Common use of OBLIGATIONS TO SAFEGUARD PROTECTED HEALTH INFORMATION Clause in Contracts

OBLIGATIONS TO SAFEGUARD PROTECTED HEALTH INFORMATION. 4.1 Business Associate shall implement, use, and maintain appropriate safeguards to prevent the Use or Disclosure of Protected Health Information other than as provided for by this Business Associate Agreement. 4.2 Business Associate shall comply with Subpart C of 45 C.F.R Part 164 with respect to Electronic Protected Health Information, to prevent the Use or Disclosure of such information other than as provided for by this Business Associate Agreement. 4.3 Business Associate shall be responsible for the provision of an annual mandatory information security and privacy training, for all staff that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate or the County, at the time of initial employment and on an ongoing basis as required by federal and State law, including but not limited to Health Insurance Portability and Accountability Act (HIPAA). 4.3.1 Business Associate shall monitor, track, document and make available upon request by the federal, State and/or County government the annual information security and privacy training (e.g., training bulletins/flyers, sign-in sheets specifying name and function of staff, and/or individual certificates of completion, etc.) provided to Business Associate’s workforce members, including clerical, administrative/management, clinical, subcontractors, and independent contractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate or the County. 4.4 Business Associate shall ensure that all workforce members, including clerical, administrative, management, clinical, subcontractors, and independent contractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate or the County, sign a confidentiality statement that includes, at a minimum, General Use, Security and Privacy Safeguards, Unacceptable Use, and Enforcement Policies. The statement must be signed by the workforce member prior to access sensitive content such as Protected Health Information. The statement must be renewed annually. 4.5 Appropriate sanctions must be applied against workforce members who fail to comply with any provisions of Business Associate’s security and privacy policies and procedures, including termination of employment where appropriate.