Common use of Privacy Practices Clause in Contracts

Privacy Practices. The Provider that creates, receives, maintains, or transmits protected health information through the provision of services under the Provider Agreement shall undertake the following acts regarding such information: a. Establish physical, technical, and administrative safeguards that prevent the improper use or disclosure of the information, including: i. Designating a person or persons to be responsible for assuring the privacy of the information. ii. Developing and implementing privacy policies and procedures regarding required and permissible use and disclosure of the information. Toward that end, the Provider may only use and disclose protected health information owned by DHSS that it accesses, maintains, retains, modifies, records, stores, receives, or transmits if the use or disclosure is in compliance with each applicable requirement of 45 C.F.R. 164.504(e) of the Privacy Rule. The additional requirements of Subtitle D of the HITECH Act contained in Public Law 111-5 that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to the Provider and are incorporated into this Privacy and Security Procedures. To the extent that the Provider discloses protected health information to a third party, the Provider must obtain, prior to making any such disclosure: (1) reasonable assurances from the third party that the protected health information will be held confidential as provided in this Privacy and Security Procedures and only disclosed as required by law or for the purposes for which it was disclosed to the third party; and (2) an agreement from the third party to notify the Provider within one business day of any breach of confidentiality of the protected health information, to the extent it obtained knowledge of the breach. iii. Identifying a contact person responsible for receiving complaints, appropriately investigating, and, if necessary, taking prompt corrective action to cure any deficiencies that result from breaches of security, intrusion, or unauthorized use or disclosure of service recipient information; iv. Permitting the disclosure of the information to DHSS as a health oversight agency (without requiring the authorization of a recipient of services) for purposes of DHSS’s determination of compliance with, administration of the terms, or termination of the Provider Agreement, or assignment of services to an approved subcontractor or another provider. b. Take reasonable steps to mitigate the harmful effects of any improper use or disclosure of the information. c. Discipline workforce that violate the Provider’s privacy policies and procedures. d. Not coerce, discriminate, or retaliate against any person for exercising his or her rights regarding such information or for reporting any alleged violation of the Provider’s privacy policies and procedures.

Privacy Practices. The Provider Grantee that creates, receives, maintains, or transmits protected health information through the provision of services under the Provider Agreement in its role as grantee shall undertake the following acts regarding such information: a. Establish physical, technical, and administrative safeguards that prevent the improper use or disclosure of the information, including: i. Designating a person or persons to be responsible for assuring the privacy of the information. ii. Developing and implementing privacy policies and procedures regarding required and permissible use and disclosure of the information. Toward that end, the Provider grantee may only use and disclose protected health information owned by DHSS that it accesses, maintains, retains, modifies, records, stores, receives, or transmits if the use or disclosure is in compliance with each applicable requirement of 45 C.F.R. 164.504(e) of the Privacy Rule. The additional requirements of Subtitle D of the HITECH Act contained in Public Law 111-5 that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to the Provider grantee and are incorporated into this Privacy and Security Procedures. To the extent that the Provider grantee discloses protected health information to a third party, the Provider grantee must obtain, prior to making any such disclosure: (1) reasonable assurances from the third party that the protected health information will be held confidential as provided in this Privacy and Security Procedures and only disclosed as required by law or for the purposes for which it was disclosed to the third party; and (2) an agreement from the third party to notify the Provider grantee within one business day of any breach of confidentiality of the protected health information, to the extent it obtained knowledge of the breach. iii. Identifying a contact person responsible for receiving complaints, appropriately investigating, and, if necessary, taking prompt corrective action to cure any deficiencies that result from breaches of security, intrusion, or unauthorized use or disclosure of service grant recipient information;. iv. Permitting the disclosure of the information to DHSS as a health oversight agency (without requiring the authorization of a recipient of services) for purposes of DHSS’s determination of compliance withgrant compliance, administration of the termsgrant administration, grant termination, or termination of the Provider Agreement, or assignment of services to an approved subcontractor or another providergrant assignment. b. Take reasonable steps to mitigate the harmful effects of any improper use or disclosure of the information. c. Discipline workforce that violate the Providergrantee’s privacy policies and procedures. d. Not coerce, discriminate, or retaliate against any person for exercising his or her rights regarding such information or for reporting any alleged violation of the Providergrantee’s privacy policies and procedures.

Privacy Practices. The Provider that creates, receives, maintains, or transmits protected health information through the provision of services under the Provider Agreement shall undertake the following acts regarding such information: a. Establish physical, technical, and administrative safeguards that prevent the improper use or disclosure of the information, including: i. Designating a person or persons to be responsible for assuring the privacy of the information. ii. Developing and implementing privacy policies and procedures regarding required and permissible use and disclosure of the information. Toward that end, the Provider may only use and disclose protected health information owned by DHSS that it accesses, maintains, retains, modifies, records, stores, receives, or transmits if the use or disclosure is in compliance with each applicable requirement of 45 C.F.R. 164.504(e) of the Privacy Rule. The additional requirements of Subtitle D of the HITECH Act contained in Public Law 111-5 that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to the Provider and are incorporated into this Privacy and Security Procedures. To the extent that the Provider discloses protected health information to a third party, the Provider must obtain, prior to making any such disclosure: (1) reasonable assurances from the third party that the protected health information will be held confidential as provided in this Privacy and Security Procedures and only disclosed as required by law or for the purposes for which it was disclosed to the third party; and (2) an agreement from the third party to notify the Provider within one business day of any breach of confidentiality of the protected health information, to the extent it obtained knowledge of the breach. iii. Identifying a contact person responsible for receiving complaints, appropriately investigating, and, if necessary, taking prompt corrective action to cure any deficiencies that result from breaches of security, intrusion, or unauthorized use or disclosure of service recipient information; iv. Permitting the disclosure of the information to DHSS DFCS as a health oversight agency (without requiring the authorization of a recipient of services) for purposes of DHSS’s determination of compliance with, administration of the terms, or termination of the Provider Agreement, or assignment of services to an approved subcontractor or another provider. b. Take reasonable steps to mitigate the harmful effects of any improper use or disclosure of the information. c. Discipline workforce that violate the Provider’s privacy policies and procedures. d. Not coerce, discriminate, or retaliate against any person for exercising his or her rights regarding such information or for reporting any alleged violation of the Provider’s privacy policies and procedures.