Common use of Protection of PHI by Business Associate Clause in Contracts

Protection of PHI by Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shall: (1) Not use or further disclose PHI other than as permitted or required by this Agreement or as required by law. Notwithstanding anything contained in this Agreement or any other agreement or understanding between Customer and Business Associate to the contrary, Business Associate shall not further disclose PHI to any third party for purposes other than "treatment," "payment" or "health care operations," as those terms are used and defined within the Privacy Rule, without the prior, written consent of Customer. To the extent Customer's written consent is given to make such disclosures, Business Associate shall: (a) Maintain records of each such disclosure containing, at a minimum, the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure; and (b) Provide, upon request, to Customer or to the individual to whom the PHI relates an accounting of all such disclosures in accordance with 45 C.F.R. § 164.528 and Section 13405(c) of the HITECH Act. Business Associate shall notify Customer promptly, and in any event within ten (10) days of receipt, of any request for an accounting of disclosures by an Individual.
In the event Business Associate discloses PHI to any third party for purposes other than "treatment," "payment" or "health care operations," as those terms are used and defined within the Privacy Rule, Business Associate shall provide prompt notice of the date and purpose of such disclosure as well as the name and address of the recipient, which notice shall be sent to Customer at the address provided in the Service Agreement; (2) Use appropriate, commercially reasonable safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement; (3) Report to Customer any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including without limitation any disclosure of PHI to any unauthorized subcontractor, within ten (10) days of its discovery; (4) Report in writing to Customer any Breach of Unsecured Protected Health Information of which Business Associate becomes aware, without unreasonable delay and in no event more than ten (10) days following discovery of the Breach, with such report to include such information as Customer may require in order to meet its obligations under 45 CFR Part 164, Subpart D, or under applicable state security breach laws, including, without limitation, a description of the Breach, the date of the Breach and of its discovery, the types of information involved, a description of Business Associate's investigation, and Business Associate's mitigation and prevention efforts; (5) Establish procedures for mitigating any deleterious effects of any improper use and/or disclosure of PHI that Business Associate reports to Customer; (6) Ensure that any agents, including any subcontractor, to whom Business Associate provides PHI received from, or created or received by Business Associate on behalf of, Customer agree to the same restrictions and conditions that apply to Business Associate with respect to such information; (7) Make available, upon prior request and during normal business hours, all records, books, agreements, policies and procedures relating to the use and disclosure of PHI to Customer for purposes of enabling Customer to determine Business Associate's compliance with the terms of this Agreement; (8) Use reasonable efforts to limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose of such use, disclosure or request, in accordance with the minimum necessary standard at 45 CFR § 164.502(b) and any guidance issued by the Secretary; and (9) Make its internal practices, books, agreements, policies, procedures and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Customer available to the Secretary of the Department of Health and Human Services, at a time and in the manner designated by Customer, for purposes of determining Customer's compliance with the Privacy Rule, subject to attorney-client and other applicable privileges.

Appears in 1 contract

Samples: Cloud Services Agreement
