Permissible Use and Disclosure of PHI.

A. Except as otherwise limited in this Agreement, or by privilege, protection, or confidentiality under HIPAA, MCMRA, or other applicable law, Business Associate may use or disclose (including permitting acquisition or access to) PHI to perform applicable functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement. Moreover, the provisions of HIPAA are expressly incorporated by reference into, and made a part of, this Agreement.

B. Business Associate may use or disclose (including permitting acquisition or access to) PHI only as permitted or required by this Agreement or as Required By Law.

C. Business Associate is directly responsible for full compliance with the relevant requirements of HIPAA.

D. Business Associate must not use or disclose (including permitting acquisition or access to) PHI other than as permitted or required by this Agreement or HIPAA, and must use or disclose PHI only in a manner consistent with HIPAA. As part of this, Business Associate must use appropriate safeguards to prevent use or disclosure of PHI that is not permitted by this Agreement or HIPAA. Furthermore, Business Associate must take reasonable precautions to protect PHI from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

E. Business Associate must implement and comply with administrative, physical, and technical safeguards governing the PHI, in a manner consistent with HIPAA, that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.

F. Business Associate must immediately notify Covered Entity, in a manner consistent with HIPAA, of: (i) any use or disclosure of PHI not provided for by this Agreement, including a Breach of PHI of which it knows or by exercise of reasonable diligence would have known, as required at 45 CFR §164.410; and, (ii) any Security Incident of which it becomes aware as required at 45 CFR §164.314(a)(2)(i)(C). Business Associate’s notification to Covered Entity required by HIPAA and this Section III.F must:

1. Be made to Covered Entity without unreasonable delay and in no case later than 14 calendar days after Business Associate: a) knows, or by exercising reasonable diligence would have known, of a Breach, b) becomes aware of a Security Incident, or c) becomes aware of any use or disclosure of PHI not provided for by this Agreement;

2. Include the names and addresses of the Individual(s) whose PHI is the subject of a Breach, Security Incident, or use or disclosure of PHI not provided for by this Agreement. In addition, Business Associate must provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach, Security Incident, or use or disclosure of PHI not provided for by this Agreement;

3. Be in substantially the same form as Exhibit A hereto;

4. Include a brief description of what happened, including the date of the Breach, Security Incident, or use or disclosure of PHI not provided for by this Agreement, if known, and the date of the discovery of the Breach, Security Incident, or use or disclosure of PHI not provided for by this Agreement;

5. Include a description of the type(s) of Unsecured PHI that was involved in the Breach, Security Incident, or use or disclosure of PHI not provided for by this Agreement (such as full name, Social Security number, date of birth, home address, account number, disability code, or other types of information that were involved);

6. Identify the nature and extent of the PHI involved, including the type(s) of identifiers and the likelihood of re-identification;

7. If known, identify the unauthorized person who used or accessed the PHI or to whom the disclosure was made;

8. Articulate any steps the affected Individual(s) should take to protect him or herself from potential harm resulting from the Breach, Security Incident, or use or disclosure of PHI not permitted by this Agreement;

9. State whether the PHI was actually acquired or viewed;

10. Provide a brief description of what the Covered Entity and the Business Associate are doing to investigate the Breach, Security Incident, or use or disclosure of PHI not provided for by this Agreement, to mitigate losses, and to protect against any further Breach, Security Incident, or use or disclosure of PHI not provided for by this Agreement;

11. Note contact information and procedures for an Individual(s) to ask questions or learn additional information, which must include a toll-free telephone number of Business Associate, along with an e-mail address, Web site, or postal address; and

12. Include a draft letter for the Covered Entity to utilize, in the event Covered Entity elects, in its sole discretion, to notify the Individual(s) that his or her PHI is the subject of a Breach, Security Incident, or use or disclosure of PHI not provided for by this Agreement that includes the information noted in Section III.F.4 – III.F.11 above.

G. Business Associate must, and is expected to, directly and independently fulfill all notification requirements under HIPAA.

H. In the event of a Breach, Security Incident, or use or disclosure of PHI not provided for by this Agreement, Business Associate must mitigate, to the extent practicable, any harmful effects of said disclosure that are known to it.

I. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any agent, subcontractor, or employee to whom it provides PHI (received from, or created or received by, Business Associate on behalf of Covered Entity) agrees to the same restrictions, conditions, and requirements that apply through this Agreement to Business Associate with respect to such information.

J. Business Associate must ensure that any contract or other arrangement with a subcontractor meets the requirements of paragraphs 45 CFR §164.314(a)(2)(i) and (a)(2)(ii) required by 45 CFR § 164.308(b)(3) between a Business Associate and a subcontractor, in the same manner as such requirements apply to contracts or other arrangements between a Covered Entity and Business Associate.

K. Pursuant to 45 CFR § 164.502(a)(4)(ii), Business Associate must disclose PHI to the Covered Entity, Individual, or Individual's designee, as necessary to satisfy a Covered Entity's obligations under § 164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of PHI.

L. To the extent applicable, Business Associate must provide access to PHI in a Designated Record Set at reasonable times, at the request of Covered Entity or as directed by Covered Entity, to an Individual specified by Covered Entity in order to meet the requirements under 45 CFR § 164.524.

M. A Business Associate that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, must not use or disclose PHI that is genetic information for underwriting purposes, in accordance with the provisions of 45 CFR 164.502.

N. To the extent applicable, Business Associate must make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to, pursuant to 45 CFR § 164.526, at the request of Covered Entity or an Individual.

O. Business Associate must, upon request with reasonable notice, provide Covered Entity access to its premises for a review and demonstration of its internal practices and procedures for safeguarding PHI.

P. Business Associate must, upon request and with reasonable notice, furnish to Covered Entity security and privacy audit results, risk analyses, security and privacy policies and procedures, details of previous Breaches and Security Incidents, and documentation of controls.

Q. Business Associate must also maintain records indicating who has accessed PHI about an Individual in an electronic designated record set and information related to such access, in accordance with 45 C.F.R. § 164.528. Business Associate must document such disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Should an Individual make a request to Covered Entity for an accounting of disclosures of his or her PHI pursuant to 45 C.F.R. § 164.528, Business Associate must promptly provide Covered Entity with information in a format and manner sufficient to respond to the Individual's request.

R. Business Associate must, upon request and with reasonable notice, provide Covered Entity with an accounting of uses and disclosures of PHI that was provided to it by Covered Entity.

S. Business Associate must make its internal practices, books, records, and any other material requested by the Secretary relating to the use, disclosure, and safeguarding of PHI received from Covered Entity available to the Secretary for the purpose of determining compliance with HIPAA. Business Associate must make the aforementioned information available to the Secretary in the manner and place as designated by the Secretary or the Secretary's duly appointed delegate. Under this Agreement, Business Associate must comply and cooperate with any request for documents or other information from the Secretary directed to Covered Entity that seeks documents or other information held or controlled by Business Associate.

T. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 42 C.F.R. § 164.502(j)(1).

U. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate or the Underlying Agreement, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required By Law or for the limited purpose for which it was disclosed to the person, and the person must agree to notify Business Associate of any instance of any Breach, Security Incident, or use or disclosure of PHI not provided for by this Agreement of which it is aware in which the confidentiality of the information has been breached.

V. Business Associate understands that, pursuant to 45 CFR § 160.402, the Business Associate is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation of the HIPAA rules based on the act or omission of any agent of the Business Associate, including a workforce member or subcontractor, acting within the scope of the agency.