Common use of Obligations of the Business Associate Clause in Contracts

Obligations of the Business Associate. To the extent that a Party is acting as a Business Associate of the PHI Source and is in possession of or has access to PHI, the Business Associate agrees as follows:

2.1 The Business Associate agrees to not use or disclose PHI other than as permitted or required to perform the services (“Services”) described in the Portal Access Agreement and/or this Agreement, as requested by the PHI Source, or as required by law.

2.2 The Business Associate agrees to use appropriate safeguards to comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this Agreement and/or the Portal Access Agreement and shall develop, implement, maintain, and use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of the PHI Source.

2.3 The Business Associate agrees to report to the PHI Source any use or disclosure of PHI not provided for by this Agreement within five (5) days of becoming aware of such use or disclosure, including breaches of unsecured PHI as required by 45 CFR 164.410.

2.4 The Business Associate agrees to report to the PHI Source any Breach of Unsecured Protected Health Information, as defined in 45 CFR 164.402. Following the initial notification of any such Breach, the Business Associate shall provide a report to the PHI Source that includes, to the extent possible: (a) a brief description of what happened, including the date of occurrence and the date of the discovery by the Business Associate; (b) a description of the PHI affected, including the names of any Individuals whose PHI has been or is reasonably believed to have been accessed, acquired or disclosed and the types of PHI involved (such as full name, social security number, date of birth, home address, account numbers, etc.); and (c) a brief description of what the Business Associate has done to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breaches. The Business Associate also shall provide to the PHI Source any other available information the PHI Source is required to include in its notification to affected Individual(s).

2.5 The Business Associate agrees to mitigate, to the extent possible, any and all harm resulting from a use or disclosure of PHI not provided for by this Agreement, Breach of Unsecured Protected Health Information or any Security Incident resulting in potential harm.

2.6 The Business Associate agrees to ensure that any agent or subcontractor that creates, receives, maintains, or transmits PHI agrees to the same restrictions, conditions, and requirements that apply through this Agreement to the Business Associate with respect to such PHI and agrees to implement reasonable and appropriate safeguards to protect such PHI. Where Quality Corp is acting as the Business Associate, Quality Corp agrees to limit the use of subcontractors, including the Data Services Vendor, providing services under this Agreement to business entities within the United States. However, the Data Services Vendor may utilize its wholly owned and controlled subsidiaries located outside the United States to provide supporting services and functions as long as such subsidiaries fully comply with the provisions of HIPAA in the same manner as the Data Services Vendor.

2.7 The Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI reasonably available to the Secretary of the Department of Health and Human Services for purposes of determining the PHI Source’s and Business Associate’s compliance with this Agreement and HIPAA.

2.8 At the Business Associate’s reasonable written request, the PHI Source agrees to provide (a) access to PHI maintained in a Designated Record Set to assist the Data Supplier in meeting its obligations under 45 CFR Part 164, (b) make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Data Supplier pursuant to 45 CFR 164.526, (c) make available the information required to provide an accounting of disclosures of PHI made by the Business Associate as necessary to permit the PHI Source to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.

Appears in 2 contracts

Samples: Reciprocal Business Associate and Data Use Agreement, Reciprocal Business Associate and Data Use Agreement


Obligations of the Business Associate. To the extent that a Party is acting as a The Business Associate of the PHI Source and is in possession of or has access to PHI, the Business Associate agrees as followsAssociatewill: 2.1 The Business Associate agrees to (a) not use or further disclose PHI other than as permitted or required to perform the services (“Services”) described herein, in the Portal Access Agreement and/or this any written Agreement, as requested by the PHI Source, or as required by law. 2.2 The Business Associate agrees to (b) use appropriate safeguards to comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use uses or disclosure disclosures of PHI other than as provided for herein or by this Agreement and/or the Portal Access Agreement and shall develop, implement, maintain, and use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of the PHI Sourceany written Agreement. 2.3 The Business Associate agrees to (c) report to the PHI Source Covered Entity any use or disclosure of PHI not provided for herein or by this any written Agreement within five of which it becomesaware. (5d) days of becoming aware of such use or disclosureensure that any agents, including breaches of unsecured PHI as required by 45 CFR 164.410. 2.4 The Business Associate agrees a subcontractor, to report to the PHI Source any Breach of Unsecured Protected Health Information, as defined in 45 CFR 164.402. 
Following the initial notification of any such Breach, whom the Business Associate shall provide a report to the provides PHI Source that includes, to the extent possible: (a) a brief description of what happened, including the date of occurrence and the date on behalf of the discovery by the Business Associate; (b) a description of the PHI affected, including the names of any Individuals whose PHI has been or is reasonably believed to have been accessed, acquired or disclosed and the types of PHI involved (such as full name, social security number, date of birth, home address, account numbers, etc.); and (c) a brief description of what the Business Associate has done to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breaches. The Business Associate also shall provide to the PHI Source any other available information the PHI Source is required to include in its notification to affected Individual(s). 2.5 The Business Associate agrees to mitigate, to the extent possible, any and all harm resulting from a use or disclosure of PHI not provided for by this Agreement, Breach of Unsecured Protected Health Information or any Security Incident resulting in potential harm. 2.6 The Business Associate agrees to ensure that any agent or subcontractor that creates, receives, maintains, or transmits PHI agrees Covered Entity agree to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to the Business Associate with respect to such the PHI (e) within 45 days of receiving a written request from the Covered Entity for a copy of PHI, make the requested PHI available to the Covered Entity to enable the Covered Entity to respond to an individual who seeks to inspect or copy PHI. 
(f) within 45 days of receiving a written request from the Covered Entity to make PHI available or to amend PHI, make the requested PHI available to the Covered Entity for amendment and agrees incorporate any amendments to implement reasonable and appropriate safeguards PHI directed by the Covered Entity. (g) within 45 days of receiving a written request from the Covered Entity for an accounting of disclosures of PHI about an individual, provide to protect such PHI. Where Quality Corp is acting as the Covered Entity a listing of the persons or entities to which the Business Associate, Quality Corp agrees to limit Associate has disclosed PHI about the use of subcontractors, including the Data Services Vendor, providing services under this Agreement to business entities individual within the United States. Howeverprior 6 years (excluding disclosures for reasons of treatment, payment, and health care operations as defined in the Data Services Vendor may utilize its wholly owned Privacy Rule and controlled subsidiaries located outside the United States excluding disclosures made prior to provide supporting services and functions as long as such subsidiaries fully comply April 14, 2003) along with the provisions dates of, reasons for, and brief descriptions of HIPAA in the same manner as disclosures to enable the Data Services VendorCovered Entity to respond to an individual seeking an accounting of the disclosures of the individual's PHI. 2.7 The Business Associate agrees to (h) make its internal practices, books, and records relating to the use and disclosure of PHI reasonably received from, created by, or received by the Business Associate on behalf of the Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining so that it may evaluate the PHI Source’s and Business AssociateCovered Entity’s compliance with this Agreement and HIPAAthe Privacy Rule. 
2.8 The (i) at the termination of any Agreement, or of the uses and/or disclosures of the PHI by the Business Associate’s reasonable written request, the if feasible, return or destroy all PHI Source agrees to provide (a) access to PHI maintained in a Designated Record Set to assist the Data Supplier in meeting its obligations under 45 CFR Part 164received from, (b) make any amendment(s) to PHI in a Designated Record Set as directed created by, or agreed to by the Data Supplier pursuant to 45 CFR 164.526, (c) make available the information required to provide an accounting of disclosures of PHI made received by the Business Associate as necessary on behalf of the Covered Entity that the Business Associate still maintains in any form in connection with this Contract and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of this Contract to permit the PHI Source and limit further uses and disclosures to respond to a request by an Individual for an accounting those purposes that make the return or destruction of disclosures of the PHI in accordance with 45 CFR 164.528infeasible.

Appears in 1 contract

Samples: Medicare Shared Savings Participation Agreement


Obligations of the Business Associate. To the extent that a Party is acting as a Business Associate of the PHI Source and is in possession of or has access to PHI, the Business Associate agrees as follows:

2.1 The Business Associate agrees to not use or disclose PHI other than as permitted or required to perform the services (“Services”) described in the Portal Access Agreement and/or this Agreement, as requested by the PHI Source, or as required by law.

2.2 The Business Associate agrees to use appropriate safeguards to comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this Agreement and/or the Portal Access Agreement and shall develop, implement, maintain, and use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of the PHI Source.

2.3 The Business Associate agrees to report to the PHI Source any use or disclosure of PHI not provided for by this Agreement within five (5) days of becoming aware of such use or disclosure, including breaches of unsecured PHI as required by 45 CFR 164.410.

2.4 The Business Associate agrees to report to the PHI Source any Breach of Unsecured Protected Health Information, as defined in 45 CFR 164.402. Following the initial notification of any such Breach, the Business Associate shall provide a report to the PHI Source that includes, to the extent possible: (a) a brief description of what happened, including the date of occurrence and the date of the discovery by the Business Associate; (b) a description of the PHI affected, including the names of any Individuals whose PHI has been or is reasonably believed to have been accessed, acquired or disclosed and the types of PHI involved (such as full name, social security number, date of birth, home address, account numbers, etc.); and (c) a brief description of what the Business Associate has done to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breaches. The Business Associate also shall provide to the PHI Source any other available information the PHI Source is required to include in its notification to affected Individual(s).

2.5 The Business Associate agrees to mitigate, to the extent possible, any and all harm resulting from a use or disclosure of PHI not provided for by this Agreement, Breach of Unsecured Protected Health Information or any Security Incident resulting in potential harm.

2.6 The Business Associate agrees to ensure that any agent or subcontractor that creates, receives, maintains, or transmits PHI agrees to the same restrictions, conditions, and requirements that apply through this Agreement to the Business Associate with respect to such PHI and agrees to implement reasonable and appropriate safeguards to protect such PHI. Where Quality Corp is acting as the Business Associate, Quality Corp agrees to limit the use of subcontractors, including the Data Services Vendor, providing services under this Agreement to business entities within the United States. However, the Data Services Vendor may utilize its wholly owned and controlled subsidiaries located outside the United States to provide supporting services and functions as long as such subsidiaries fully comply with the provisions of HIPAA in the same manner as the Data Services Vendor.

2.7 The Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI reasonably available to the Secretary of the Department of Health and Human Services for purposes of determining the PHI Source’s and Business Associate’s compliance with this Agreement and HIPAA.

2.8 At the Business Associate’s reasonable written request, the PHI Source agrees to provide (a) access to PHI maintained in a Designated Record Set to assist the Data Supplier in meeting its obligations under 45 CFR Part 164, (b) make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Data Supplier pursuant to 45 CFR 164.526, (c) make available the information required to provide an accounting of disclosures of PHI made by the Business Associate as necessary to permit the PHI Source to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.

Appears in 1 contract

Samples: Reciprocal Business Associate and Data Use Agreement
