Responsibilities of Business Associate. A. Business Associate shall provide relevant training on HIPAA and the requirements of this agreement to all persons accessing PHI or ePHI. The training materials and records shall be provided to the covered entity upon request.
B. Business Associate shall implement and use appropriate Technical, Physical and Administrative Safeguards to reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI and to prevent Use or Disclosure of PHI, other than as permitted by this BAA.
C. Business Associate shall, within the earlier of the Compliance Date or 90-days from the Effective Date, comply with all applicable provisions of the Security Rule. The Business Associate shall conduct a risk assessment to evaluate compliance with the Security Rule and shall, at the request of the Covered Entity, provide a written attestation acknowledging completion and communicating the results of the risk assessment.
D. Business Associate shall Encrypt all transmissions of ePHI and all portable media or storage devices on which ePHI may be stored, including laptops, back-up media, CDs, or USB drives.
E. Within 30-days after receiving a written request from Covered Entity, make available information necessary for Covered Entity to make an accounting of disclosures of PHI about an Individual, as provided in 45 C.F.R. § 164.528; and in accordance with 42 U.S.C. § 17935(c) and its implementing regulations as of the Compliance Date, make that accounting directly to the Individual if directed to do so by Covered Entity.
F. At the request of Covered Entity and in the time, manner, and form designated by Covered Entity, not to exceed 15-days, provide access to PHI in a Designated Record Set to Covered Entity or, if directed by Covered Entity, to an Individual or to a recipient designated by the Individual, in accordance with the requirements of 45 C.F.R. § 164.524. Business Associate shall not charge Covered Entity or any Individual any fee associated with the production of PHI in accordance with this section that exceeds fees described at 45 C.F.R. § 164.524.
G. Make available PHI in a Designated Record Set, no more than 30-days following receipt of a written request by Covered Entity, PHI for amendment and incorporate any amendments to the PHI as directed by Covered Entity, all in accordance with 45 C.F.R. § 164.526.
H. Business Associate shall notify Covered Entity, in writing, no more than 3-days following Business Associate’s receipt directly from an Individual of any request for an accounting of disclosures or access to or amendment of PHI as contemplated in Sections II (D) (E) or (F), above.
I. Business Associate shall require each Subcontractor to agree, in writing, to the same restrictions and conditions that apply to Business Associate. Furthermore, to the extent that Business Associate provides ePHI to Subcontractor, Business Associate shall require Subcontractor to comply with all applicable provisions of the Security Rule upon the earlier of the Compliance Date or 90-days from the Effective Date. If Subcontractor is not subject to the jurisdiction or laws of the United States, or if any use or disclosure of PHI in performing the obligations under this BAA or the Agreement will be outside of the jurisdiction of the United States, Business Associate must require Subcontractor to agree by written contract with Business Associate to be subject to the jurisdiction of the Secretary, the laws, and the courts of the United States, and waive any available jurisdictional defenses that pertain to the parties’ obligations under this BAA, HIPAA, or ARRA.
J. Business Associate shall not Use or Disclose PHI except as necessary to perform its obligations under the Agreement or as otherwise required by this BAA, provided that such Use or Disclosure is permitted by applicable law and complies with each applicable requirement of 45 C.F.R. § 164.504(e).
1. In compliance with 45 C.F.R. § 164.502(b)(1), as of its Compliance Date or no more than 90-days following the Effective Date, whichever is earlier, Business Associate shall request, Use, and Disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure.
2. Business Associate shall not use PHI to make or cause to be made any communication that would constitute Marketing.
K. Without unreasonable delay, and in any event, no more than 24-hours after Discovery, Business Associate shall notify Covered Entity of any Breach, Use or Disclosure of PHI not permitted under this BAA, or any Security Incident. Business Associate shall deliver the initial notification of such Breach, in writing, which must include a reasonably detailed description of the Breach and the steps Business Associate is taking and would propose to mitigate or terminate the Breach. Furthermore, Business Associate shall supplement the initial notification, no more than 5 calendar-days following Discovery, with information including the identification of each individual whose PHI was or is believed to have been involved; a reasonably detailed description of the types of PHI involved, and written updates every 5 calendar-days until the event has been concluded; all other information reasonably requested by Covered Entity, including all information necessary to enable Covered Entity to perform and document a risk assessment in accordance with 45 C.F.R. Part 164 subpart D; and all other information necessary for Covered Entity to provide notice to individuals, the U.S. Department of Health & Human Services (“HHS”), or the media, if required. Despite anything to the contrary in the preceding provisions, in Covered Entity’s sole and absolute discretion and in accordance with its directions, Business Associate shall conduct, or pay the costs of conducting, an investigation of any Breach and shall provide or pay the costs of providing any notices required by the Breach Notice Rule or other applicable law.
L. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate that is not permitted by this BAA.
M. Business Associate shall make available to HHS its internal practices, books, and records, relating to the Use and Disclosure of PHI pursuant to the Agreement for purposes of determining Business Associate’s and Covered Entity’s compliance with the Privacy Rule.
N. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI.
O. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, the Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
P. Business Associate shall provide contact information for one primary person and one secondary person in Appendix A. Any changes in the contact information shall be forwarded to the Covered Entity.
Q. The Business Associate shall respond in writing within 10 business days to the Covered Entity’s request(s) to attest to the Business Associate’s compliance with the Privacy Rule, the Security Rule, and the Responsibilities of the Business Associate as specified in this BAA. The Business Associate shall make available to the Covered Entity its internal practices, books, and records, relating to the Use and Disclosure of PHI as necessary to substantiate the attestation of compliance.
Appears in 13 contracts
Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
Responsibilities of Business Associate. A. Business Associate shall provide relevant training on HIPAA and the requirements of this agreement to all persons accessing PHI or ePHI. The training materials and records shall be provided to the covered entity upon request.
B. Business Associate shall implement and use appropriate Technical, Physical and Administrative Safeguards to reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI and to prevent Use or Disclosure of PHI, other than as permitted by this BAA.
C. Business Associate shall, within the earlier of the Compliance Date or 90-days from the Effective Date, comply with all applicable provisions of the Security Rule. The Business Associate shall conduct a risk assessment to evaluate compliance with the Security Rule and shall, at the request of the Covered Entity, provide a written attestation acknowledging completion and communicating the results of the risk assessment.
D. Business Associate shall Encrypt all transmissions of ePHI and all portable media or storage devices on which ePHI may be stored, including laptops, back-up media, CDs, or USB drives.
E. Within 30-days after receiving a written request from Covered Entity, make available information necessary for Covered Entity to make an accounting of disclosures of PHI about an Individual, as provided in 45 C.F.R. § 164.528; and in accordance with 42 U.S.C. § 17935(c) and its implementing regulations as of the Compliance Date, make that accounting directly to the Individual if directed to do so by Covered Entity.
F. At the request of Covered Entity and in the time, manner, and form designated by Covered Entity, not to exceed 15-days, provide access to PHI in a Designated Record Set to Covered Entity or, if directed by Covered Entity, to an Individual or to a recipient designated by the Individual, in accordance with the requirements of 45 C.F.R. § 164.524. Business Associate shall not charge Covered Entity or any Individual any fee associated with the production of PHI in accordance with this section that exceeds fees described at 45 C.F.R. § 164.524.
G. Make available PHI in a Designated Record Set, no more than 30-days following receipt of a written request by Covered Entity, PHI for amendment and incorporate any amendments to the PHI as directed by Covered Entity, all in accordance with 45 C.F.R. § 164.526.
H. Business Associate shall notify Covered Entity, in writing, no more than 3-days following Business Associate’s receipt directly from an Individual of any request for an accounting of disclosures or access to or amendment of PHI as contemplated in Sections II (D) (E) or (F), above.
I. Business Associate shall require each Subcontractor to agree, in writing, to the same restrictions and conditions that apply to Business Associate. Furthermore, to the extent that Business Associate provides ePHI to Subcontractor, Business Associate shall require Subcontractor to comply with all applicable provisions of the Security Rule upon the earlier of the Compliance Date or 90-days from the Effective Date. If Subcontractor is not subject to the jurisdiction or laws of the United States, or if any use or disclosure of PHI in performing the obligations under this BAA or the Agreement will be outside of the jurisdiction of the United States, Business Associate must require Subcontractor to agree by written contract with Business Associate to be subject to the jurisdiction of the Secretary, the laws, and the courts of the United States, and waive any available jurisdictional defenses that pertain to the parties’ obligations under this BAA, HIPAA, or ARRA.
DHS-4001 Rev. 4/2020
J. Business Associate shall not Use or Disclose PHI except as necessary to perform its obligations under the Agreement or as otherwise required by this BAA, provided that such Use or Disclosure is permitted by applicable law and complies with each applicable requirement of 45 C.F.R. § 164.504(e).
1. In compliance with 45 C.F.R. § 164.502(b)(1), as of its Compliance Date or no more than 90-days following the Effective Date, whichever is earlier, Business Associate shall request, Use, and Disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure.
2. Business Associate shall not use PHI to make or cause to be made any communication that would constitute Marketing.
K. Without unreasonable delay, and in any event, no more than 24-hours after Discovery, Business Associate shall notify Covered Entity of any Breach, Use or Disclosure of PHI not permitted under this BAA, or any Security Incident. Business Associate shall deliver the initial notification of such Breach, in writing, which must include a reasonably detailed description of the Breach and the steps Business Associate is taking and would propose to mitigate or terminate the Breach. Furthermore, Business Associate shall supplement the initial notification, no more than 5 calendar-days following Discovery, with information including the identification of each individual whose PHI was or is believed to have been involved; a reasonably detailed description of the types of PHI involved, and written updates every 5 calendar-days until the event has been concluded; all other information reasonably requested by Covered Entity, including all information necessary to enable Covered Entity to perform and document a risk assessment in accordance with 45 C.F.R. Part 164 subpart D; and all other information necessary for Covered Entity to provide notice to individuals, the U.S. Department of Health & Human Services (“HHS”), or the media, if required. Despite anything to the contrary in the preceding provisions, in Covered Entity’s sole and absolute discretion and in accordance with its directions, Business Associate shall conduct, or pay the costs of conducting, an investigation of any Breach and shall provide or pay the costs of providing any notices required by the Breach Notice Rule or other applicable law.
L. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate that is not permitted by this BAA.
M. Business Associate shall make available to HHS its internal practices, books, and records, relating to the Use and Disclosure of PHI pursuant to the Agreement for purposes of determining Business Associate’s and Covered Entity’s compliance with the Privacy Rule.
N. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI.
O. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, the Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
P. Business Associate shall provide contact information for one primary person and one secondary person in Appendix A. Any changes in the contact information shall be forwarded to the Covered Entity.
Q. The Business Associate shall respond in writing within 10 business days to the Covered Entity’s request(s) to attest to the Business Associate’s compliance with the Privacy Rule, the Security Rule, and the Responsibilities of the Business Associate as specified in this BAA. The Business Associate shall make available to the Covered Entity its internal practices, books, and records, relating to the Use and Disclosure of PHI as necessary to substantiate the attestation of compliance.
Appears in 6 contracts
Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
Responsibilities of Business Associate. A. Business Associate shall provide relevant training on HIPAA and the requirements of this agreement to all persons accessing PHI or ePHI. The training materials and records shall be provided to the covered entity upon request. Business Associate shall implement and use appropriate Technical, Physical and Administrative Safeguards designed to reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI and to prevent Use or Disclosure of PHI, other than as permitted by this BAA or as required by law.
B. Business Associate shall, within the earlier of the Compliance Date or 90-days from the Effective Date, comply with all applicable provisions of the Security Rule.
C. No later than six months from the effective date of the Agreement, provide a written attestation acknowledging completion and communicating the results of the risk assessment. Business Associate shall Encrypt all transmissions of ePHI and all portable media or storage devices on which ePHI may be stored, including laptops, back-up media, CDs, or USB drives.
D. Within 30-days after receiving a written request from Covered Entity, Business Associate shall make available information necessary for Covered Entity to make an accounting of disclosures of PHI about an Individual, as provided in 45 C.F.R. § 164.528; and in accordance with 42 U.S.C. § 17935(c) and its implementing regulations as of the Compliance Date, make that accounting directly to the Individual if directed to do so by Covered Entity.
E. In the event that Business Associate, in connection with performing its obligations under this BAA or the Agreement, uses or maintains an Electronic Health Record of information of or about an Individual, then Business Associate shall provide an electronic copy (at the request of Covered Entity, and in the time and manner designated by Covered Entity, not to exceed 15-days) of the PHI to Covered Entity or, as directed by Covered Entity, to an Individual or a third party designated by the Individual, all in accordance with 42 U.S.C. § 17935 and its implementing regulations, as of its Compliance Date.
F. To the extent that PHI in the Business Associate’s possession constitutes a Designated Record Set, Business Associate shall:
1. At the request of Covered Entity and in the time and manner designated by Covered Entity, not to exceed 15-days, provide access to PHI in a Designated Record Set to Covered Entity or, if directed by Covered Entity, to an Individual or to a recipient designated by the Individual, in accordance with the requirements of 45 C.F.R. § 164.524. Business Associate shall not charge Covered Entity or any Individual any fee associated with the production of PHI in accordance with this section that exceeds fees described at 45 C.F.R. § 164.524.
2. Make PHI available, no more than 30-days following receipt of a written request by Covered Entity, PHI for amendment and incorporate any amendments to the PHI as directed by Covered Entity, all in accordance with 45 C.F.R. § 164.526.
G. Business Associate shall notify Covered Entity, in writing, no more than 5-days following Business Associate’s receipt directly from an Individual of any request for an accounting of disclosures or access to or amendment of PHI as contemplated in Sections II (D) (E)(F), above.
H. Business Associate shall require each Subcontractor to agree, in writing, to the same restrictions and conditions that apply to Business Associate. Furthermore, to the extent that Business Associate provides ePHI to Subcontractor, Business Associate shall require Subcontractor to comply with all applicable provisions of the Security Rule upon the earlier of the Compliance Date or 90-days from the Effective Date. If Subcontractor is not subject to the jurisdiction or laws of the United States, or if any use or disclosure of PHI in performing the obligations under this BAA or the Agreement will be outside of the jurisdiction of the United States, Business Associate must require Subcontractor to agree by written contract with Business Associate to be subject to the jurisdiction of the Secretary, the laws, and the courts of the United States, and waive any available jurisdictional defenses that pertain to the parties’ obligations under this BAA, HIPAA, or ARRA.
I. Business Associate shall not Use or Disclose PHI except as necessary to perform its obligations under the Agreement or as otherwise required by this BAA or for the proper management and administration of Business Associate, provided that such Use or Disclosure is permitted by applicable law and complies with each applicable requirement of 45 C.F.R. § 164.504(e) and this BAA.
1. In compliance with 42 U.S.C. § 17935(b) and its implementing regulations, as of its Compliance Date or no more than 90-days following the Effective Date, whichever is earlier, Business Associate shall request, Use, and Disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure.
2. As of the Compliance Date of 42 U.S.C. § 17936(a) and its implementing regulations, Business Associate shall not use PHI to make or cause to be made any communication about a product or service that is prohibited by 42 U.S.C. § 17936(a), and its implementing regulations.
J. Business Associate shall report to Covered Entity any Use or Disclosure of PHI not permitted under this BAA or any Security Incident, without unreasonable delay, and in any event no more than 10-days following Discovery.
K. Without unreasonable delay and, in any event, no more than 48-hours after Discovery, Business Associate shall notify Covered Entity of any actual or reasonably suspected Breach, Use or Disclosure of PHI not permitted under this BAA, or any Security Incident. Business Associate shall deliver the initial notification of such Breach, in writing, which must include a reasonably detailed description of the Breach and the steps Business Associate is taking and would propose to mitigate or terminate the Breach. Furthermore, Business Associate shall supplement the initial notification, no more than 10-days following Discovery, with information including, to the extent known to Business Associate after conducting a commercially reasonable investigation (i) the identification of each individual whose PHI was or is believed to have been involved in the Breach; (ii) a reasonably detailed description of the types of PHI involved, and written updates every 5 calendar-days until the event has been concluded; (iii) all other information reasonably requested by Covered Entity, including all information necessary to enable Covered Entity to perform and document a risk assessment in accordance with 45 C.F.R. Part 164 subpart D; and (iv) all other information necessary for Covered Entity to provide notice to individuals, the U.S. Department of Health & Human Services (“HHS”), or the media, if required.
Despite anything to the contrary in the preceding provisions, in Covered Entity’s sole and absolute discretion and in accordance with its directions, to the extent a Breach results from a violation of this BAA or applicable law or the gross negligence or willful misconduct of Business Associate or its employees, agents or contractors (other than Covered Entity), Business Associate shall conduct, or pay the costs of conducting, an investigation of any Breach and shall provide or pay the costs of providing any notices required by the Breach Notice Rule or other applicable law.
L. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate that is not permitted by this BAA.
M. Business Associate shall make available to HHS its internal practices, books, and records, relating to the Use and Disclosure of PHI pursuant to the Agreement for purposes of determining Business Associate’s and Covered Entity’s compliance with the Privacy Rule.
N. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI, as provided in 42 U.S.C. § 17935(d).
O. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, the Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
P. Business Associate shall provide contact information for one primary person and one secondary person in Appendix A. Any changes in the contact information shall be forwarded to the Covered Entity.
Q. The Business Associate shall respond in writing within 10 business days to the Covered Entity’s request(s) to attest to the Business Associate’s compliance with the Privacy Rule, the Security Rule, and the Responsibilities of the Business Associate as specified in this BAA. The Business Associate shall make available to the Covered Entity its internal practices, books, and records, relating to the Use and Disclosure of PHI as necessary to substantiate the attestation of compliance.
Appears in 3 contracts
Samples: Management & Services Agreement (National Vision Holdings, Inc.), Management & Services Agreement (National Vision Holdings, Inc.), Management & Services Agreement (National Vision Holdings, Inc.)
Responsibilities of Business Associate. A. Business Associate shall provide relevant training on HIPAA and the requirements of this agreement to all persons accessing PHI or ePHI. The training materials and records shall be provided to the covered entity upon request.
B. Business Associate shall implement and use appropriate Technical, Physical and Administrative Safeguards to reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI and to prevent Use or Disclosure of PHI, other than as permitted by this BAA.
C. Business Associate shall, within the earlier of the Compliance Date or 90-days from the Effective Date, comply with all applicable provisions of the Security Rule. The Business Associate shall conduct a risk assessment to evaluate compliance with the Security Rule and shall, at the request of the Covered Entity, provide a written attestation acknowledging completion and communicating the results of the risk assessment.
D. Business Associate shall Encrypt all transmissions of ePHI and all portable media or storage devices on which ePHI may be stored, including laptops, back-up media, CDs, or USB drives.
E. Within 30-days after receiving a written request from Covered Entity, make available information necessary for Covered Entity to make an accounting of disclosures of PHI about an Individual, as provided in 45 C.F.R. § 164.528; and in accordance with 42 U.S.C. § 17935(c) and its implementing regulations as of the Compliance Date, make that accounting directly to the Individual if directed to do so by Covered Entity.
F. At the request of Covered Entity and in the time, manner, and form designated by Covered Entity, not to exceed 15-days, provide access to PHI in a Designated Record Set to Covered Entity or, if directed by Covered Entity, to an Individual or to a recipient designated by the Individual, in accordance with the requirements of 45 C.F.R. § 164.524. Business Associate shall not charge Covered Entity or any Individual any fee associated with the production of PHI in accordance with this section that exceeds fees described at 45 C.F.R. § 164.524.
G. Make available PHI in a Designated Record Set, no more than 30-days following receipt of a written request by Covered Entity, PHI for amendment and incorporate any amendments to the PHI as directed by Covered Entity, all in accordance with 45 C.F.R. § 164.526.
H. Business Associate shall notify Covered Entity, in writing, no more than 3-days following Business Associate’s receipt directly from an Individual of any request for an accounting of disclosures or access to or amendment of PHI as contemplated in Sections II (D) (E) or (F), above.
I. Business Associate shall require each Subcontractor to agree, in writing, to the same restrictions and conditions that apply to Business Associate. Furthermore, to the extent that Business Associate provides ePHI to Subcontractor, Business Associate shall require Subcontractor to comply with all applicable provisions of the Security Rule upon the earlier of the Compliance Date or 90-days from the Effective Date. If Subcontractor is not subject to the jurisdiction or laws of the United States, or if any use or disclosure of PHI in performing the obligations under this BAA or the Agreement will be outside of the jurisdiction of the United States, Business Associate must require Subcontractor to agree by written contract with Business Associate to be subject to the jurisdiction of the Secretary, the laws, and the courts of the United States, and waive any available jurisdictional defenses that pertain to the parties’ obligations under this BAA, HIPAA, or ARRA.
J. Business Associate shall not Use or Disclose PHI except as necessary to perform its obligations under the Agreement or as otherwise required by this BAA, provided that such Use or Disclosure is permitted by applicable law and complies with each applicable requirement of 45 C.F.R. § 164.504(e).
K. In compliance with 45 C.F.R. § 164.502(b)(1), as of its Compliance Date or no more than 90-days following the Effective Date, whichever is earlier, Business Associate shall request, Use, and Disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure.
L. Business Associate shall not use PHI to make or cause to be made any communication that would constitute Marketing.
M. Without unreasonable delay, and in any event, no more than 48-hours after Discovery, Business Associate shall notify Covered Entity of any Breach, Use or Disclosure of PHI not permitted under this BAA, or any Security Incident. Business Associate shall deliver the initial notification of such Breach, in writing, which must include a reasonably detailed description of the Breach and the steps Business Associate is taking and would propose to mitigate or terminate the Breach. Furthermore, Business Associate shall supplement the initial notification, no more than 10-days following Discovery, with information including the identification of each individual whose PHI was or is believed to have been involved; a reasonably detailed description of the types of PHI involved, and written updates every 5 calendar-days until the event has been concluded; all other information reasonably requested by Covered Entity, including all information necessary to enable Covered Entity to perform and document a risk assessment in accordance with 45 C.F.R. Part 164 subpart D; and all other information necessary for Covered Entity to provide notice to individuals, the U.S. Department of Health & Human Services (“HHS”), or the media, if required. Despite anything to the contrary in the preceding provisions, in Covered Entity’s sole and absolute discretion and in accordance with its directions, Business Associate shall conduct, or pay the costs of conducting, an investigation of any Breach and shall provide or pay the costs of providing any notices required by the Breach Notice Rule or other applicable law.
N. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate that is not permitted by this BAA.
O. Business Associate shall make available to HHS its internal practices, books, and records, relating to the Use and Disclosure of PHI pursuant to the Agreement for purposes of determining Business Associate’s and Covered Entity’s compliance with the Privacy Rule.
P. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI.
Q. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, the Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
R. Business Associate shall provide contact information for one primary person and one secondary person in Appendix A. Any changes in the contact information shall be forwarded to the Covered Entity.
S. The Business Associate shall respond in writing within 10 business days to the Covered Entity’s request(s) to attest to the Business Associate’s compliance with the Privacy Rule, the Security Rule, and the Responsibilities of the Business Associate as specified in this BAA. The Business Associate shall make available to the Covered Entity its internal practices, books, and records, relating to the Use and Disclosure of PHI as necessary to substantiate the attestation of compliance.
Appears in 1 contract
Samples: Services Agreements
J. Business Associate shall not Use or Disclose PHI except as necessary to perform its obligations under the Agreement or as otherwise required by this BAA, provided that such Use or Disclosure is permitted by applicable law and complies with each applicable requirement of 45 C.F.R. § 164.504(e).
1. K. In compliance with 45 C.F.R. § 164.502(b)(1), as of its Compliance Date or no more than 90-days following the Effective Date, whichever is earlier, Business Associate shall request, Use, and Disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure.
2. L. Business Associate shall not use PHI to make or cause to be made any communication that would constitute Marketing.
K. Without unreasonable delay, and in any event, no more than 24-hours after Discovery, Business Associate shall notify Covered Entity of any Breach, Use or Disclosure of PHI not permitted under this BAA, or any Security Incident. Business Associate shall deliver the initial notification of such Breach, in writing, which must include a reasonably detailed description of the Breach and the steps Business Associate is taking and would propose to mitigate or terminate the Breach. Furthermore, Business Associate shall supplement the initial notification, no more than 5 calendar-days following Discovery, with information including the identification of each individual whose PHI was or is believed to have been involved; a reasonably detailed description of the types of PHI involved, and written updates every 5 calendar-days until the event has been concluded; all other information reasonably requested by Covered Entity, including all information necessary to enable Covered Entity to perform and document a risk assessment in accordance with 45 C.F.R. Part 164 subpart D; and all other information necessary for Covered Entity to provide notice to individuals, the U.S. Department of Health & Human Services (“HHS”), or the media, if required. Despite anything to the contrary in the preceding provisions, in Covered Entity’s sole and absolute discretion and in accordance with its directions, Business Associate shall conduct, or pay the costs of conducting, an investigation of any Breach and shall provide or pay the costs of providing any notices required by the Breach Notice Rule or other applicable law.
L. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate that is not permitted by this BAA.
M. Business Associate shall make available to HHS its internal practices, books, and records, relating to the Use and Disclosure of PHI pursuant to the Agreement for purposes of determining Business Associate’s and Covered Entity’s compliance with the Privacy Rule.
N. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI.
O. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, the Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
P. Business Associate shall provide contact information for one primary person and one secondary person in Appendix A. Any changes in the contact information shall be forwarded to the Covered Entity.
Q. The Business Associate shall respond in writing within 10 business days to the Covered Entity’s request(s) to attest to the Business Associate’s compliance with the Privacy Rule, the Security Rule, and the Responsibilities of the Business Associate as specified in this BAA. The Business Associate shall make available to the Covered Entity its internal practices, books, and records, relating to the Use and Disclosure of PHI as necessary to substantiate the attestation of compliance.
Appears in 1 contract
Samples: Services Agreement