Common use of Obligations of the Business Associate Clause in Contracts

Obligations of the Business Associate. The Business Associate shall comply with, and shall cooperate and assist in compliance with, all requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and any and all future regulations, requirements, and writings promulgated there under, including but not limited to, the following:

1. The Business Associate agrees to not use or disclose Protected Health Information other than to perform the services set forth and attached hereto and incorporated herein (the “Services”) in accordance with this Agreement. The Business Associate agrees that it will not further disclose the Protected Health Information other than as permitted or required by this Agreement or as required by law. Protected Health Information, except as otherwise set forth in 45 C.F.R. § 164.501, includes any information collected from an individual, whether oral or recorded, maintained or transmitted, in any form or medium that (i) is created or received by one or both parties to this agreement; and (ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

2. The Business Associate shall maintain the integrity of the Protected Health Information and maintain safeguards as necessary to ensure that all Protected Health Information is used and disclosed only as authorized under HIPAA and this Agreement. The Business Associate agrees to assess potential risks and vulnerabilities to the individual health data in its possession and develop, implement, and maintain appropriate security measures. These measures must be documented and kept current and must include, at a minimum, those requirements outlined in HIPAA and the regulations promulgated there under.

3. The Business Associate shall immediately report to the Covered Entity any unauthorized use or disclosure of any Protected Health Information of which it becomes aware not provided for by this Agreement, but in no event shall the notice be given later than five (5) business days after the Business Associate becomes aware of such use or disclosure. Notice shall be provided in writing to: Privacy Officer

4. The Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by, the Business Associate on behalf of the Covered Entity agrees in writing to the same restrictions and conditions that apply through this Agreement to the Business Associate with respect to such information. The Business Associate agrees to incorporate into all contracts or subcontracts where any Protected Health Information is transferred by the Business Associate the terms of this Agreement and agrees that it will only enter into such contracts or subcontracts with the consent of the Covered Entity.

5. Upon the written request of the Covered Entity, the Business Associate shall, within ten (10) days of the request, provide access to Protected Health Information in accordance with 45 C.F.R. § 164.524 to the Covered Entity or, as requested by the Covered Entity, to the subject of the Protected Health Information maintained by the Business Associate, for inspection and/or copying.

6. Upon the written request of the Covered Entity, the Business Associate shall make available Protected Health Information for amendment and incorporate any amendments or corrections to Protected Health Information in accordance with 45CFR §64.526 within ten (10) days of receipt of the request.

7. Within twenty (20) days of receipt of a written request by the Covered Entity for an accounting of disclosures of Protected Health Information regarding the subject of that information, the Business Associate shall make available to the Covered Entity such information as is in the Business Associate’s possession and is needed to make the accounting required by 45 C.F.R. § 164.528. At a minimum, the Business Associate shall provide the Covered Entity with the following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the Protected Health Information, and if known, the address of such entity or person, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. In the event the request for an accounting is delivered directly to the Business Associate, the Business Associate shall within two (2) days forward such request to the Covered Entity.

8. The Business Associate shall promptly make available to the secretary of the U.S. Department Health and Human Services and/or the secretary’s authorized representatives, this Agreement, its internal practices, all books, documents, and records relating to the use and disclosure of Protected Health Information received from, or created or received by, the Business Associate on behalf of the Covered Entity for the purposes of determining the Covered Entity’s compliance with 45 C.F.R. Part 164, Subpart E.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations of the Business Associate. The Business Associate shall comply with, and shall cooperate and assist in compliance with, all requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and any and all future regulations, requirements, and writings promulgated there under, including but not limited to, the followingwill: 1. The Business Associate agrees to (a) not use or disclose Protected Health Information other than to perform the services set forth and attached hereto and incorporated herein (the “Services”) in accordance with this Agreement. The Business Associate agrees that it will not further disclose the Protected Health Information PHI other than as permitted or required by this Agreement Contract or as required by law. Protected Health Information, except ; (b) use appropriate safeguards to prevent uses or disclosures of PHI other than as otherwise set forth in 45 C.F.R. § 164.501, includes any information collected from an individual, whether oral permitted or recorded, maintained or transmitted, in any form or medium that required by this Contract; (ic) is created or received by one or both parties to this agreement; and (ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 2. The Business Associate shall maintain the integrity of the Protected Health Information and maintain safeguards as necessary to ensure that all Protected Health Information is used and disclosed only as authorized under HIPAA and this Agreement. 
The Business Associate agrees to assess potential risks and vulnerabilities to the individual health data in its possession and develop, implement, and maintain appropriate security measures. These measures must be documented and kept current and must include, at a minimum, those requirements outlined in HIPAA and the regulations promulgated there under. 3. The Business Associate shall immediately report to the Covered Entity any unauthorized use or disclosure of any Protected Health Information PHI not permitted or required by this Contract of which it becomes aware not provided for by this Agreement, but in no event shall the notice be given later than five aware; (5d) business days after the Business Associate becomes aware of such use or disclosure. Notice shall be provided in writing to: Privacy Officer 4. The Business Associate agrees to ensure that any agentagents, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by, the Business Associate provides PHI on behalf of the Covered Entity agrees in writing agree to the same restrictions and conditions that apply through this Agreement to the Business Associate with respect to such information. The Business Associate agrees to incorporate into all contracts or subcontracts where any Protected Health Information is transferred by the Business Associate the terms PHI; (e) within 45days of this Agreement and agrees that it will only enter into such contracts or subcontracts with the consent of receiving a written request from the Covered Entity. 5. Upon Entity for a copy of PHI, make the written request of the Covered Entity, the Business Associate shall, within ten (10) days of the request, provide access to Protected Health Information in accordance with 45 C.F.R. 
§ 164.524 requested PHI available to the Covered Entity or, as requested by to enable the Covered EntityEntity to respond to an individual who seeks to inspect or copy PHI; (f) within 45 days of receiving a written request from the Covered Entity to make PHI available or to amend PHI, make the requested PHI available to the subject of the Protected Health Information maintained by the Business Associate, for inspection and/or copying. 6. Upon the written request of the Covered Entity, the Business Associate shall make available Protected Health Information Entity for amendment and incorporate any amendments or corrections to Protected Health Information in accordance with 45CFR §64.526 PHI directed by the Covered Entity; (g) within ten (10) 45 days of receipt of the request. 7. Within twenty (20) days of receipt of receiving a written request by from the Covered Entity for an accounting of disclosures of Protected Health Information regarding the subject of that informationPHI about an individual, the Business Associate shall make available provide to the Covered Entity such information as is in a listing of the Business Associate’s possession and is needed persons or entities to make the accounting required by 45 C.F.R. § 164.528. 
At a minimum, which the Business Associate shall provide has disclosed PHI about the individual within the previous six (6) years (excluding disclosures for reasons of treatment, payment, and health care operations as defined in the Privacy Rule and excluding disclosures made prior to April 14, 2003) along with the dates of, reasons for, and brief descriptions of the disclosures to enable the Covered Entity with the following information: (i) the date to respond to an individual seeking an accounting of the disclosure, (ii) the name disclosures of the entity or person who received the Protected Health Information, and if known, the address of such entity or person, individual's PHI; (iiih) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. In the event the request for an accounting is delivered directly to the Business Associate, the Business Associate shall within two (2) days forward such request to the Covered Entity. 8. The Business Associate shall promptly make available to the secretary of the U.S. Department Health and Human Services and/or the secretary’s authorized representatives, this Agreement, its internal practices, all books, documents, and records relating to the use and disclosure of Protected Health Information PHI received from, or created by, or received by, by the Business Associate on behalf of the Covered Entity for available to the purposes U.S. Department of determining Health and Human Services so that it may evaluate the Covered Entity’s compliance with 45 C.F.R. 
Part 164the Privacy Rule or Security Rule; and (i) at the termination of the Agreement, Subpart E.or of the uses and/or disclosures of the PHI by the Business Associate, if feasible, return or destroy all PHI received from, created by, or received by the Business Associate on behalf of the Covered Entity that the Business Associate still maintains in any form in connection with this Contract and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of this Contract to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

Appears in 1 contract

Samples: Provider Participation and Use Agreement

Obligations of the Business Associate. The Business Associate shall comply with, and shall cooperate and assist in compliance with, all requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and any and all future regulations, requirements, and writings promulgated there under, including but not limited to, the followinghereby agrees: 1. The Business Associate agrees a. not to not use or disclose Protected Health Information other than to perform the services set forth and attached hereto and incorporated herein (the “Services”) in accordance with this Agreement. The Business Associate agrees that it will not further disclose the Protected Health Information other than as permitted or required by this Agreement Addendum, the Services Agreement, or as required otherwise Required by law. Law; b. to use appropriate safeguards to prevent the use or disclosure of Protected Health InformationInformation not expressly permitted by this Addendum, except the Services Agreement, or as otherwise set forth in 45 C.F.R. § 164.501, includes any information collected from an individual, whether oral or recorded, maintained or transmitted, in any form or medium that (i) is created or received Required by one or both parties Law; c. to this agreement; and (ii) relates report to the past, present, Client any use or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 2. The Business Associate shall maintain the integrity disclosure of the Protected Health Information and maintain safeguards as necessary to ensure that all Protected Health Information is used and disclosed only as authorized under HIPAA and this Agreement. 
The Business Associate agrees to assess potential risks and vulnerabilities to the individual health data in its possession and develop, implement, and maintain appropriate security measures. These measures must be documented and kept current and must include, at a minimum, those requirements outlined in HIPAA and the regulations promulgated there under. 3. The Business Associate shall immediately report to the Covered Entity any unauthorized use or disclosure of any Protected Health Information of which it becomes aware not provided for by this Agreement, but in no event shall the notice be given later than five (5) business days after the Business Associate Addendum of which it becomes aware of such use or disclosure. Notice shall be provided in writing to: Privacy Officeraware; 4. The Business Associate agrees d. to ensure that any agent, including a subcontractor, to whom it the Business Associate provides any Protected Health Information received fromfrom the Client, or created or received by, by the Business Associate for or on behalf of the Covered Entity Client, agrees in writing to the same restrictions and conditions that apply through this Agreement Addendum to the Business Associate with respect to such information. The Business Associate agrees the Protected Health Information; e. to incorporate into all contracts or subcontracts where any make available Protected Health Information is transferred by to the Business Associate the terms of this Agreement Client for amendment and agrees that it will only enter into such contracts or subcontracts with the consent of the Covered Entity. 5. Upon the written request of the Covered Entity, the Business Associate shall, within ten (10) days of the request, provide access incorporate any amendments to Protected Health Information in accordance with 45 C.F.R. § 164.524 164.526; f. 
to make available to the Covered Entity or, as requested by Client the Covered Entity, information required for the Client to provide access to an individual or for the subject of the Protected Health Information maintained by the Business Associate, for inspection and/or copying. 6. Upon the written request of the Covered Entity, the Business Associate shall make available Protected Health Information for amendment and incorporate any amendments or corrections Client to Protected Health Information in accordance with 45CFR §64.526 within ten (10) days of receipt of the request. 7. Within twenty (20) days of receipt of a written request by the Covered Entity for provide an accounting of disclosures of Protected Health Information regarding the subject of that informationin accordance with 45 C.F.R. §§ 164.524, the Business Associate shall 164.528; g. to make available to the Covered Entity such information as is in the Business Associate’s possession and is needed to make the accounting required by 45 C.F.R. § 164.528. At a minimum, the Business Associate shall provide the Covered Entity with the following information: (i) the date Secretary of the disclosure, (ii) the name of the entity or person who received the Protected Health Information, and if known, the address of such entity or person, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. In the event the request for an accounting is delivered directly to the Business Associate, the Business Associate shall within two (2) days forward such request to the Covered Entity. 8. The Business Associate shall promptly make available to the secretary of the U.S. 
Department Health and Human Services and/or the secretary’s authorized representatives, this Agreement, its HHS all internal practices, all booksbooks and records, documents, and records relating to the use and disclosure of Protected Health Information received from, or created or received by, by the Business Associate from or on behalf of, the Client necessary to allow the Secretary to determine whether the Client is in compliance with the Privacy Rule regarding the PHI under this Addendum; h. to provide to the Client, within thirty (30) days of receiving a written request from the Covered Entity Client, information collected pertaining to disclosures of PHI by the Business Associate to permit the Client to respond to a request by an Individual for the purposes an accounting of determining the Covered Entity’s compliance disclosures of PHI in accordance with 45 C.F.R. Part 164§ 164.528; i. to mitigate, Subpart E.to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of Protected Health Information by the Business Associate that is in violation of this Addendum; and j. to document such disclosures of Protected Health Information and information related to such disclosures of Protected Health Information as would be required for the Client to respond to a request by an Individual for an accounting of disclosures of the Individual’s Protected Health Information in accordance with 45 C.F.R. § 164.528.

Appears in 1 contract

Samples: Employee Benefit Consulting and Administration Services Agreement

Obligations of the Business Associate. The Business Associate shall comply with, and shall cooperate and assist in compliance with, all requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and any and all future regulations, requirements, and writings promulgated there under, including but not limited to, the followinghereby agrees that it shall: 1. The Business Associate agrees to a. not use or disclose Protected Health Information other than to perform the services set forth and attached hereto and incorporated herein (the “Services”) in accordance with this Agreement. The Business Associate agrees that it will not further disclose the Protected Health Information other than as permitted or required by this Agreement Agreement, the Service Agreement, or as required otherwise Required by law. Law; b. use appropriate safeguards to prevent the use or disclosure of Protected Health InformationInformation not expressly permitted by this Agreement, except the Service Agreement, or as otherwise set forth in 45 C.F.R. § 164.501, includes any information collected from an individual, whether oral or recorded, maintained or transmitted, in any form or medium that (i) is created or received Required by one or both parties to this agreement; and (ii) relates Law; c. report to the pastCovered Entity, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that identifies the individual or with respect to which there is within five (5) days and in a reasonable basis to believe the information can be used to identify the individual. 2. 
The Business Associate shall maintain the integrity manner, any use or disclosure of the Protected Health Information and maintain safeguards as necessary to ensure that all Protected Health Information is used and disclosed only as authorized under HIPAA and this Agreement. The Business Associate agrees to assess potential risks and vulnerabilities to the individual health data in its possession and develop, implement, and maintain appropriate security measures. These measures must be documented and kept current and must include, at a minimum, those requirements outlined in HIPAA and the regulations promulgated there under. 3. The Business Associate shall immediately report to the Covered Entity any unauthorized use or disclosure of any Protected Health Information of which it becomes aware not provided for by this AgreementAgreement of which it becomes aware, but in no event shall including the notice be given later than five (5) business days after details of any security incident to include the Business Associate becomes aware date, nature, and scope of such use or disclosure. Notice shall be provided in writing to: Privacy Officerthe incident, and response thereto; 4. The Business Associate agrees to d. ensure that any agent, including a subcontractor, to whom it the Business Associate provides any Protected Health Information received fromfrom the Covered Entity, or created or received by, by the Business Associate for or on behalf of the Covered Entity Entity, agrees in writing to the same restrictions and conditions that apply through this Agreement to the Business Associate with respect to such information. The the Protected Health Information, and Business Associate agrees shall maintain confidentiality agreements with its agents and subcontractors as necessary to incorporate into all contracts or subcontracts where any perform the services under the Service Agreement; e. 
make available Protected Health Information is transferred by the Business Associate the terms of this Agreement and agrees that it will only enter into such contracts or subcontracts with the consent of the Covered Entity. 5. Upon the written request of to the Covered Entity, the Business Associate shall, within ten five (105) days of the requestand in a reasonable manner, provide access for amendment and incorporate any amendments to Protected Health Information in accordance with 45 C.F.R. § 164.524 to the Covered Entity or, as requested by the Covered Entity, to the subject of the Protected Health Information maintained by the Business Associate, for inspection and/or copying.164.526; 6. Upon the written request of the Covered Entity, the Business Associate shall make available Protected Health Information for amendment and incorporate any amendments or corrections to Protected Health Information in accordance with 45CFR §64.526 within ten (10) days of receipt of the request. 7. Within twenty (20) days of receipt of a written request by the Covered Entity for an accounting of disclosures of Protected Health Information regarding the subject of that information, the Business Associate shall f. make available to the Covered Entity such information as is Entity, within five (5) days and in the Business Associate’s possession and is needed to make the accounting required by 45 C.F.R. § 164.528. At a minimumreasonable manner, the Business Associate shall provide information required for the Covered Entity with to provide access to an individual or for the following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the Protected Health Information, and if known, the address of such entity or person, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. 
In the event the request for Covered Entity to provide an accounting is delivered directly to the Business Associateof disclosures in accordance with 45 C.F.R. §§ 164.524, the Business Associate shall within two (2) days forward such request to the Covered Entity.164.528; 8. The Business Associate shall promptly g. make available to the secretary Secretary of the U.S. Department Health HHS immediately, and Human Services and/or the secretary’s authorized representativesin no event longer than three (3) days and in a reasonable manner, this Agreement, its all internal practices, all booksbooks and records, documents, and records relating to the use and disclosure of Protected Health Information received from, or created or received by, by the Business Associate from or on behalf of of, the Covered Entity for necessary to allow the purposes of determining Secretary to determine whether the Covered Entity is in compliance with the Privacy Rule regarding the PHI under this Agreement; h. provide to the Covered Entity’s compliance , within five (5) days and in a reasonable manner, of receiving a written request from the Covered Entity, information collected pertaining to disclosures of PHI by the Business Associate to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. Part 164§ 164.528; i. mitigate, Subpart E.to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of Protected Health Information by the Business Associate that is in violation of this Agreement; j. document such disclosures of Protected Health Information and information related to such disclosures of Protected Health Information as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of the Individual’s Protected Health Information in accordance with 45 C.F.R. § 164.528;

Appears in 1 contract

Samples: Licensing Procedure
