Common use of Responsibilities of Business Associate Clause in Contracts

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shall: (a) use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise required by law; (b) report to the privacy officer of Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, within fifteen (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) require all of its subcontractors and agents that receive, use, or have access to, PHI to agree to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to this Agreement; (e) upon fifteen (15) business days' prior written request, make available all internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure of PHI to the Secretary for purposes of determining Covered Entity's compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's PHI in accordance with 45 C.F.R. § 164.528; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526.

Appears in 6 contracts

Samples: Business Associate Agreement (Prospect Medical Holdings Inc), Business Associate Agreement (Prospect Medical Holdings Inc), Business Associate Agreement (Prospect Medical Holdings Inc)


Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shall: (a) use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise Required by Law; (b) report to the privacy officer of Covered Entity, in writing, (i) any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, and (ii) any Breach of unsecured PHI as specified by HITECH, within two (2) business days of Business Associate’s determination of the occurrence of such unauthorized use and/or disclosure. In such event, the Business Associate shall, in consultation with the Covered Entity, mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of such improper use or disclosure. The notification of any Breach of unsecured PHI shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the Breach. (c) use commercially reasonable safeguards to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) obtain and maintain an agreement with all of its subcontractors and agents that receive, use, or have access to, PHI pursuant to which agreement such subcontractors and agents agree to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to this Agreement; (e) upon fifteen (15) business days' prior written request, make available all internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure of PHI to the Secretary for purposes of determining Covered Entity or Business Associate’s compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within ten (10) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 C.F.R. § 164.528, as well as provide an accounting of disclosures, as required by HITECH, directly to an individual provided that the individual has made a request directly to Business Associate for such an accounting. At a minimum, the Business Associate shall provide the Covered Entity with the following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. In the event the request for an accounting is delivered directly to the Business Associate, the Business Associate shall, within two (2) days, forward such request to the Covered Entity. The Business Associate shall implement an appropriate recordkeeping process to enable it to comply with the requirements of this Section; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and; (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon ten (10) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon ten (10) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526; (j) maintain policies and procedures to detect and prevent identity theft in connection with the provision of the Services, to the extent required to comply with the Red Flag Rules; (k) notify the Covered Entity within five (5) days of the Business Associate’s receipt of any request or subpoena for PHI. To the extent that the Covered Entity decides to assume responsibility for challenging the validity of such request, the Business Associate shall cooperate fully with the Covered Entity in such challenge; (l) maintain a formal security program materially in accordance with all applicable data security and privacy laws and industry standards designed to ensure the security and integrity of the Covered Entity’s data and protect against threats or hazards to such security. The Business Associate acknowledges that, as between the Business Associate and the Covered Entity, all PHI shall be and remain the sole property of the Covered Entity.

Appears in 3 contracts

Samples: Mental Health Services Agreement, Mental Health Services Agreement, Standard Agreement

Responsibilities of Business Associate. Except as otherwise specified herein, Business Associate may make any and all uses of Protected Health Information (“PHI”) necessary to perform its obligations under existing contracts and any contracts it may enter into with the Covered Entity from time to time (the “Underlying Contracts”). All other uses not authorized by this Agreement are prohibited. Nothing in this Agreement shall prohibit Business Associate’s disclosure of PHI received from or created or received on behalf of the Covered Entity, to the Covered Entity. With regard to its use and/or disclosure of PHIPHI obtained from Covered Entity, Business Associate shallassociate agrees to: (a) use a. Use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise permitted or required by law;. (b) report b. Use appropriate safeguards to prevent unauthorized use of disclosure of PHI. c. Report to the privacy officer of Covered Entity, in writing, any use and/or or disclosure of the PHI of which Business Associate management becomes aware that is not permitted or required by this Agreement of which Business Associate becomes aware, within fifteen (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure;Agreement. (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) require d. Require all of its subcontractors and agents agent that receive, receive or use, or have access to, PHI under the Underlying Contracts, to agree agree, in writing, to adhere to essentially the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to Section 2.1 of this Agreement;. (e) upon fifteen (15) business days' prior written request, make e. 
Make available all its internal practices, records, books, agreements, policies books and procedures and PHI records relating to the use and/or and disclosure of PHI to the Secretary of HHS for purposes of determining the Covered Entity's ’s compliance with the Privacy Rule;HIPAA. (f) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business f. Within 30 days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity and necessary to permit enable the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's ’s PHI in accordance with 45 C.F.R. § 164.528;HIPAA. (g) subject g. Return to Section 4.4 below, return to the Covered Entity or destroy, within twenty-one (21) business 90 days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose if it is feasible to its subcontractorsdo so. If return or destruction is infeasible, agents or other third partiesBusiness Associate agrees to extend all protections contained in this Agreement to Business Associate’s use and/or disclosure of any retained PHI, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or limit any portion of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access further uses and/or disclosures to the purpose that make the return or destruction of PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. 
§ 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526infeasible.

Appears in 2 contracts

Samples: Business Associate Agreement, Business Associate Agreement

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shall: (a) use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise Required by Law; (b) report to the privacy officer of Covered Entity, in writing, (i) any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, and (ii) any Breach of unsecured PHI as specified by HITECH, within two (2) business days of Business Associate’s determination of the occurrence of such unauthorized use and/or disclosure. In such event, the Business Associate shall, in consultation with the Covered Entity, mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of such improper use or disclosure. The notification of any Breach of unsecured PHI shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the Breach. (c) use commercially reasonable safeguards to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) obtain and maintain an agreement with all of its subcontractors and agents that receive, use, or have access to, PHI pursuant to which agreement such subcontractors and agents agree to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to this Agreement; (e) upon fifteen (15) business days' prior written request, make available all internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure of PHI to the Secretary for purposes of determining Covered Entity or Business Associate’s compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within ten (10) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 C.F.R. § 164.528, as well as provide an accounting of disclosures, as required by HITECH, directly to an individual provided that the individual has made a request directly to Business Associate for such an accounting. At a minimum, the Business Associate shall provide the Covered Entity with the following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and

Appears in 2 contracts

Samples: Professional Services, Professional Services Agreement

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shallagrees to: (a) 3.1 Not use and/or or disclose the PHI only other than as permitted or required by this Agreement the BAA or as otherwise required by law; (b) report 3.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to the privacy officer of Covered Entityelectronic PHI, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, within fifteen (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or or disclosure of such PHI other than as provided hereinfor by the BAA; (d3.3 Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits on behalf of the Plan. Business Associate shall comply with the applicable standards at Subpart C of 45 CFR Part 164; 3.4 Promptly report to the Plan any use or disclosure of PHI not provided for by the BAA of which it becomes aware, including, but not limited to, Breaches or suspected Breaches of unsecured PHI under 45 CFR 164.410, and any Security Incident or suspected Security Incidents of which it becomes aware. Business Associate shall report the improper or unauthorized use or disclosure of PHI within 24 hours to the Plan. Business Associate shall take all reasonable steps to mitigate any harmful effects of such Breach or Security Incident. 
Business Associate shall indemnify the Customer against any losses, damages, expenses or other liabilities including reasonable attorney’s fees incurred as a result of Business Associate’s or its agent’s or Subcontractor’s unauthorized use or disclosure of PHI including, but not limited to, the costs of notifying individuals affected by a Breach; 3.5 In accordance with 45 CFR 164.502(e)(1)(ii) require all of its and 164.308(b)(2), if applicable, ensure that any subcontractors and agents that create, receive, usemaintain, or have access to, transmit PHI to on behalf of the Business Associate agree to adhere to the same restrictions restrictions, conditions, and conditions on the use and/or disclosure of PHI requirements that apply to the Business Associate with respect to such information; 3.6 Make available PHI in a designated record set to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.524; 3.7 Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Plan pursuant to this Agreement45 CFR 164.526, or take other measures as necessary to satisfy the Plan’s obligations under 45 CFR 164.526; (e) 3.8 Forward any requests from a Plan member for access to records maintained in accordance with the BAA as soon as they are received. The Plan will maintain responsibility for making determinations regarding access to records; 3.9 Direct any requests for an amendment from an individual as soon as they are received to the Plan. The Business Associate will incorporate any amendments from the Plan immediately upon fifteen (15) business days' prior written request, direction from the covered entity; 3.10 Maintain and make available all the information required to provide an accounting of disclosures to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.528; 3.11 Forward any requests from a Plan member for an accounting of disclosures maintained in accordance with the BAA as soon as they are received. 
The Plan will maintain responsibility for making determinations regarding the provision of an accounting of disclosures; 3.12 To the extent the Business Associate is to carry out one or more of the Plan's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and 3.13 Make its internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure of PHI records available to the Secretary for purposes of determining Covered Entity's compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's PHI in accordance with 45 C.F.R. § 164.528; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. 
§ 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526HIPAA Rules.

Appears in 1 contract

Samples: Memorandum of Understanding

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shall: (a) use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise Required by Law; (b) report to the privacy officer of Covered Entity, in writing, (i) any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, and (ii) any Breach of unsecured PHI as specified by HITECH, within two (2) business days of Business Associate’s determination of the occurrence of such unauthorized use and/or disclosure. In such event, the Business Associate shall, in consultation with the Covered Entity, mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of such improper use or disclosure. The notification of any Breach of unsecured PHI shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the Breach. (c) use commercially reasonable safeguards to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) obtain and maintain an agreement with all of its subcontractors and agents that receive, use, or have access to, PHI pursuant to which agreement such subcontractors and agents agree to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to this Agreement; (e) upon fifteen (15) business days' prior written request, make available all internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure of PHI to the Secretary for purposes of determining Covered Entity or Business Associate’s compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within ten (10) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 C.F.R. § 164.528; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and; (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon ten (10) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon ten (10) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526; (j) maintain policies and procedures to detect and prevent identity theft in connection with the provision of the Services, to the extent required to comply with the Red Flag Rules; (k) notify the Covered Entity within five (5) days of the Business Associate’s receipt of any request or subpoena for PHI. To the extent that the Covered Entity decides to assume responsibility for challenging the validity of such request, the Business Associate shall cooperate fully with the Covered Entity in such challenge; (l) maintain a formal security program materially in accordance with all applicable data security and privacy laws and industry standards designed to ensure the security and integrity of the Covered Entity’s data and protect against threats or hazards to such security. The Business Associate acknowledges that, as between the Business Associate and the Covered Entity, all PHI shall be and remain the sole property of the Covered Entity.

Appears in 1 contract

Samples: Mental Health Services Agreement

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shall: (a) use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise Required by Law; (b) report to the privacy officer of Covered Entity, in writing, (i) any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, and (ii) any Breach of unsecured PHI as specified by HITECH, within two (2) business days of Business Associate’s determination of the occurrence of such unauthorized use and/or disclosure. In such event, the Business Associate shall, in consultation with the Covered Entity, mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of such improper use or disclosure. The notification of any Breach of unsecured PHI shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the Breach. (c) use commercially reasonable safeguards to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) obtain and maintain an agreement with all of its subcontractors and agents that receive, use, or have access to, PHI pursuant to which agreement such subcontractors and agents agree to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to this Agreement; (e) upon fifteen (15) business days' prior written request, make available all internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure of PHI to the Secretary for purposes of determining Covered Entity or Business Associate’s compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within ten (10) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 C.F.R. § 164.528, as well as provide an accounting of disclosures, as required by HITECH, directly to an individual provided that the individual has made a request directly to Business Associate for such an accounting. At a minimum, the Business Associate shall provide the Covered Entity with the following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and

Appears in 1 contract

Samples: Professional Services

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shallagrees to: (a) 3.1 Not use and/or or disclose the PHI only other than as permitted or required by this Agreement the BAA or as otherwise required by law; (b) report 3.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to the privacy officer of Covered Entityelectronic PHI, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, within fifteen (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or or disclosure of such PHI other than as provided hereinfor by the BAA; (d3.3 Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits on behalf of the Plan. Business Associate shall comply with the applicable standards at Subpart C of 45 CFR Part 164; 3.4 Promptly report to the Plan Privacy and Security Officer any use or disclosure of PHI not provided for by the BAA of which it becomes aware, including, but not limited to, Breaches or suspected Breaches of unsecured PHI under 45 CFR 164.410, and any Security Incident or suspected Security Incidents of which it becomes aware. Business Associate shall report the improper or unauthorized use or disclosure of PHI within 24 hours to the Plan. Business Associate shall take all reasonable steps to mitigate any harmful effects of such Breach or Security Incident. 
Business Associate shall indemnify the Customer against any losses, damages, expenses or other liabilities including reasonable attorney’s fees incurred as a result of Business Associate’s or its agent’s or Subcontractor’s unauthorized use or disclosure of PHI including, but not limited to, the costs of notifying individuals affected by a Breach; 3.5 In accordance with 45 CFR 164.502(e)(1)(ii) require all of its and 164.308(b)(2), if applicable, ensure that any subcontractors and agents that create, receive, usemaintain, or have access to, transmit PHI to on behalf of the Business Associate agree to adhere to the same restrictions restrictions, conditions, and conditions on the use and/or disclosure of PHI requirements that apply to the Business Associate with respect to such information; 3.6 Make available PHI in a designated record set to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.524; 3.7 Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Plan pursuant to this Agreement45 CFR 164.526, or take other measures as necessary to satisfy the Plan’s obligations under 45 CFR 164.526; (e) 3.8 Forward any requests from a Plan member for access to records maintained in accordance with the BAA as soon as they are received and no later than 72 hours after receipt. The Plan will maintain responsibility for making determinations regarding access to records; 3.9 Direct any requests for an amendment from an individual as soon as they are received and no later than 72 hours after receipt to the Plan. 
The Business Associate will incorporate any amendments from the Plan immediately and later than 72 hours after receipt upon fifteen (15) business days' prior written request, direction from the covered entity; 3.10 Maintain and make available all the information required to provide an accounting of disclosures to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.528; 3.11 Forward any requests from a Plan member for an accounting of disclosures maintained in accordance with the BAA as necessary to satisfy the Plan’s obligations under 45 CFR 164.528. The Plan will maintain responsibility for making determinations regarding the provision of an accounting of disclosures; 3.12 To the extent the Business Associate is to carry out one or more of the Plan's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and 3.13 Make its internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure of PHI records available to the Secretary for purposes of determining Covered Entity's compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's PHI in accordance with 45 C.F.R. 
§ 164.528; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526HIPAA Rules.

Appears in 1 contract

Samples: Data Sharing Agreement

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shallagrees to: (a) 2.1 use and/or disclose the PHI only as necessary to provide the Services as permitted or required by this Agreement BAA, or as otherwise required by law;. 2.2 implement and use appropriate administrative, physical and technical safeguards to (bi) report to the privacy officer of Covered Entity, in writing, any prevent use and/or or disclosure of the PHI that is not other than as permitted or required by this Agreement BAA,; (ii) reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity. 2.3 without unreasonable delay, report to Covered Entity (i) any use or disclosure of PHI not provided for by this BAA of which Business Associate it becomes aware, within fifteen including breaches of unsecured PHI; and/or (15ii) business days any security incident of which it becomes aware, except that, for purposes of this reporting requirement the term “Security Incident” does not include inconsequential incidents that occur on a frequent basis such as scans or “pings” that are not allowed past Business Associate's determination of the occurrence of such unauthorized use and/or disclosure;’s firewall. (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) 2.4 require all of its subcontractors and agents Subcontractors that create, receive, usemaintain, or have access totransmit PHI on behalf of Business Associate to agree, PHI to agree to adhere in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant it with respect to this Agreement;such information. 
(e) upon fifteen (15) business days' prior written request, 2.5 make available all its internal practices, records, books, agreements, policies and procedures and PHI records relating to the use and/or and disclosure of PHI to the Secretary for purposes of determining Covered Entity's ’s compliance with the Privacy Rule;Rule at a reasonable time, duration and place. 2.6 document, and within thirty (f30) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business days of after receiving a written request from Covered Entity, provide make available to Covered Entity such Entity, information as is requested by necessary for Covered Entity to permit Covered Entity to respond to a request by an individual for make an accounting of the disclosures of the individual's PHI about an Individual, in accordance with 45 C.F.R. § 164.528;. 2.7 provide access within thirty (g30) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill after receiving a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access Entity to the PHI in a Designated Record Set about an Individual, to Covered Entity, sufficient to allow Covered Entity orto comply with the requirements of 45 C.F.R. § 164.524. 2.8 to the extent that the PHI in its possession constitutes a Designated Record Set, make available, within thirty (30) days after a written request by Covered Entity, PHI for amendment and incorporate any amendments to the PHI as directed by Covered Entity. 
2.9 make reasonable efforts to use, to disclose, and to request only the individual minimum amount of PHI reasonably necessary to whom such PHI relates accomplish the intended purpose of the use, disclosure, or his request, except that Business Associate will not be obligated to comply with this minimum-necessary limitation if neither Business Associate nor Covered Entity is required to limit its use, disclosure, or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the minimum necessary under HIPAA. 2.10 not directly or indirectly receive any remuneration in exchange for PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526or use or disclose PHI for marketing or fundraising purposes.

Appears in 1 contract

Samples: Benefit Account (Non Hsa) Administrative Services Agreement

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHIExcept as otherwise required by law, Business Associate shallshall use PHI in compliance with 45 C.F.R. §164.504(e). To comply with the security and privacy obligations imposed by HIPAA, Business Associate agrees to: (aa. implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by HIPAA. Business Associate acknowledges that pursuant to Section 13401(a) of the HITECH Act, 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 shall apply to Business Associate in the same manner that such sections apply to Covered Entity. b. notify Covered Entity of any successful Security Incident of which Business Associate becomes aware. c. not use and/or or further disclose the PHI only other than as permitted or required by this Agreement Agreement, or as otherwise required by law;. (b) d. use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. e. report to the privacy officer of Covered Entity, in writing, Entity any use and/or or disclosure of the PHI that is not permitted or required provided for by this Agreement of which Business Associate becomes aware, within fifteen and. f. 
ensure that any agents, including a subcontractor, to whom it provides PHI (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) require all of its subcontractors and agents that receive, usereceived from, or have access tocreated or received by Business Associate on behalf of, PHI to agree to adhere Covered Entity) agrees in writing to the same restrictions and conditions on the use and/or or disclosure of PHI that apply to Business Associate pursuant to this Agreement; (e) upon fifteen (15) business days' prior written request, make available all internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure of PHI to the Secretary for purposes of determining Covered Entity's compliance with the Privacy Rule; (f) document disclosures of PHI and information related respect to such disclosure and, within fifteen (15) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's PHI. g. make PHI in accordance with 45 C.F.R. 
§ 164.528; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set available to Covered Entity or, as directed by Covered Entity, to an Individual who is the individual subject of the PHI, to whom such comply with an Individual’s right of access to their PHI relates or his or her authorized representative to meet a request by such individual under in compliance with 45 C.F.R. § 164.524; and (ii§164.524 and Section 13405(e) upon fifteen (15) business days' prior written request from of the HITECH Act. This provision shall be applicable only if Business Associate maintains a Designated Record Set on behalf of Covered Entity, . h. make PHI available to Covered Entity for amendment and incorporate any amendment(s) to the PHI that Covered Entity directs directs, in accordance with 45 C.F.R. §164.526. This provision shall be applicable only if Business Associate has PHI in a Designated Record Set. i. document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528 and Section 13405(c) of the HITECH Act. j. make available to Covered Entity in response to a request from an Individual, the information required to provide an accounting of disclosures of PHI with respect to the Individual in accordance with 45 C.F.R. 
§164.528 and Section 13405(c) of the HITECH Act. k. make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the Department of Health and Human Services or his/her designee (the “Secretary”), in a time and manner designated by the Secretary, for purposes of determining Covered Entity’s compliance with the HIPAA. l. notify Covered Entity following Business Associate’s discovery of a security breach of Unsecured PHI, in accordance with Section 13402 of the HITECH Act. m. refrain from exchanging any PHI with any entity (including Covered Entity) of which Business Associate knows of a pattern of activity or practice that constitutes a material breach or violation of HIPAA, and upon becoming aware of such behavior by an entity with which Business Associate has already exchanged PHI, take reasonable steps to cure the breach or end the violation, as applicable, and if such steps are unsuccessful, terminate the contract or arrangement with such entity, if feasible; or if termination is not feasible, report the problem to the Secretary, in accordance with Section 13404 of the HITECH Act and 45 C.F.R §164.504(e). n. limit the use, disclosure or request for PHI in accordance with Section 13405(b) of the HITECH Act. o. refrain from receiving any remuneration in exchange for any Individual’s PHI unless such exchange (i) is pursuant to 45 C.F.R. § 164.526a valid authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving PHI of that Individual, or (ii) satisfies one of the exceptions enumerated in the HIPAA regulations and specifically Section 13405(d)(2) of the HITECH Act. p. refrain from marketing activities that would violate HIPAA and specifically Section 13406 of the HITECH Act.

Appears in 1 contract

Samples: Healthcare Agreement

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shall: (a) use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise required Required by law;Law; (b) report to the privacy officer of Covered Entity, in writing, (i) any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, and (ii) any Breach of unsecured PHI as specified by HITECH, within fifteen two (152) business days of Business Associate's ’s determination of the occurrence of such unauthorized use and/or disclosure;. In such event, the Business Associate shall, in consultation with the Covered Entity, mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of such improper use or disclosure. The notification of any Breach of unsecured PHI shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the Breach. 
(c) use commercially reasonable efforts safeguards to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) require obtain and maintain an agreement with all of its subcontractors and agents that receive, use, or have access to, PHI pursuant to which agreement such subcontractors and agents agree to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to this Agreement; (e) upon fifteen (15) business days' prior written request, make available all internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure of PHI to the Secretary for purposes of determining Covered Entity's Entity or Business Associate’s compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within fifteen ten (1510) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's ’s PHI in accordance with 45 C.F.R. § 164.528; (g) subject , as well as provide an accounting of disclosures, as required by HITECH, directly to Section 4.4 belowan individual provided that the individual has made a request directly to Business Associate for such an accounting. 
At a minimum, return to the Business Associate shall provide the Covered Entity within twenty-one (21) business days of with the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI, and if all known, the address of such entity or any portion person; (iii) a brief description of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524disclosed; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526.

Appears in 1 contract

Samples: Professional Services

Responsibilities of Business Associate. With regard to its use and/or disclosure handling of PHIProtected Health Information, the Business Associate shallhereby agrees to do the following: (a) use and/or disclose 3.1 Possess, for the PHI sole purpose of destroying by shredding, the Protected Health Information only as permitted or required by the Service Agreement, this Agreement or as otherwise required by law; (b) 3.2 Immediately report to the Company privacy officer of Covered Entityofficer, in writing, any other use and/or disclosure of the PHI Protected Health Information that is not permitted or required by this Agreement of which Business Associate becomes aware, within fifteen (15) business days of aware upon the Business Associate's determination of the occurrence ’s discovery of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts 3.3 Use appropriate safeguards to maintain the security of the PHI Protected Health Information and to prevent unauthorized use and/or disclosure of such PHI other than as provided hereinProtected Health Information; (d) require 3.4 Require all of its employees, representatives, subcontractors and or agents that receive, use, receive or have access to, PHI to Protected Health Information under this Agreement to agree in writing to adhere to the same restrictions and conditions on the use and/or disclosure of PHI Protected Health Information that apply herein, including the obligation to Business Associate pursuant return or destroy the Protected Health Information as hereinafter provided. 
3.5 Make available, to this Agreement; (e) upon fifteen (15) business days' prior written requestthe Secretary of HHS, make available all internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure document destruction services provided by Business Associate in the services provided to The Company involving the handling and distraction of PHI to the Secretary Protected Health Information for purposes of determining Covered Entity's the Company’s compliance with the Privacy RuleRules, subject to attorney-client and other applicable legal privileges. 3.6 Make available, during normal business hours, at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use, destruction, and/or disclosure of Protected Health Information that is subject to this Agreement, to the Company within thirty (30) days of The Company's written request, for the purpose of enabling the Company to verify the Business Associate’s compliance with the terms of this Agreement; 3.7 Within thirty (f30) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business days of receiving a written request from Covered EntityThe Company, provide to Covered Entity the Company such information as is requested by Covered Entity The Company to permit Covered Entity the Company to respond to a any request by an individual for an accounting of the for any disclosures of the an individual's PHI ’s Protected Health Information in accordance with 45 C.F.R. 
§ §164.526 and §164.528; (g) subject 3.8 Return to Section 4.4 belowthe Company or immediately destroy, return as requested by the Company, any Protected Health Information provided to Covered Entity within twenty-one (21) business days Business Associate, that is in Business Associate’s possession on the date of the termination of this Agreement, the PHI in its possession such request and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all 3.9 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of an unauthorized use or any portion disclosure of Protected Health Information by Business Associate in violation of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to requirements of this Agreement or the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526Service Agreement.

Appears in 1 contract

Samples: Business Associate Agreement

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shallagrees to: (a) 3.1 Not use and/or or disclose the PHI only or other confidential information other than as permitted or required by this Agreement the BAA or as otherwise required by law; (b) report 3.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to the privacy officer of Covered Entityelectronic PHI, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, within fifteen (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or or disclosure of such PHI other than as provided hereinfor by the BAA; 3.3 Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits on behalf of the Plan. Business Associate shall comply with the applicable standards at Subpart C of 45 CFR Part 164. 
Such safeguards shall be based on applicable Federal Information Processing Standards (dFIPS) require Publication 199 protection levels; 3.4 Identify the security official who is responsible for the development and implementation of the policies and procedures required by 45 CFR Part 164, Subpart C; 3.5 Shall, at a minimum, utilize an industry-recognized security framework when selecting and implementing its security controls, and shall maintain continuous compliance with its selected framework; 3.6 Apply security patches and upgrades, and keep virus software up-to-date, on all systems on which PHI and other confidential information may be used; 3.7 Employ FIPS 140-2 compliant encryption of PHI at rest and in motion unless Business Associate determines it is not reasonable and appropriate to do so based upon a risk assessment, and equivalent alternative measures are in place and documented as such. In addition, Business Associate shall maintain, at a minimum, the most current industry standards for transmission and storage of PHI and other confidential information; 3.8 Immediately report to the Plan any use or disclosure of PHI not provided for by the BAA of which it becomes aware, including, but not limited to, Breaches or suspected Breaches of unsecured PHI under 45 CFR 164.410, and any Security Incident or suspected Security Incidents of PHI or confidential information which it becomes aware. Business Associate shall report the improper or unauthorized use or disclosure of PHI or potential loss of confidential information within 24 hours to the Plan. Business Associate shall immediately investigate any suspected Security Incident or Breach. Business Associate shall provide Covered Entity with all requested information so Covered Entity may comply with its subcontractors reporting obligations to DHCS per the Medi-Cal Contract and agents all required Breach notifications. 
Business Associate shall mitigate, to the extent practicable, any harmful effects that is known to Business Associate of such Breach or Security Incident of PHI or other confidential information in violation of this BAA. Business Associate shall indemnify Covered Entity against any losses, damages, expenses or other liabilities including reasonable attorney’s fees incurred as a result of Business Associate’s or its agent’s or Subcontractor’s unauthorized use or disclosure of PHI including, but not limited to, the costs of notifying individuals affected by a Breach; 3.9 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors, agents, vendors, or others that create, receive, usemaintain, or have access to, transmit PHI to and/or confidential information on behalf of the Business Associate agree to adhere to the same restrictions restrictions, conditions, and conditions on the use and/or disclosure of PHI requirements that apply to the Business Associate with respect to such information; 3.10 Make available PHI in a designated record set to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.524; 3.11 Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Plan pursuant to this Agreement45 CFR 164.526, or take other measures as necessary to satisfy the Plan’s obligations under 45 CFR 164.526; (e) 3.12 Forward any requests from a Plan member for access to records maintained in accordance with the BAA as soon as they are received. The Plan will maintain responsibility for making determinations regarding access to records; 3.13 Direct any requests for an amendment from an individual as soon as they are received to the Plan. 
The Business Associate will incorporate any amendments from the Plan immediately upon fifteen (15) business days' prior written request, direction from the covered entity; 3.14 Maintain and make available all the information required to provide an accounting of disclosures to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.528; 3.15 Forward any requests from a Plan member for an accounting of disclosures maintained in accordance with the BAA as soon as they are received. The Plan will maintain responsibility for making determinations regarding the provision of an accounting of disclosures; 3.16 To the extent the Business Associate is to carry out one or more of the Plan's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); 3.17 Make its internal practices, records, books, agreementsand records available to Covered Entity, policies the Secretary, and procedures and PHI relating to the use and/or disclosure of PHI to the Secretary DHCS upon reasonable request for purposes of determining Covered Entity's compliance with the Privacy RuleHIPAA Rules. Make its facilities and systems available to DHCS to monitor compliance with the Medi-Cal Contract; 3.18 Ensure that all members of its Workforce with access to PHI and/or other confidential information sign a confidentiality statement prior to access to such data. The confidentiality statement must be renewed annually; 3.19 Agree to comply with DHCS’s monitoring provisions contained in the Medi-Cal Contract; 3.20 Agree to comply with the more protective of the privacy and security standards defined herein as Privacy Rules. 
Therefore, to the extent other applicable state laws or federal laws provide a greater degree of protection and security than HIPAA or are more favorable to the individuals whose information is concerned, Business Associate shall comply with the more protective applicable privacy and security standards. Business Associate shall treat any violation of the more protective standards as a Breach or Security Incident pursuant to Section 3.8 herein; 3.21 In the event Business Associate received data from Covered Entity that was verified by or provided by Social Security Administration (f“SSA”) document disclosures and is subject to an agreement between DHCS and SSA, upon request, Business Associate shall provide Covered Entity with a list of PHI all employees and information agents who have access to such data, including employees and agents of its agents, so that Covered Entity can submit this list to DHCS. Business Associate shall notify Covered Entity immediately upon the discovery of a suspected breach or security incident that involves SSA data; 3.22 Shall promptly report to Covered Entity if Business Associate is the subject of any audit, compliance review, investigation, or any proceeding that is related to such disclosure the performance of its obligations pursuant to the Agreement, so Covered Entity can to report this information to DHCS per the Medi-Cal Contract; 3.23 Shall promptly report to Covered Entity if Business Associate is the subject of any judicial or administrative proceeding alleging a violation of HIPAA, Business Associate shall report this to Covered Entity unless it is legally prohibited from doing so. 
Covered Entity is then required to report this information to DHCS per the Medi-Cal Contract; and 3.24 Shall make itself, within fifteen (15) business days and any subcontractors, employees or agents assisting Business Associate in the performance of receiving a written request from its obligations under the Agreement, available to Covered Entity, provide to Covered Entity such information testify as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting witnesses, or otherwise, in the event of the disclosures of the individual's PHI in accordance with 45 C.F.R. § 164.528; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents litigation or other third parties, and request from administrative proceedings commenced against DHCS or Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required their directors, officers or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526employees.

Appears in 1 contract

Samples: Memorandum of Understanding

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate shallhereby agrees to do the following: (a) use 2.3.1 Use and/or disclose the PHI only as permitted or required by this Agreement Addendum, HIPAA and HIPAA Rules, or as otherwise required by law; (b) report to the privacy officer of Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which law. Business Associate becomes awareagrees that it will not use or disclose PHI in any manner that violates federal law, within fifteen (15) business days including but not limited to HIPAA and any regulations enacted pursuant to its provisions, or applicable provisions of Washington State law. The Business Associate's determination of Associate agrees that it is subject to and directly responsible for full compliance with the occurrence of such unauthorized use and/or disclosure;Privacy Rule that applies to the Business Associate to the same extent as the Covered Entity. (c) use 2.3.2 Use commercially reasonable efforts to maintain the security of the PHI and to prevent unauthorized use and/or disclosure of such PHI, including, but not limited to the following: 2.3.3 Business Associate shall apply the HIPAA Minimum Necessary standard to any use or disclosure of PHI other than as provided herein;necessary to achieve the purposes of the Underlying Agreement. See 45 (d) require 2.3.4 Require all of its employees, representatives, subcontractors and agents that create, receive, usemaintain, or transmit PHI or use or have access to, to PHI under the Underlying Agreement to agree in writing to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply herein, including the obligation to Business Associate pursuant to return or destroy the PHI if feasible, as provided under Sections 5.4 and 5.5 of this Agreement;Addendum. 
(e) upon fifteen (15) business days' prior written request, make available all internal practices, records, books, agreements, policies and procedures and PHI relating 2.3.5 Promptly report to the designated privacy officer of the Covered Entity, any use and/or disclosure of the PHI to that is not permitted or required by this Addendum by telephoning the Secretary privacy officer within twenty-four (24) hours of becoming aware of it, and providing a written report of the unauthorized disclosure within five (5) business days. The name and contact information for purposes of determining the Covered Entity's compliance with privacy officer is: 2.3.6 Mitigate, to the Privacy Ruleextent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Addendum or the law. 2.3.7 Within twenty-four (24) hours of the discovery of a breach as defined at 45 C.F.R. § a. the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, used, or disclosed during such breach; (f) document disclosures b. a brief description of PHI and information related to such disclosure andwhat happened, within fifteen (15) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting including the date of the disclosures breach and the date of the individual's PHI in accordance with 45 C.F.R. 
§ 164.528; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days discovery of the termination of this Agreementbreach, the PHI in its possession and retain no copies, including backup copiesif known; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526.

Appears in 1 contract

Samples: Professional Services

Responsibilities of Business Associate. 2.1 Except as otherwise specified herein, Business Associate may make any and all uses and disclosures of PHI necessary to perform its obligations under the Underlying Agreement. With regard to its use and/or disclosure of PHI, Business Associate shall: agrees to: (a) use and/or disclose the PHI only as permitted or required by this B.A. Agreement or as otherwise required by law; ; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as permitted or required by this B.A. Agreement; (c) report to the privacy officer of Covered Entity, in writing, Entity any use and/or or disclosure of the PHI of which it becomes aware that is not permitted or required by this Agreement of which Business Associate becomes aware, within fifteen (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; B.A. 
Agreement; (d) require all of its subcontractors and agents that create, receive, use, disclose or have access to, to PHI to agree to adhere agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to this Agreement; Associate; (e) upon fifteen (15) business days' prior written request, make available all its internal practices, records, books, agreements, policies and procedures and PHI records relating to the use and/or and disclosure of PHI to the Secretary of the Department of Health and Human Services ("HHS") for purposes of determining Covered Entity's compliance with the Privacy Rule; ; (f) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business 45 days of receiving a written request from Covered Entity, provide to Covered Entity such make available information as is requested by necessary for Covered Entity to permit Covered Entity to respond to a request by an individual for make an accounting of the disclosures of the PHI about an individual's PHI in accordance with 45 C.F.R. § 164.528; ; and (g) subject mitigate, to Section 4.4 belowthe extent practicable, return any harmful effect that is known to Covered Entity within twenty-one (21) business days Business Associate of a use or disclosure of PHI by Business Associate in violation of the termination requirements of this B.A. Agreement, . 2.2 The Parties agree that the PHI in its Business Associate's possession and retain no copies, including backup copies; (h) disclose constitutes a Designated Record Set. 
With regard to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Set: , Business Associate agrees to: (ia) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in within 25 days of receiving a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make available PHI necessary for Covered Entity to respond to individuals' requests for access to PHI about them; and (b) within 45 days of receiving a written request from Covered Entity, incorporate any amendment(s) amendments or corrections to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526in accordance with the Privacy Regulation.

Appears in 1 contract

Samples: End User License and Service Use Agreement

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shall: (a) use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise required Required by law;Law; (b) report to the privacy officer of Covered Entity, in writing, (i) any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, and (ii) any Breach of unsecured PHI as specified by HITECH, within fifteen two (152) business days of Business Associate's ’s determination of the occurrence of such unauthorized use and/or disclosure;. In such event, the Business Associate shall, in consultation with the Covered Entity, mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of such improper use or disclosure. The notification of any Breach of unsecured PHI shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the Breach.
(c) use commercially reasonable efforts safeguards to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) require obtain and maintain an agreement with all of its subcontractors and agents that receive, use, or have access to, PHI pursuant to which agreement such subcontractors and agents agree to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to this Agreement; (e) upon fifteen (15) business days' prior written request, make available all internal practices, records, books, agreements, policies and procedures and PHI relating to the use and/or disclosure of PHI to the Secretary for purposes of determining Covered Entity's Entity or Business Associate’s compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within fifteen ten (1510) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's ’s PHI in accordance with 45 C.F.R. § 164.528; (g) subject , as well as provide an accounting of disclosures, as required by HITECH, directly to Section 4.4 belowan individual provided that the individual has made a request directly to Business Associate for such an accounting. 
At a minimum, return to the Business Associate shall provide the Covered Entity within twenty-one (21) business days of with the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI, and if all known, the address of such entity or any portion person; (iii) a brief description of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524disclosed; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526.

Appears in 1 contract

Samples: Professional Services

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shallagrees to: (a) 3.1 Not use and/or or disclose the PHI only or other confidential information other than as permitted or required by this Agreement the BAA or as otherwise required by law; (b) report 3.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to the privacy officer of Covered Entityelectronic PHI, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, within fifteen (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or or disclosure of such PHI other than as provided hereinfor by the BAA; 3.3 Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits on behalf of the Plan. Business Associate shall comply with the applicable standards at Subpart C of 45 CFR Part 164. 
Such safeguards shall be based on applicable Federal Information Processing Standards (dFIPS) require Publication 199 protection levels; 3.4 Identify the security official who is responsible for the development and implementation of the policies and procedures required by 45 CFR Part 164, Subpart C; 3.5 Shall, at a minimum, utilize an industry-recognized security framework when selecting and implementing its security controls, and shall maintain continuous compliance with its selected framework; 3.6 Apply security patches and upgrades, and keep virus software up-to-date, on all systems on which PHI and other confidential information may be used; 3.7 Employ FIPS 140-2 compliant encryption of PHI at rest and in motion unless Business Associate determines it is not reasonable and appropriate to do so based upon a risk assessment, and equivalent alternative measures are in place and documented as such. In addition, Business Associate shall maintain, at a minimum, the most current industry standards for transmission and storage of PHI and other confidential information; 3.8 Immediately report to the Plan any use or disclosure of PHI not provided for by the BAA of which it becomes aware, including, but not limited to, Breaches or suspected Breaches of unsecured PHI under 45 CFR 164.410, and any Security Incident or suspected Security Incidents of PHI or confidential information which it becomes aware. Business Associate shall report the improper or unauthorized use or disclosure of PHI or potential loss of confidential information within 24 hours to the Plan. Business Associate shall immediately investigate any suspected Security Incident or Breach. Business Associate shall provide Covered Entity with all requested information so Covered Entity may comply with its subcontractors reporting obligations to DHCS per the Medi-Cal Contract and agents all required Breach notifications. 
Business Associate shall mitigate, to the extent practicable, any harmful effects that is known to Business Associate of such Breach or Security Incident of PHI or other confidential information in violation of this BAA. Business Associate shall indemnify Covered Entity against any losses, damages, expenses or other liabilities including reasonable attorney’s fees incurred as a result of Business Associate’s or its agent’s or Subcontractor’s unauthorized use or disclosure of PHI including, but not limited to, the costs of notifying individuals affected by a Breach; 3.9 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors, agents, vendors, or others that create, receive, usemaintain, or have access to, transmit PHI to and/or confidential information on behalf of the Business Associate agree to adhere to the same restrictions restrictions, conditions, and conditions on the use and/or disclosure of PHI requirements that apply to the Business Associate with respect to such information; 3.10 Make available PHI in a designated record set to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.524; 3.11 Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Plan pursuant to this Agreement45 CFR 164.526, or take other measures as necessary to satisfy the Plan’s obligations under 45 CFR 164.526; (e) 3.12 Forward any requests from a Plan member for access to records maintained in accordance with the BAA as soon as they are received. The Plan will maintain responsibility for making determinations regarding access to records; 3.13 Direct any requests for an amendment from an individual as soon as they are received to the Plan. 
The Business Associate will incorporate any amendments from the Plan immediately upon fifteen (15) business days' prior written request, direction from the covered entity; 3.14 Maintain and make available all the information required to provide an accounting of disclosures to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.528; 3.15 Forward any requests from a Plan member for an accounting of disclosures maintained in accordance with the BAA as soon as they are received. The Plan will maintain responsibility for making determinations regarding the provision of an accounting of disclosures; 3.16 To the extent the Business Associate is to carry out one or more of the Plan's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); 3.17 Make its internal practices, records, books, agreementsand records available to Covered Entity, policies the Secretary, and procedures and PHI relating to the use and/or disclosure of PHI to the Secretary DHCS upon reasonable request for purposes of determining Covered Entity's compliance with the Privacy RuleHIPAA Rules. Make its facilities and systems available to DHCS to monitor compliance with the Medi-Cal Contract; 3.18 Ensure that all members of its Workforce with access to PHI and/or other confidential information sign a confidentiality statement prior to access to such data. The confidentiality statement must be renewed annually; 3.19 Agree to comply with DHCS’s monitoring provisions contained in the Medi-Cal Contract; 3.20 Agree to comply with the more protective of the privacy and security standards defined herein as Privacy Rules. 
Therefore, to the extent other applicable state laws or federal laws provide a greater degree of protection and security than HIPAA or are more favorable to the individuals whose information is concerned, Business Associate shall comply with the more protective applicable privacy and security standards. Business Associate shall treat any violation of the more protective standards as a Breach or Security Incident pursuant to Section 3.8 herein; 3.21 In the event Business Associate received data from Covered Entity that was verified by or provided by Social Security Administration (f“SSA”) document disclosures and is subject to an agreement between DHCS and SSA, upon request, Business Associate shall provide Covered Entity with a list of PHI all employees and information agents who have access to such data, including employees and agents of its agents, so that Covered Entity can submit this list to DHCS. Business Associate shall notify Covered Entity immediately upon the discovery of a suspected breach or security incident that involves SSA data; 3.22 Shall promptly report to Covered Entity if Business Associate is the subject of any audit, compliance review, investigation, or any proceeding that is related to such disclosure the performance of its obligations pursuant to the Agreement, so Covered Entity can to report this information to DHCS per the Medi-Cal Contract; 3.23 Shall promptly report to Covered Entity if Business Associate is the subject of any judicial or administrative proceeding alleging a violation of HIPAA, Business Associate shall report this to Covered Entity unless it is legally prohibited from doing so. 
Covered Entity is then required to report this information to DHCS per the Medi-Cal Contract; and 3.24 Shall make itself, within fifteen (15) business days and any subcontractors, employees or agents assisting Business Associate in the performance of receiving a written request from its obligations under the Agreement, available to Covered Entity, provide to Covered Entity such information testify as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting witnesses, or otherwise, in the event of the disclosures of the individual's PHI in accordance with 45 C.F.R. § 164.528; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents litigation or other third parties, and request from administrative proceedings commenced against DHCS or Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required their directors, officers or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526employees.

Appears in 1 contract

Samples: Memorandum of Understanding

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shallagrees to: (a) 2.1 not use and/or further disclose PHI except as necessary to provide the PHI only Services, as permitted or required by this Agreement BAA and/or the Agreement, and in compliance with each applicable requirement of 45 C.F.R. 164.504(e), or as otherwise required Required by law;Law; provided that, to the extent Business Associate is to carry out Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of those obligations. 2.2 implement and use appropriate administrative, physical and technical safeguards and as of the Compliance Date comply with applicable Security Rule requirements with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA and/or Agreement. 2.3 without unreasonable delay and within five (b5) business days of discovery, report to the privacy officer of Covered Entity, in writing, : (i) any use and/or or disclosure of the PHI that is not permitted or required provided for by this Agreement BAA and/or Agreement, of which it becomes aware in accordance with 45 C.F.R. 164.504(e)(2)(ii)(C); and/or (ii) any Security Incident of which Business Associate becomes awareaware in accordance with 45 C.F.R. 164.314(a)(2)(i)(C). 2.4 with respect to any use or disclosure of Unsecured PHI not permitted by the Privacy Rule that is caused solely by Business Associate’s failure to comply with one or more of its obligations under this BAA, within fifteen Covered Entity hereby delegates to Business Associate the responsibility for determining when any such incident is a Breach and for providing all legally required notifications to Individuals, HHS and/or the media, on behalf of Covered Entity. 
Business Associate shall provide these notifications in accordance with the notification requirements set forth in the Breach Rule, and shall pay for the reasonable and actual costs associated with those notifications and/or resulting from any Breach. In the event of a Breach, without unreasonable delay, and in any event no later than sixty (1560) business calendar days after Discovery, Business Associate shall provide Covered Entity with written notification in accordance with 45 C.F.R. 164.410 that includes a description of the Breach, a list of Individuals (unless Covered Entity is a plan sponsor ineligible to receive PHI) and, in the event the delegation set forth above has been triggered, a copy of the template notification letter to be sent to Individuals. 2.5 in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 45 C.F.R. 164.308(b)(2), ensure that any subcontractors of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein; (d) require all of its subcontractors and agents Associate that create, receive, usemaintain or transmit PHI on behalf of Business Associate agree, or have access toin writing, PHI to agree to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant with respect to this Agreement;that PHI, including complying with the applicable Security Rule requirements with respect to ePHI. (e) upon fifteen (15) business days' prior written request, 2.6 make available all its internal practices, records, books, agreements, policies books and procedures and PHI records relating to the use and/or and disclosure of PHI to the Secretary for purposes of determining Covered Entity's ’s compliance with the Privacy Rule;. 
2.7 document, and within thirty (f30) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business days of after receiving a written request from Covered EntityEntity or an Individual, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for make available an accounting of the disclosures of PHI about the individual's PHI Individual, in accordance with 45 C.F.R. § 164.528; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is . If records are maintained in electronic form, Business Associate will account for all disclosures for at least a Designated Record Set:three (3) year period. 2.8 provide access, within twenty (i20) upon fifteen (15) business days' prior days after receiving a written request from Covered EntityEntity or an Individual, provide access to the PHI in a Designated Record Set about an Individual, in accordance with the requirements of 45 C.F.R. 164.524 including as of the Compliance Date, providing or sending a copy to Covered Entity ora designated third party and providing or sending a copy in electronic format. 2.9 to the extent that the PHI in Business Associate’s possession constitutes a Designated Record Set, as directed make available, within thirty (30) days after a written request by Covered Entity, PHI for amendment and incorporate any amendments to the individual to whom such PHI relates or his or her authorized representative to meet a request PHI, as requested by such individual under 45 C.F.R. 
§ 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to all in accordance with 45 C.F.R. § 164.526. 2.10 maintain at all times during the term of the Agreement Errors and Omissions Coverage with a coverage limit not less than five million dollars and containing a Privacy and Security Liability endorsement.

Appears in 1 contract

Samples: Business Associate Agreement

Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate shallhereby agrees to do the following: (a) use 2.3.1 Use and/or disclose the PHI only as permitted or required by this Agreement Addendum, HIPAA and HIPAA Rules, or as otherwise required by law; (b) report to the privacy officer of Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which law. Business Associate becomes awareagrees that it will not use or disclose PHI in any manner that violates federal law, within fifteen (15) business days including but not limited to HIPAA and any regulations enacted pursuant to its provisions, or applicable provisions of Washington State law. The Business Associate's determination of Associate agrees that it is subject to and directly responsible for full compliance with the occurrence of such unauthorized use and/or disclosure;Privacy Rule that applies to the Business Associate to the same extent as the Covered Entity. (c) use 2.3.2 Use commercially reasonable efforts to maintain the security of the PHI and to prevent unauthorized use and/or disclosure of such PHI, including, but not limited to the following: 2.3.3 Business Associate shall apply the HIPAA Minimum Necessary standard to any use or disclosure of PHI other than as provided herein;necessary to achieve the purposes of the Underlying Agreement. See 45 (d) require 2.3.4 Require all of its employees, representatives, subcontractors and agents that create, receive, usemaintain, or transmit PHI or use or have access to, to PHI under the Underlying Agreement to agree in writing to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply herein, including the obligation to Business Associate pursuant to return or destroy the PHI if feasible, as provided under Sections 5.4 and 5.5 of this Agreement;Addendum. 
(e) upon fifteen (15) business days' prior written request, make available all internal practices, records, books, agreements, policies and procedures and PHI relating 2.3.5 Promptly report to the designated privacy officer of the Covered Entity, any use and/or disclosure of the PHI to that is not permitted or required by this Addendum by telephoning the Secretary privacy officer within twenty-four (24) hours of becoming aware of it, and providing a written report of the unauthorized disclosure within five (5) business days. The name and contact information for purposes of determining the Covered Entity's compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's PHI in accordance with 45 C.F.R. § 164.528; (g) subject to Section 4.4 below, return to Covered Entity within twenty-one (21) business days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Setprivacy officer is: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. 
§ 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make any amendment(s) to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526.

Appears in 1 contract

Samples: Professional Services Agreement

Responsibilities of Business Associate. With regard to its use Use and/or disclosure Disclosure of PHI, Business Associate shallagrees to be responsible for and to: (a) use and/or and disclose the PHI only as necessary to provide the services, specifically as permitted or required by the Agreement and this B.A. Agreement in compliance with each applicable requirement of 45 C.F.R. §164.504(e) or as otherwise required by law; (b) report implement and use appropriate technical, physical and administrative safeguards to the privacy officer (i) prevent Use and Disclosure of Covered Entity, in writing, any use and/or disclosure of the PHI that is not other than as permitted or required by this Agreement B.A. Agreement; and (ii) reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that it maintains or transmits on behalf of the Covered Entity; (c) use and disclose PHI in its possession for its proper management and administration or to carry out the legal and educational responsibilities of Business Associate, provided that any third party or Subcontractor to which Business Associates discloses PHI for those purposes provides written assurances in advance that: (i) the information will be held confidentially and used or further disclosed only as Required by Law; (ii) the information will be used only for the purpose for which it was disclosed to the third party or Subcontractor; (iii) the third party or Subcontractor will immediately notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached; and (iv) the third party or Subcontractor agrees to the same restrictions, safeguards and conditions on the Use and Disclosure of PHI that apply to Business Associate; (d) report within twenty-four (24) hours to Covered Entity; (i) any Use or Disclosure of PHI of which it becomes aware that is not permitted by this B.A. 
Agreement; and/or (ii) any Security Incident of which Business Associate becomes aware, within fifteen (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (ce) use commercially reasonable efforts to maintain the security without unreasonable delay and in no case later than twenty-four (24) hours after discovery, Business Associate shall notify Covered Entity of the a Breach of any Unsecured PHI and to prevent use and/or disclosure in the event of such PHI other than as provided hereinBreach, Covered Entity shall determine the appropriate Party to provide any necessary breach notification; (df) require all of its subcontractors and agents workforce that create, receive, usemaintain, or have access to, transmit PHI to agree to adhere to the same restrictions and conditions on the use and/or disclosure Use and Disclosure of PHI that apply to Business Associate pursuant to this AgreementAssociate; (eg) upon fifteen (15) business days' prior written request, make available all its internal practices, records, books, agreements, policies and procedures and PHI records relating to the use and/or disclosure Use and Disclosure of PHI to the Secretary for purposes of determining Covered Entity's ’s compliance with the Privacy RuleHIPAA Rules; (fh) document disclosures mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI and information related by Business Associate that is not permitted by the requirements of this B.A. Agreement; (i) provide reasonable access (at the request of the Covered Entity) to such disclosure andPHI in a Designated Record Set, to Covered Entity in accordance with 45 C.F.R. §164.524; (j) make any amendments(s) to PHI in a Designated Record Set as directed, obligated, or agreed to by Covered Entity pursuant to 45 C.F.R. 
§164.526; (k) within fifteen thirty (1530) business days of after receiving a written request from Covered Entity, provide to Covered Entity such make available information as is requested by necessary for Covered Entity to permit Covered Entity to respond to a request by an individual for make an accounting of the disclosures of the individual's PHI about an individual as provided in accordance with 45 C.F.R. § §164.528; (gl) subject to Section 4.4 belowin the event that Business Associate in connection with the services uses or maintains an electronic health record of information of or about an individual, return to Covered Entity within twenty-one then Business Associate shall provide an electronic copy (21) business days at the request of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in a Designated Record Set: (i) upon fifteen (15) business days' prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such or the individual’s designee; (m) not directly or indirectly receive remuneration in exchange for any PHI relates or his or her authorized representative to meet a request by such individual under in compliance with 45 C.F.R. § 164.524§164.508; and (iin) upon fifteen (15) business days' prior written request from Covered Entity, not make or cause to be made any amendment(s) to the PHI communication about a product or service that Covered Entity directs pursuant to 45 C.F.R. § 164.526is prohibited by 42 U.S.C. §17936(a).

Appears in 1 contract

Samples: Hipaa Business Associate Agreement

Responsibilities of Business Associate. [Required provisions] 2.1 Except as otherwise specified herein, Business Associate may make any and all uses and disclosures of PHI necessary to perform [OPTION 1 its obligations under the Underlying Agreement.] [OPTION 2 the functions and provide the services set forth above.] With regard to its use and/or disclosure of PHI, Business Associate shallagrees to: (a) use and/or disclose the PHI only as permitted or required by this B.A. Agreement or as otherwise required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as permitted or required by this B.A. Agreement; (c) report to the privacy officer of Covered Entity, in writing, Entity any use and/or or disclosure of the PHI of which it becomes aware that is not permitted or required by this Agreement of which Business Associate becomes aware, within fifteen (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided hereinB.A. 
Agreement; (d) require all of its subcontractors and agents that create, receive, use, disclose or have access to, to PHI to agree to adhere agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to this AgreementAssociate; (e) upon fifteen (15) business days' prior written request, make available all its internal practices, records, books, agreements, policies and procedures and PHI records relating to the use and/or and disclosure of PHI to the Secretary of the Department of Health and Human Services (“HHS”) for purposes of determining Covered Entity's ’s compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business days [Must be less than 60 days] of receiving a written request from Covered Entity, provide to Covered Entity such make available information as is requested by necessary for Covered Entity to permit Covered Entity to respond to a request by an individual for make an accounting of the disclosures of the PHI about an individual's PHI in accordance with 45 C.F.R. § 164.528;; and (g) subject mitigate, to Section 4.4 belowthe extent practicable, return any harmful effect that is known to Covered Entity within twenty-one (21) business days Business Associate of a use or disclosure of PHI by Business Associate in violation of the termination requirements of this B.A. Agreement, . 2.2 [Option A: The Parties agree that the PHI information in its Business Associate’s possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in does not constitute a Designated Record Set:.] 
(ia) upon fifteen (15) business within days [Must be less than 30 days' prior written request from Covered Entity, provide access to the PHI in ] of receiving a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make available PHI necessary for Covered Entity to respond to individuals’ requests for access to PHI about them; and (b) within days [Must be less than 60 days] of receiving a written request from Covered Entity, incorporate any amendment(s) amendments or corrections to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526in accordance with the Privacy Regulation.]

Appears in 1 contract

Samples: Business Associate Agreement

Responsibilities of Business Associate. [Required provisions] 2.1 Except as otherwise specified herein, Business Associate may make any and all uses and disclosures of PHI necessary to perform [OPTION 1 its obligations under the Underlying Agreement.] [OPTION 2 the functions and provide the services set forth above.] With regard to its use and/or disclosure of PHI, Business Associate shallagrees to: (a) use and/or disclose the PHI only as permitted or required by this B.A. Agreement or as otherwise required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as permitted or required by this B.A. Agreement; (c) report to the privacy officer of Covered Entity, in writing, Entity any use and/or or disclosure of the PHI of which it becomes aware that is not permitted or required by this Agreement of which Business Associate becomes aware, within fifteen (15) business days of Business Associate's determination of the occurrence of such unauthorized use and/or disclosure; (c) use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided hereinB.A. 
Agreement; (d) require all of its subcontractors and agents that create, receive, use, disclose or have access to, to PHI to agree to adhere agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Business Associate pursuant to this AgreementAssociate; (e) upon fifteen (15) business days' prior written request, make available all its internal practices, records, books, agreements, policies and procedures and PHI records relating to the use and/or and disclosure of PHI to the Secretary of the Department of Health and Human Services (“HHS”) for purposes of determining Covered Entity's ’s compliance with the Privacy Rule; (f) document disclosures of PHI and information related to such disclosure and, within fifteen (15) business days [Must be less than 60 days] of receiving a written request from Covered Entity, provide to Covered Entity such make available information as is requested by necessary for Covered Entity to permit Covered Entity to respond to a request by an individual for make an accounting of the disclosures of the PHI about an individual's PHI in accordance with 45 C.F.R. § 164.528;; and (g) subject mitigate, to Section 4.4 belowthe extent practicable, return any harmful effect that is known to Covered Entity within twenty-one (21) business days Business Associate of a use or disclosure of PHI by Business Associate in violation of the termination requirements of this B.A. Agreement, . 2.2 [Option A: The Parties agree that the PHI information in its Business Associate’s possession and retain no copies, including backup copies; (h) disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and (i) if all or any portion of the PHI is maintained in does not constitute a Designated Record Set:.] 
(ia) upon fifteen (15) business within days [Must be less than 30 days' prior written request from Covered Entity, provide access to the PHI in ] of receiving a Designated Record Set to Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and (ii) upon fifteen (15) business days' prior written request from Covered Entity, make available PHI necessary for Covered Entity to respond to individuals’ requests for access to PHI about them; and (b) within days [Must be less than 60 days] of receiving a written request from Covered Entity, incorporate any amendment(s) amendments or corrections to the PHI that Covered Entity directs pursuant to 45 C.F.R. § 164.526in accordance with the Privacy Regulation.]

Appears in 1 contract

Samples: Business Associate Agreement
