Common use of Permitted Uses and Disclosures by the Business Associate Clause in Contracts

Permitted Uses and Disclosures by the Business Associate. a. Business Associate may use or disclose PHI: (i) for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate; provided, however, either (A) the disclosures are required by law, or (B) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; (ii) as required by law; (iii) for Data Aggregation services relating to the health care operations of the Covered Entity; (iv) to de-identify, consistent with 45 CFR 164.514(a) – (c), PHI it receives from the Covered Entity. If the Business Associates de-identifies the PHI it receives from the Covered Entity, the Business Associate may use the de-identified information for any purpose not prohibited by the HIPAA Rules; and (v) for any other purpose listed here: carrying out the Business Associate’s duties under the Contract. b. Business Associate agrees to make uses and disclosures and requests for PHI consistent with the Covered Entity’s minimum necessary policies and procedures. c. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity except for the specific uses and disclosures described above in 3(a)(i) and (iii).

Permitted Uses and Disclosures by the Business Associate. a. Business Associate may use or disclose PHI: (i) for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate; provided, however, either (A) the disclosures are required by law, or (B) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; (ii) as required by law; (iii) for Data Aggregation services relating to the health care operations of the Covered Entity; (iv) to de-identify, consistent with 45 CFR 164.514(a) – (c), PHI it receives from the Covered Entity. If the Business Associates de-identifies the PHI it receives from the Covered Entity, the Business Associate may use the de-identified information for any purpose not prohibited by the HIPAA Rules; and (v) for any other purpose listed here: carrying out the Business Associate’s duties under the Contract. b. . Business Associate agrees to make uses and disclosures and requests for PHI consistent with the Covered Entity’s minimum necessary policies and procedures. c. . Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity except for the specific uses and disclosures described above in 3(a)(i) and (iii).