to Business Associate with respect to such information. . (i) Where Business Associate keeps a Designated Record Set of Protected Health Information, Business Associate agrees to make available Protected Health Information in a designated record set to Covered Entity, within five (5) business days of the request of Covered Entity Entity, or, as directed by Covered Entity, to an Individual or an Individual’s designee, as necessary in order to meet the Covered Entity’s obligations under 45 CFR 164.524(c)(2)(ii).; and (3)(ii) with respect to an Individual’s request for an electronic copy of Protected Health Information. . (j) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to, to at the request of Covered Entity or an Individual, in a time and manner necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. . (k) Business Associate agrees to document any such use or disclosures of Protected Health Information and information related to such use or disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under 45 CFR Part 164 Subpart E, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, within ten (10) days of the request of the Covered Entity in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with HIPAA Rules. . (n) Business Associate agrees to disclose to Covered Entity its policies, plans and procedures for compliance with regard to applicable HIPAA Rules and this Agreement upon the request of Covered Entity. Business Associate shall maintain at its own expense professional liability insurance or self-insurance coverage in the amount of $1,000,000 per occurrence and $3,000,000 in the annual aggregate for alleged errors or omissions or negligent acts in the performance of professional services rendered or that should have been rendered.

Obligations of the Business Associate. a. Business Associate shall not and shall ensure that its directors, officers, employees, contractors, subcontractors and agents do not use or further use or disclose Protected Health Information in any manner that would constitute a violation of HIPAA Rules other than as permitted or required by this Agreement BAA or as Required By Law. . b. Business Associate acknowledges Business Associate is required by law to use appropriate safeguards and comply with the HIPAA Security Rule at 45 CFR 164 Subpart C. When applicable, Business Associate shall comply with the Business and Academic Partner Network Access Technical Requirements as detailed in Exhibit B if Business Associate has access to Covered Entity network. C. c. Business Associate agrees to mitigate, to the extent practicable, any potential business pattern, practice or effect that is known to the Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. BAA. d. Business Associate agrees, within ten (10) calendar business days of becoming aware of any use or disclosure of Protected Health Information not specifically allowed for by this Agreement BAA and in violation of the HIPAA Rules, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, that it will report in writing to Covered Entity any such use or disclosure. . e. In the event that Covered Entity determines a Breach of Unsecured Protected Health Information has occurred, Business Associate agrees agrees, to the extent known, to provide Covered Entity a report including patient name, contact information, nature/cause of the breach, Protected Health Information breached and the date or period of time during which the breach occurred, within five (5) business days from the date the Covered Entity determines a Breach of Unsecured Protected Health Information has occurred. Business Associate shall be responsible for any and all costs incurred by Covered Entity related to notification of individuals or next of kin (if the individual is deceased) of any breach of Unsecured Protected Health Information reported by Business Associate to Covered Entity. . f. Business Associate agrees to immediately report to the Covered Entity any security incident of which it becomes aware. . g. Business Associate agrees to ensure that any employee, agent or third party, including but not limited to a subcontractor, to whom the Business Associate provides Protected Health Information received from, created by, or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions, conditions and requirements that apply through this Agreement BAA to Business Associate with respect to such information. . h. Where Business Associate keeps a Designated Record Set of Protected Health Information, Business Associate agrees to make available Protected Health Information in a designated record set to Covered Entity, within five (5) business days of the request of Covered Entity or, as directed by Covered Entity, to an Individual or an Individual’s designee, as necessary in order to meet the Covered Entity’s obligations under 45 CFR 164.524(c)(2)(ii).; and (3)(ii) with respect to an Individual’s request for an electronic copy of Protected Health Information. . i. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to, at the request of Covered Entity or an Individual, in a time and manner necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. . j. Business Associate agrees to document any such use or disclosures of Protected Health Information and information related to such use or disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. . k. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under 45 CFR Part 164 Subpart E, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). . l. Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, within ten (10) business days of the request of the Covered Entity in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with HIPAA Rules. . m. Business Associate agrees to disclose to Covered Entity its policies, plans and procedures for compliance with regard to applicable HIPAA Rules Rules, and this Agreement BAA upon the request of Covered Entity. . n. Business Associate shall maintain at its own expense professional liability insurance or self-insurance coverage in the amount of $1,000,000 per occurrence and $3,000,000 in the annual aggregate for alleged errors or omissions or negligent acts in the performance of professional services rendered or that should have been rendered.