Permitted Uses and Disclosures by the Business Associate. (a) Except as otherwise limited in this Agreement, the Business Associate may use or disclose PHI on behalf of the Covered Entity for purposes of providing the services described hereinabove and described in any written agreement between the parties, provided that such use or disclosure shall not violate HIPAA, the HITECH Act, the Privacy Rule, the Security Rule, or the HIE Statute if done by the Covered Entity, including, but not limited to, the minimum necessary to accomplish the purpose of the use or disclosure. The Business Associate agrees to comply with the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessary.”
(b) Except as otherwise limited in this Agreement, the Business Associate may use PHI for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate.
(c) Except as otherwise limited in this Agreement, the Business Associate may disclose PHI to a third person for the proper management and administration of the Business Associate, provided that such disclosures are Required By Law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and may only be used or further disclosed as Required By Law, or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been the subject of a Security Breach.
(d) The Business Associate may use PHI to report violations of law to appropriate federal and state authorities in accordance with 45 C.F.R. § 164.502(j)(1).
(e) The Business Associate may use and disclose PHI only if each such use and disclosure is in compliance with each applicable requirement of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule, and the HIE Statute, including but not limited to 45 C.F.R. § 164.504(e).
(f) The Business Associate may de-identify any and all PHI that it obtains from the Covered Entity, provided such de-identification is accomplished in accordance with the requirements of 45 C.F.R. § 164.514(a) and (b).
(g) Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services related to the Covered Entity’s health care operations.
(h) Except as otherwise limited in this Agreement, the Business Associate may use PHI provided by the Covered Entity to create a Limited Data Set. The Business Associate may use the Limited Data Set only for the purposes of research, public health, or health care operations. The Business Associate shall not use or further disclose the information in the Limited Data Set other than as permitted by this Agreement or as otherwise required by law. The Business Associate shall use appropriate safeguards to prevent use or disclosure of the information in the Limited Data Set other than as provided for by this Agreement and shall report to the Covered Entity any use or disclosure of the information not provided for by this Agreement of which it becomes aware. The Business Associate shall not identify the information in the Limited Data Set or contact the Individuals who are the subjects of the information, and shall ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the Business Associate under this Agreement with respect to such information.
Appears in 4 contracts
Samples: Business Associate and Data Use Agreement, Business Associate and Data Use Agreement, Business Associate and Data Use Agreement
Permitted Uses and Disclosures by the Business Associate. (a) Except as otherwise limited in this Agreement, the Business Associate may use or disclose PHI on behalf of the Covered Entity for purposes of providing the services described hereinabove and described in any written agreement between the parties, provided that such use or disclosure shall not violate HIPAA, the HITECH Act, the Privacy Rule, the or Security Rule, or the HIE Statute Rule if done by the Covered Entity, including, but not limited to, the minimum necessary to accomplish the purpose of the use or disclosure. The Business Associate agrees to comply with the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessary.”
(b) Except as otherwise limited in this Agreement, the Business Associate may use PHI for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate.
(cb) Except as otherwise limited in this AgreementBAA, the Business Associate may disclose PHI to a third person for the proper management and administration of the Business Associate, provided that such disclosures are Required By Law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and may only be used or further disclosed as Required By Law, or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been the subject of a Security Breach.
(dc) The Business Associate may use PHI to report violations of law to appropriate federal and state authorities in accordance with 45 C.F.R. CFR § 164.502(j)(1).
(e) The Business Associate may use and disclose PHI only if each such use and disclosure is in compliance with each applicable requirement of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule, and the HIE Statute, including but not limited to 45 C.F.R. § 164.504(e).
(fd) The Business Associate may de-identify any and all PHI that it obtains from the Covered Entity, provided but only if such de-identification is accomplished in accordance with the requirements of 45 C.F.R. CFR § 164.514(a514 (a) and (b).
(ge) Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services related to the Covered Entity’s health care operations.
(h) Except as otherwise limited in this Agreement, the Business Associate may use PHI provided by the Covered Entity to create a Limited Data Set. The Business Associate may use the Limited Data Set and disclose PHI only for the purposes if such use and disclosure is in compliance with each applicable requirement of research, public health, or health care operations. The Business Associate shall not use or further disclose the information in the Limited Data Set other than as permitted by this Agreement or as otherwise required by law. The Business Associate shall use appropriate safeguards to prevent use or disclosure of the information in the Limited Data Set other than as provided for by this Agreement and shall report to the Covered Entity any use or disclosure of the information not provided for by this Agreement of which it becomes aware. The Business Associate shall not identify the information in the Limited Data Set or contact the Individuals who are the subjects of the information, and shall ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the Business Associate under this Agreement with respect to such information45 CFR § 164.504(e).
Appears in 2 contracts
Samples: Business Associate Agreement, Business Associate Agreement
Permitted Uses and Disclosures by the Business Associate. (a) Except as otherwise limited in this Agreement, the Business Associate may use or disclose PHI on behalf of the Covered Entity PO for purposes of providing the services described hereinabove and described in any written agreement between the parties, provided that such use or disclosure shall not violate HIPAA, the HITECH Act, the Privacy Rule, or the Security Rule, or the HIE Statute Rule if done by the Covered Entity, including, but not limited to, the minimum necessary to accomplish the purpose of the use or disclosure. The Business Associate agrees to comply with the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessaryPO.”
(b) Except as otherwise limited in this Agreement, the Business Associate may use PHI for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate.
(c) Except as otherwise limited in this Agreement, the Business Associate may disclose PHI to a third person Subcontractor for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that such disclosures are Required By Lawrequired by law, or that the Business Associate obtains reasonable assurances from the person Subcontractor to whom the information is disclosed that it will shall remain confidential and may only be used or further disclosed as Required By Lawrequired by law, or for the purpose for which it was disclosed to the personSubcontractor, and the person Subcontractor notifies the Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been the subject of a Security Incident or Breach.
(d) The Except as otherwise limited in this Agreement, the Business Associate may use PHI to report violations of law provide data aggregation services to appropriate federal and state authorities in accordance with 45 C.F.R. § 164.502(j)(1)the PO.
(e) The Business Associate may use and disclose PHI only if each such use and disclosure is in compliance with each applicable requirement of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule, and the HIE Statute, including but not limited to 45 C.F.R. § 164.504(e).
(f) The Business Associate may de-identify Deidentify any and all PHI that it obtains from the Covered EntityPO, provided but only if such de-identification Deidentification is accomplished in accordance with the requirements of 45 C.F.R. § 164.514(a) and (b).
(g) Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services related to the Covered Entity’s health care operations.
(h) Except as otherwise limited in this Agreement, the Business Associate may use PHI provided by the Covered Entity to create a Limited Data Set. The Business Associate may use the Limited Data Set only for the purposes of research, public health, or health care operations. The Business Associate shall not use or further disclose the information in the Limited Data Set other than as permitted by this Agreement or as otherwise required by law. The Business Associate shall use appropriate safeguards to prevent use or disclosure of the information in the Limited Data Set other than as provided for by this Agreement and shall report to the Covered Entity any use or disclosure of the information not provided for by this Agreement of which it becomes aware. The Business Associate shall not identify the information in the Limited Data Set or contact the Individuals who are the subjects of the information, and shall ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the Business Associate under this Agreement with respect to such information.
Appears in 1 contract
Samples: Business Associate Agreement
Permitted Uses and Disclosures by the Business Associate. (a) Except as otherwise limited in this Agreement, the Business Associate may use or disclose PHI on behalf of the Covered Entity for purposes of providing the services described hereinabove and described in any written agreement between the parties, provided that such use or disclosure shall not violate HIPAA, the HITECH Act, the Privacy Rule, the Security Rule, or the HIE Statute HIPAA if done by the Covered Entity, including, including but not limited to, the minimum necessary to accomplish the purpose of the use or disclosure. The Business Associate agrees to comply with the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessary.”
(b) Except as otherwise limited in this Agreement, the Business Associate may use PHI for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate.
(c) Except as otherwise limited in this Agreement, the Business Associate may disclose PHI to a third person for the proper management and administration of the Business Associate, provided that such disclosures are Required By Law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and may only be used or further disclosed as Required By Law, or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been the subject of a Security Breach.
(d) Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services to the Covered Entity.
(e) The Business Associate may use PHI to report violations of law to appropriate federal and state authorities in accordance with 45 C.F.R. § 164.502(j)(1).
(ef) The Business Associate may de-identify any and all PHI that it obtains from the Covered Entity, but only if such de-identification is accomplished in accordance with the requirements of 45 C.F.R. § 514(a) and (b).
(g) The Business Associate may use and disclose PHI only if each such use and disclosure is in compliance with each applicable requirement of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule, and the HIE Statute, including but not limited to 45 C.F.R. § 164.504(e).
(f) The Business Associate may de-identify any and all PHI that it obtains from the Covered Entity, provided such de-identification is accomplished in accordance with the requirements of 45 C.F.R. § 164.514(a) and (b).
(g) Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services related to the Covered Entity’s health care operations.
(h) Except as otherwise limited in this Agreement, the Business Associate may use PHI provided by the Covered Entity to create a Limited Data Set. The Business Associate may use the Limited Data Set only for the purposes of research, public health, or health care operations. The Business Associate shall not use or further disclose the information in the Limited Data Set other than as permitted by this Agreement or as otherwise required by law. The Business Associate shall use appropriate safeguards to prevent use or disclosure of the information in the Limited Data Set other than as provided for by this Agreement and shall report to the Covered Entity any use or disclosure of the information not provided for by this Agreement of which it becomes aware. The Business Associate shall not identify the information in the Limited Data Set or contact the Individuals who are the subjects of the information, and shall ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the Business Associate under this Agreement with respect to such information.
Appears in 1 contract
Samples: Business Associate Agreement
Permitted Uses and Disclosures by the Business Associate. (a) Except as otherwise limited in this Agreement, the Business Associate may obtain and/or use PHI as necessary to perform its obligation to provide services to, for, or disclose PHI on behalf of the Covered Entity for purposes of providing the services described hereinabove and described in any written agreement between the partiesPlans, so long as such access and/or use is either permitted or required by law and, provided further, that the Business Associate has met all legal requirements for such use or disclosure shall not violate HIPAA, the HITECH Act, the Privacy Rule, the Security Rule, or the HIE Statute if done by the Covered Entity, includingaccess and/or use. This specifically includes, but is not limited to, the minimum Business Associate’s access and/or use of PHI as necessary to accomplish perform the purpose of services set forth in the use or disclosure. The service agreement between the Business Associate agrees to comply with and the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessaryCity.”
(b) Except as otherwise limited The Business Associate may not use or disclose PHI in this Agreementa manner that would violate the HIPAA Rules. If the Agreement permits the Business Associate to use or disclose PHI for its own management and administration and legal responsibilities, or for data aggregation services, then disclosure is permitted for the specific uses and disclosures set forth below.
i) The Business Associate may use PHI for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate.
(cii) Except as otherwise limited in this Agreement, the The Business Associate may disclose PHI to a third person for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that such the disclosures are Required By Lawrequired by law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it the information will remain confidential and may only be used used, or further disclosed disclosed, only as Required By Law, required by law or for the purpose purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it becomes is aware in which the confidentiality of the information has been the subject of a Security Breachbreached.
(diii) The Business Associate may use PHI to report violations of law to appropriate federal and state authorities in accordance with 45 C.F.R. § 164.502(j)(1).
(e) The Business Associate may use and disclose PHI only if each such use and disclosure is in compliance with each applicable requirement of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule, and the HIE Statute, including but not limited to 45 C.F.R. § 164.504(e).
(f) The Business Associate may de-identify any and all PHI that it obtains from the Covered Entity, provided such de-identification is accomplished in accordance with the requirements of 45 C.F.R. § 164.514(a) and (b).
(g) Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services related relating to the health care operations of the Covered Entity’s health care operations.
(h) Except as otherwise limited in this Agreement, the Business Associate may use PHI provided by the Covered Entity to create a Limited Data Set. The Business Associate may use the Limited Data Set only for the purposes of research, public health, or health care operations. The Business Associate shall not use or further disclose the information in the Limited Data Set other than as permitted by this Agreement or as otherwise required by law. The Business Associate shall use appropriate safeguards to prevent use or disclosure of the information in the Limited Data Set other than as provided for by this Agreement and shall report to the Covered Entity any use or disclosure of the information not provided for by this Agreement of which it becomes aware. The Business Associate shall not identify the information in the Limited Data Set or contact the Individuals who are the subjects of the information, and shall ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the Business Associate under this Agreement with respect to such information.
Appears in 1 contract
Samples: Business Associate Agreement
Permitted Uses and Disclosures by the Business Associate. (a) Except as otherwise limited in this Agreement, the Business Associate may use or disclose PHI on behalf of the Covered Entity for purposes of providing the services described hereinabove and described in any written agreement between the parties, provided that such use or disclosure shall not violate HIPAA, the HITECH Act, the Privacy Rule, the or Security Rule, or the HIE Statute Rule if done by the Covered Entity, including, including but not limited to, the minimum necessary to accomplish the purpose of the use or disclosure. The Business Associate agrees to comply with the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessary.”
(b) Except as otherwise limited in this Agreement, the Business Associate may use PHI for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate.
(c) Except as otherwise limited in this Agreement, the Business Associate may disclose PHI to a third person for the proper management and administration of the Business Associate, provided that such disclosures are Required By Law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and may only be used or further disclosed as Required By Law, or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been the subject of a Security Breach.
(d) Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services to the Covered Entity. As part of these services, Business Associate may, in its discretion, utilize a Limited Data Set, subject to the restrictions on uses of Limited Data Sets contained in the Privacy Rule or Security Rule.
(e) The Business Associate may use PHI to report violations of law to appropriate federal and state authorities in accordance with 45 C.F.R. § 164.502(j)(1).
(ef) The Business Associate may de-identify any and all PHI that it obtains from the Covered Entity, but only if such de-identification is accomplished in accordance with the requirements of 45 C.F.R. § 514(a) and (b).
(g) The Business Associate may use and disclose PHI only if each such use and disclosure is in compliance with each applicable requirement of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule, and the HIE Statute, including but not limited to 45 C.F.R. § 164.504(e).
(f) The Business Associate may de-identify any and all PHI that it obtains from the Covered Entity, provided such de-identification is accomplished in accordance with the requirements of 45 C.F.R. § 164.514(a) and (b).
(g) Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services related to the Covered Entity’s health care operations.
(h) Except as otherwise limited in this Agreement, the Business Associate may use PHI provided by the Covered Entity to create a Limited Data Set. The Business Associate may use the Limited Data Set only for the purposes of research, public health, or health care operations. The Business Associate shall not use or further disclose the information in the Limited Data Set other than as permitted by this Agreement or as otherwise required by law. The Business Associate shall use appropriate safeguards to prevent use or disclosure of the information in the Limited Data Set other than as provided for by this Agreement and shall report to the Covered Entity any use or disclosure of the information not provided for by this Agreement of which it becomes aware. The Business Associate shall not identify the information in the Limited Data Set or contact the Individuals who are the subjects of the information, and shall ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the Business Associate under this Agreement with respect to such information.
Appears in 1 contract
Samples: Business Associate Agreement