Responsibilities of Business Associate. With regard to its use and/or disclosure of protected health information, the Business Associate hereby agrees to do the following:
(a) Use and/or disclose the protected health information only as permitted or required by this Agreement or as otherwise required by law;
(b) Report to the designated privacy officer of the Covered Entity, in writing, any use and/or disclosure of the protected health information that is not permitted or required by this Agreement of which Business Associate becomes aware within fifteen (15) days of the Business Associate’s discovery of such unauthorized use and/or disclosure;
(c) Use commercially reasonable efforts to maintain the security of the protected health information and to prevent unauthorized use and/or disclosure of such protected health information;
(d) Require all of its employees, representatives, subcontractors or agents that receive or use or have access to protected health information under this Agreement to agree in writing to adhere to the same restrictions and conditions on the use and/or disclosure of protected health information that apply herein, including the obligation to return or destroy the protected health information as provided under (h) of this section.
(e) Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of protected health information to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges.
(f) Upon written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of protected health information to the Covered Entity within fifteen (15) days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement;
(g) Within forty five (45) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by the subject individual for amendment and accounting purposes of the disclosures of the individual’s protected health information in accordance with 45 C.F.R. §164.526 and §164.528;
(h) Return to the Covered Entity or destroy, as requested by the Covered Entity, within fifteen (15) days of the termination of this Agreement, the protected health information in Business Associate’s possession and retain no copies or back-up tapes; and
(i) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of protected health information by Business Associate in violation of the requirements of this Agreement.
Appears in 1 contract
Samples: Business Associate Agreement
Responsibilities of Business Associate. With regard to its use and/or disclosure of protected health information, the Business Associate hereby agrees to do the followingwill:
(a) Use and/or Not use or further disclose the protected health information only Protected Health Information other than as permitted or required by this Agreement the Original Contract or as otherwise required by law, including without limitation, the Privacy Regulations and any applicable State law;
(b) Report Use appropriate safeguards to the designated privacy officer of the Covered Enti ty, in writing, any prevent use and/or or disclosure of Protected Health Information other than as provided for in the protected health information that is not permitted or required by this Agreement of which Business Associate becomes aware within fifteen (15) days of the Business Associate’s discovery of such unauthorized use and/or disclosureOriginal Contract;
(c) Use commercially reasonable efforts to maintain Implement administrative, physical, and technical safeguards that reasonably protect the security confidentiality, integrity, and availability of the electronic protected health information and to prevent unauthorized use and/or disclosure that it creates, receives, maintains, or transmits on behalf of such protected health information;the Covered Entity.
(d) Require all of its employees, representatives, subcontractors or agents that receive or Report to Covered Entity any use or have access disclosure of Protected Health Information not provided for in the Original Contract of which it becomes aware;
(e) Ensure that any agents, including a subcontractor, to protected health information under this Agreement to agree in writing to adhere whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of, the Covered Entity agrees to the same restrictions and conditions on the use and/or disclosure of that apply to Business Associate with respect to Protected Health Information. Further any agent or subcontractor must agree to implement reasonable and appropriate safeguards to protect electronic protected health information that apply herein, including the obligation information.
(f) Make available for inspection and copying Protected Health Information to return or destroy the protected health information as provided under an individual about such individual in accordance with 45 C.F.R § 164.524;
(g) Make available Protected Health Information to an individual about such individual for amendment and incorporate any amendments to Protected Health Information in accordance with 45 C.F.R. § 164.526;
(h) Make available Protected Health Information required to provide an accounting of this section.disclosures in accordance with 45 C.F.R. §164.528;
(ei) Make available all recordsits internal practices, books, agreements, policies and procedures records relating to the use and/or an disclosure of protected health information Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of HHS to whom the authority involved has been delegated for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges.privacy Regulations; and
(fj) Upon written requestAt termination of the Original Contract, make available during normal business hours at if feasible, return all Protected Health Information received from, or created or received by Business Associate’s offices all recordsAssociate on behalf of, books, agreements, policies and procedures relating to the use and/or disclosure of protected health information to the Covered Entity within fifteen (15) days for purposes of enabling the Covered Entity to determine the that Business Associate’s compliance with the terms of this Agreement;
(g) Within forty five (45) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by the subject individual for amendment and accounting purposes of the disclosures of the individual’s protected health information Associates still maintains in accordance with 45 C.F.R. §164.526 and §164.528;
(h) Return to the Covered Entity or destroy, as requ ested by the Covered Entity, within fifteen (15) days of the termination of this Agreement, the protected health information in Business Associate’s possession any form and retain no copies or back-up tapes; and
(i) Business Associate agrees to mitigateof such Protected Health information or, if return is not feasible, extend the protections of the Original Contract and this Agreement to the extent practicable, any harmful effect information and limit further uses and disclosures to those purposes that is known to Business Associate of a use or disclosure of protected health information by Business Associate in violation make the return of the requirements of this Agreementprotected Health Information infeasible.
Appears in 1 contract
Samples: Business Associate Agreement
Responsibilities of Business Associate. With regard to its use and/or and disclosure of protected health information, the Business Associate hereby BUSINESS ASSOCIATE agrees to do the following:
(a) : Use and/or disclose the protected health information only as permitted or required by this Agreement or as otherwise required by law;
; no further use or disclosure is permitted. Use appropriate physical, technical and administrative safeguards to protect electronic PHI, and comply with the requirements of the HIPAA Security Regulations (b45 CFR Part 164 Subpart C) which are applicable to business associates. Report to the designated privacy officer of the Covered Enti tyCOVERED ENTITY any security incident, in writing, and any use and/or or disclosure not provided by this contract, including breaches of the unsecured protected health information that is not permitted or as required by this Agreement 45 CFR 164.410. Require that subcontractors who create, receive, maintain or transmit ePHI on behalf of which Business Associate becomes aware within fifteen (15) days comply with applicable HIPAA Security regulations by entering into a Business Associate contract with these subcontractors. The Business Associate contract shall meet the specifications of 45 CFR 164.314. Make available to the Business Associate’s discovery of such unauthorized use and/or disclosure;
(c) Use commercially reasonable efforts to maintain the security of the protected health information and to prevent unauthorized use and/or disclosure of such individual any requested protected health information;
(d) Require all , in accordance with procedures specified by COVERED ENTITY and in compliance with 45 CFR 164.524, “Access of its employees, representatives, subcontractors or agents that receive or use or have access individuals to protected health information”. Make available for amendment and incorporate any amendments to protected health information under this Agreement to agree in writing to adhere to accordance with the same restrictions and conditions on the use and/or disclosure requirements of 45 CFR 164.526, “Amendment of protected health information”. Make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528. To the extent that apply hereinBUSINESS ASSOCIATE is to carry out COVERED ENTITY’s obligations under the HIPAA Privacy Regulations, including 45 CFR 164 Part E, comply with the obligation to return or destroy requirements of the protected health information as provided under (h) Privacy Regulations in the performance of this section.
(e) those obligations. Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of protected health information to the Secretary of HHS for purposes of determining the Covered EntityCOVERED ENTITY’s compliance with the Privacy RegulationHIPAA regulations, subject to attorney-client and other applicable legal privileges.
(f) Upon written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of protected health information to the Covered Entity within fifteen (15) days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement;
(g) Within forty five (45) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by the subject individual for amendment and accounting purposes of the disclosures of the individual’s protected health information in accordance with 45 C.F.R. §164.526 and §164.528;
(h) . Return to the Covered Entity COVERED ENTITY or destroy, as requ ested requested by the Covered EntityCOVERED ENTITY, within fifteen (15) 30 days of the termination of this Agreement, the protected health information in Business AssociateBUSINESS ASSOCIATE’s possession and retain no copies or electronic back-up tapes; and
(i) Business Associate agrees to mitigatecopies. If this is not feasible, BUSINESS ASSOCIATE will limit further uses and disclosures to the extent practicablereason that return/destruction is not feasible, any harmful effect that is known and to Business Associate of a use or disclosure of extend the protections in this agreement for as long as the protected health information by Business Associate is in violation of the requirements of this Agreementits possession.
Appears in 1 contract
Samples: Business Associate Agreement
Responsibilities of Business Associate. With regard to its use and/or disclosure of protected health informationProtected Health Information, the Business Associate hereby agrees to do the following:
(a) : Use and/or disclose the protected health information Protected Health Information only as permitted or required by this Agreement or as otherwise required by law;
(b) . Report to the designated privacy officer Privacy Officer of the Covered Enti tyEntity, in writing, any use and/or disclosure of the protected health information Protected Health Information that is not permitted or required by this Agreement and as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and its implementing regulations, of which Business Associate becomes aware within fifteen (15) 10 days of the Business Associate’s discovery of such unauthorized use and/or disclosure;
(c) . Establish procedures for mitigating, to the greatest extent possible, any effects from any improper use and/or disclosure of Protected Health Information that Business Associate reports to Covered Entity. Use commercially reasonable efforts to maintain the security of the protected health information Protected Health Information and to prevent unauthorized use and/or disclosure of such protected health information;
(d) Protected Health Information. Require all of its employees, representatives, subcontractors or and agents that receive or use use, or have access to protected health information to, Protected Health Information under this Agreement to agree agree, in writing writing, to adhere to the same restrictions and conditions on the use and/or disclosure of protected health information Protected Health Information that apply herein, including the obligation to return or destroy the protected health information as provided under (h) of Business Associate pursuant this section.
(e) Agreement. Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of protected health information Protected Health Information to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges.
(f) . Upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of protected health information Protected Health Information to the Covered Entity within fifteen (15) 15 days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement;
(g) . Within forty five (45) 45 days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by the subject an individual for amendment and an accounting purposes of the disclosures of the individual’s protected health information 's Protected Health Information in accordance with 45 C.F.R. §164.526 and §164.528;
(h) Return HIPAA. Subject to the Section 4.4 below, return to Covered Entity or destroy, as requ ested by the Covered Entity, within fifteen (15) 15 days of the termination of this Agreement, the protected health information Protected Health Information in Business Associate’s its possession and retain no copies or back-up tapes; and
(i) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of protected health information by Business Associate in violation of the requirements which for purposes of this AgreementAgreement shall mean destroy all backup tapes). Disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum Protected Health Information necessary to perform or fulfill a specific function required or permitted hereunder.
Appears in 1 contract
Samples: Business Associate Agreement
Responsibilities of Business Associate. With regard to Regarding its use and/or disclosure of protected health informationProtected Health Information, the Business Associate hereby agrees to do the following:
(a) A. Use and/or disclose the protected health information Protected Health Information in its possession only as permitted by this HIPAA exhibit or otherwise permitted or required by federal and state laws;
B. Ensure that all its employees, representatives, subcontractors, or agents that receive, use, or have access to Protected Health Information under this Agreement HIPAA exhibit agree to comply with the same terms and conditions on the use and/or disclosure of Protected Health Information that apply herein, including the obligation to return, destroy, or maintain the confidentiality of Protected Health Information as otherwise provided under Section 8(B)(2) of this HIPAA exhibit;
C. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity, as required by lawthe Privacy and Security Rule;
(b) D. Establish procedures for mitigating improper use and/or disclosure of Protected Health Information in the event Business Associate discloses Protected Health Information to any third party for purposes other than “treatment,” “payment,” or “health care operations,” as those terms are used and defined within the Privacy and Security Rule. Business Associate shall provide prompt notice of the date and purpose of each disclosure as well as the name and address of the recipient to the Covered Entity at the address set forth in the licensing Agreement.
E. Report to the designated privacy officer Privacy Officer of the Covered Enti ty, Entity in writing, writing any use and/or disclosure of the protected health information Protected Health Information that is not permitted or required by this Agreement HIPAA exhibit or a security incident of which Business Associate becomes aware of within fifteen ten (1510) days of the Business Associate’s discovery of such unauthorized use and/or disclosuredisclosure or security incident;
(c) Use commercially reasonable efforts to maintain the security of the protected health information and to prevent unauthorized use and/or disclosure of such protected health information;
(d) Require all of its employees, representatives, subcontractors or agents that receive or use or have access to protected health information under this Agreement to agree in writing to adhere to the same restrictions and conditions on the use and/or disclosure of protected health information that apply herein, including the obligation to return or destroy the protected health information as provided under (h) of this section.
(e) Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of protected health information to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges.
(f) F. Upon written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies policies, and procedures relating to the use and/or disclosure of protected health information Protected Health Information to the Covered Entity within fifteen ten (1510) days of receiving the request for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this AgreementHIPAA exhibit;
G. Make available all records, books, agreements, policies, and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary for purposes of determining Covered Entity’s compliance with the Privacy and Security Rule, subject to attorney-client privilege and other applicable legal privileges; and
H. Within thirty (g) Within forty five (4530) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by the subject individual an Individual to account for amendment and accounting purposes of the disclosures of the individualIndividual’s protected health information Protected Health Information or to amend the Individual’s Protected Health Information in accordance with 45 C.F.R. §164.526 and §164.528;
(h) Return to the Covered Entity or destroy, as requ ested by the Covered Entity, within fifteen (15) days of the termination Section 7 of this Agreement, the protected health information in Business Associate’s possession and retain no copies or back-up tapes; and
(i) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of protected health information by Business Associate in violation of the requirements of this AgreementHIPAA exhibit.
Appears in 1 contract
Samples: Software as a Service Master License Agreement and Master Service Agreement
Responsibilities of Business Associate. With regard to its use and/or disclosure If, during the term of protected health informationthis Agreement, the Business Associate is in receipt of PHI, Business Associate hereby agrees to do the following:
(a) a. Use and/or disclose the protected health information PHI only as permitted or required by this the Agreement or as otherwise required Required by law;Law.
(b) b. Report to the designated privacy officer Privacy and Security Officer of the Covered Enti tyFMCNA, in writing, any use and/or disclosure of the protected health information PHI that is not permitted or required by this the Agreement of which Business Associate becomes aware within fifteen two (152) days of the Business Associate’s discovery of such unauthorized use and/or disclosure;.
(c) c. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of PHI that Business Associate reports to FMCNA.
d. Use commercially reasonable efforts to maintain the security of the protected health information and appropriate safeguards to prevent unauthorized use and/or disclosure of such protected health information;PHI.
(d) e. Implement Administrative, Physical, and Technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of the Electronic PHI that Business Associate creates, receives, maintains, or transmits on behalf of FMCNA.
f. Require all of its employees, representatives, subcontractors or and agents that receive or use create, receive, maintain, transmit, use, or have access to protected health information under to, PHI governed by this Agreement to agree agree, in writing writing, to adhere to the same restrictions and conditions on the use use, disclosure, and/or disclosure protection of protected health information PHI that apply herein, including the obligation to return or destroy the protected health information as provided under (h) of this sectionBusiness Associate pursuant hereto.
(e) g. Make available all records, books, agreements, policies policies, procedures, and procedures internal practices relating to the use and/or disclosure of protected health information PHI to the United States Secretary of HHS Health and Human Services for purposes of determining the Covered EntityFMCNA’s compliance with the Privacy RegulationHIPAA, subject to attorney-client and other applicable legal privileges.
i. Upon termination of the Agreement, where feasible, destroy or return to FMCNA within thirty (f30) Upon written requestdays all PHI received from, make available during normal business hours at or created, received, maintained or transmitted by Business Associate on behalf of FMCNA. Where return or destruction is not feasible, the duties of Business Associate under this Agreement shall be extended to protect the PHI retained by Business Associate. Business Associate agrees to limit further uses and disclosures of the PHI retained to those purposes that made the return or destruction infeasible.
j. Disclose to its subcontractors, agents or other third parties, and request from FMCNA, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder.
k. Notify FMCNA within two (2) business days if an Individual (FMCNA patient or the patient’s offices all recordslegal representative) wishes to assert his or her right of access to obtain a copy of PHI as set forth in 45 C.F.R. § 164.524.
l. At the request of FMCNA, booksand in the time and manner specified by FMCNA, agreements, policies and procedures relating provide access to the use and/or disclosure of protected health information PHI contained in a Designated Record Set to the Covered Entity within fifteen (15) days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance an Individual in accordance with the terms and provisions of this Agreement;45 C.F.R. § 164.524. FMCNA’s determination of what constitutes PHI or a Designated Record Set shall be final and conclusive.
m. Notify FMCNA within two (g2) Within forty five business days if an Individual (45FMCNA patient or the patient’s legal representative) wishes to assert his or her right to amend PHI or amend a record in a Designated Record Set as set forth in 45 C.F.R. § 164.526.
n. Make any amendment(s) to an Individual’s PHI contained in a Designated Record Set that FMCNA directs or agrees to pursuant to 45 C.F.R. § 164.526 and in the time and manner directed by FMCNA. FMCNA’s determination of what PHI is subject to amendment pursuant to 45 C.F.R. § 164.526 shall be final and conclusive.
o. Notify FMCNA within two (2) business days if an Individual (FMCNA patient or the patient’s legal representative) wishes to assert his or her right to receive an accounting of receiving a written request from the Covered Entity, provide to the Covered Entity such information disclosures of PHI as is requested by the Covered Entity to permit the Covered Entity set forth in 45 C.F.R. § 164.528.
p. Document any disclosures of PHI that would be required for FMCNA to respond to a request by the subject individual an Individual for amendment and an accounting purposes of the disclosures of the individual’s protected health information PHI in accordance with 45 C.F.R. §164.526 and §§ 164.528;
(h) Return to the Covered Entity or destroy, as requ ested by the Covered Entity, within fifteen (15) days of the termination of this Agreement, the protected health information in Business Associate’s possession and retain no copies or back-up tapes; and
(i) . Business Associate agrees to mitigateprovide to FMCNA, in a time and manner designated by FMCNA, the information collected in accordance with this paragraph to permit FMCNA respond to a request by an Individual for an accounting of disclosures pursuant to 45 C.F.R. § 164.528.
q. Report in writing, within two (2) days, to the extent practicable, FMCNA any harmful effect that is known to Security Incident (as defined in 45 C.F.R. § 164.304) of which Business Associate of becomes aware. However, the obligation to report a use or disclosure of protected health Security Incident shall not include immaterial incidents, such as unsuccessful attempts to penetrate Business Associate’s information by Business Associate in violation of the requirements of this Agreementsystem.
Appears in 1 contract
Samples: Transfer and Administration Agreement (Fresenius Medical Care AG & Co. KGaA)
Responsibilities of Business Associate. With regard to its use and/or disclosure of protected health informationProtected Health Information, the Business Associate hereby agrees to do the following:
(a) a. Use and/or disclose the protected health information Protected Health Information only as permitted or required by this Agreement or as otherwise required by law;.
(b) b. Report to the designated privacy officer Privacy Officer of the Covered Enti tyEntity, in writing, any use and/or disclosure of the protected health information Protected Health Information that is not permitted or required by this Agreement of which Business Associate becomes aware within fifteen (15) days a reasonable time of the Business Associate’s discovery of such unauthorized use and/or disclosure;.
(c) c. Establish procedures for mitigating, to the greatest extent possible, any effects from any improper use and/or disclosure of Protected Health Information that Business Associate reports to Covered Entity.
d. Use commercially reasonable efforts to maintain the security of the protected health information Protected Health Information and to prevent unauthorized use and/or disclosure of such protected health information;Protected Health Information.
e. Require all of its employees, representatives, subcontractors and agents that receive or use, or have access to, Protected Health Information under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of Protected Health Information that apply to Business Associate pursuant to this Agreement.
f. Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges.
g. Within 45 days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for amendment and an accounting of the disclosures of the individual’s Protected Health Information in accordance with HIPAA.
h. Subject to Section 4.4 below, return to Covered Entity or destroy, as requested by the Covered Entity, within a reasonable time of the termination of this Agreement, the Protected Health Information in its possession and retain no copies or back-up tapes (which for purposes of this Agreement shall mean destroy all backup tapes).
i. Disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum Protected Health Information necessary to perform or fulfill a specific function required or permitted hereunder.
Responsibilities of Business Associate. With regard to its use and/or disclosure of Protected Health Information, the Business Associate hereby agrees to do the following:
Use and/or disclose the Protected Health Information only as permitted or required by this Agreement or as otherwise required by law.
Report to the designated Privacy Officer of the Covered Entity, in writing, any use and/or disclosure of the Protected Health Information that is not permitted or required by this Agreement and as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and its implementing regulations, of which Business Associate becomes aware within 10 days of the Business Associate’s discovery of such unauthorized use and/or disclosure.
Establish procedures for mitigating, to the greatest extent possible, any effects from any improper use and/or disclosure of Protected Health Information that Business Associate reports to Covered Entity. Use commercially reasonable efforts to maintain the security of the Protected Health Information and to prevent unauthorized use and/or disclosure of such Protected Health Information.
Require all of its employees, representatives, subcontractors and agents that receive or use, or have access to, Protected Health Information under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of Protected Health Information that apply to Business Associate pursuant to this Agreement.
Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges.
Upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity within 15 days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement.
Within 45 days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for amendment and an accounting of the disclosures of the individual’s Protected Health Information in accordance with HIPAA.
Subject to Section 4.5 below, return to Covered Entity or destroy, as requested by the Covered Entity, within 15 days of the termination of this Agreement, the Protected Health Information in its possession and retain no copies or back-up tapes (which for purposes of this Agreement shall mean destroy all backup tapes).
Disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum Protected Health Information necessary to perform or fulfill a specific function required or permitted hereunder.
Responsibilities of Business Associate. With regard to its use or disclosure of Protected Health Information, the Business Associate hereby agrees that it shall:
(a) Use or disclose the Protected Health Information only as needed to perform its obligations to the Covered Entity under the Service Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by the Covered Entity;
(b) Not use or further disclose Protected Health Information other than as permitted or required by this Addendum, the Service Agreement or as otherwise required by law;
(c) Use appropriate safeguards to prevent unauthorized use or disclosure of such Protected Health Information;
(d) Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Addendum;
(e) Report to the designated Compliance Officer of the Covered Entity, in writing, (i) any Use or Disclosure of the Protected Health Information that is not permitted or required by this Addendum and (ii) any Security Incident of which Business Associate becomes aware within ten (10) days of the Business Associate’s discovery of such unauthorized Use or Disclosure or Security Incident;
(f) To the extent that any of the Protected Health Information Used and/or Disclosed by the Business Associate constitutes Personal Information, the Business Associate shall notify affected Individuals of any Security Breach in the manner required by and pursuant to the provisions of New Hampshire RSA 359-C:20 and otherwise comply with the requirements of RSA 359-C;
(g) Require all of its employees, representatives, subcontractors or agents that receive or use or have access to Protected Health Information to agree in writing to adhere to the same restrictions and conditions on the Use and/or Disclosure of Protected Health Information as are contained herein;
(h) Provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524;
(i) Make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity;
(j) Document such disclosures of Protected Health Information and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. §164.528;
(k) Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity, or at the request of the Covered Entity to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the HIPAA Rules;
(l) Upon written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the Use and/or Disclosure of Protected Health Information to the Covered Entity within thirty (30) days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Addendum;
(m) Return to the Covered Entity or destroy, as requested by the Covered Entity, within thirty (30) days of the expiration or termination of this Addendum, the Protected Health Information in Business Associate’s possession and retain no copies or back-ups of any kind; and
(n) Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that the Business Associate Uses and/or Discloses on behalf of the Covered Entity.