Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to: 1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law. 2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rules, or FIPA, if done so by a Covered Entity. 3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary. 4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PII, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County. 5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA. 6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder. 7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County. 8. At the request of, and in the time and manner designated by, the County, provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County. 9. At the request of, and in the time and manner designated by, the County, make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County. 10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County. 11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 12 contracts
Samples: Contract, Grant Contract, Contract
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rulesrules, the HITECH Act Breach Notification rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PIIPII that is created, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rulesrules, the HITECH Act Breach Notification rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.
8. At the request of, and in the time and manner designated by, the County, provide Provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County.
9. At , at the request of, and in the time and manner designated by, the County, make .
9. Make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County, at the request of, and in the time and manner designated by, the County.
10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 7 contracts
Samples: Contract Y23 2505, County Contract No. Y23 2500, Contract for Provision of Community Services and Facility Use
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PII, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.
8. At the request of, and in the time and manner designated by, the County, provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County.
9. At the request of, and in the time and manner designated by, the County, make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County.
10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 4 contracts
Samples: Federal Subrecipient Agreement, Federal Subrecipient Agreement, Federal Subrecipient Agreement
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:
1. Only use or disclose the PHI and PII as allowed under this Addendum Agreement or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rulesrules, the HITECH Act Breach Notification rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this AddendumAgreement; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PIIPII that is created, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rulesrules, the HITECH Act Breach Notification rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.
8. At the request of, and in the time and manner designated by, the County, provide Provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County.
9. At , at the request of, and in the time and manner designated by, the County, make .
9. Make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County, at the request of, and in the time and manner designated by, the County.
10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 2 contracts
Samples: Providing Telehealth Psychiatric Services, Federal Subrecipient Agreement
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PII, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance complianc e with FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual individua l for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.
8. At the request of, and in the time and manner designated by, the County, provide access to the PHI and PII maintained by the Business Associate to the County or individualindividua l, if the Business Associate maintains a Designated Records Set on behalf of the County.
9. At the request of, and in the time and manner designated by, the County, make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County.
10. Establish and implement administrativeadministrative , physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 1 contract
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rulesrules, the HITECH Act Breach Notification rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PIIPII that is created, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rulesrules, the HITECH Act Breach Notification rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.
8. At the request of, and in the time and manner designated by, the County, provide Provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County.
9. At , at the request of, and in the time and manner designated by, the County, make .
Attachment 1 Business Associate Agreement
9. Make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County, at the request of, and in the time and manner designated by, the County.
10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 1 contract
Samples: Service Agreement
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rules, or FIPA, if done so by a Covered Entity.. Page 6 of 15
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PII, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.
8. At the request of, and in the time and manner designated by, the County, provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County.
9. At the request of, and in the time and manner designated by, the County, make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County.
10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability Page 7 of 15 of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 1 contract
Responsibilities of the Business Associate. Regarding the With regard to its use or and/or disclosure of PHI and PIIPHI, the Business Associate hereby agrees toto do the following:
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or a. Use and/or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use Agreement or disclosure as necessaryotherwise required by Law.
4b. Use commercially reasonable efforts to maintain the security of PHI and to prevent unauthorized use and/or disclosure of PHI (an “Improper Use or Disclosure”) and use reasonable safeguards designed to ensure that transmission, handling, storage and use of PHI by Business Associate will preserve the confidentiality of the PHI, in accordance with Law including, without limitation, the Privacy Rule.
c. Report to the designated Privacy Official of the. Ensure that Borrower, in writing, any Improper Use or Disclosure or Security Incident of which the Business Associate becomes aware within ten (10) days following, the Business Associate’s subcontractors discovery of such Improper Use or agents Disclosure.
d. Mitigating, to whom the greatest extent possible, any adverse effects that are known to Business Associate provides of a use or disclosure of PHI by Business Associate (or PIIany subcontractor or Business Associate) in violation of this Agreement.
e. To the extent that Business Associate contracts with any agents, created receivedincluding subcontractors, maintainedwho will receive, use, or transmitted on behalf County have access to PHI, Business Associate will use reasonable efforts to ensure that the agents, including subcontractors, agree to the same restrictions and conditions herein on the use and/or disclosure of PHI and shall not, in any manner that apply violates HIPAA, the Privacy Rule, the Security Rule or other applicable Law, use or disclose PHI except as permitted or required by this Agreement and under Laws including, but not limited to, the Privacy Rule, the Security Rule and HITECH.
f. Promptly make available all records, books, agreements, policies and procedures relating to the Business Associate with respect use and/or disclosure of PHI, subject to PHI and PIIapplicable legal privileges, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards the Borrower for purposes of enabling the Borrower to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make determine the Business Associate’s compliance with the terms of this Agreement.
g. Promptly make available all records, books, accounts, agreements, policies, policies and procedures available relating to the use and/or disclosure of PHI, subject to applicable legal privileges, to the Secretary for the purpose of HHS for determining compliance determinations as set forth in the County’s compliance with the HIPAA Privacy and Security Rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPARule.
6. Limit use byh. Promptly after receiving a written request from the Borrower, or disclosure to, its subcontractors, agents, and other third parties, provide to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide Borrower such information to as is requested by the County Borrower to permit the County Borrower to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 C.F.R. § 164.528. Such records and accounting shall be provided to Borrower within five thirty (530) days of receiving receipt of a written request from the County, if the Borrower. Information necessary to provide an accounting will be maintained by Business Associate maintains for a period of six (6) years from the date of the disclosure.
i. Limit the use and disclosure of PHI to the appropriate minimum necessary representations as set forth in the Privacy Rule codified at 45 C.F.R, § 164.514(d).
j. To the extent Business Associate has PHI in a Designated Records Set on behalf Record Set, within thirty (30) days of receipt by Business Associate of Borrower’s written request, make PHI regarding a specific individual available to Borrower. In the event Business Associate receives a request from an individual for such access, Business Associate shall promptly forward such request to Borrower, and shall, within thirty (30) days of receipt of such request, provide Borrower with a copy of any PHI in the possession of Business Associate for which access was requested by the individual. Business Associate shall provide the PHI to Borrower in the format requested, unless it is not readily producible in such format, in which case it shall be produced, in hard copy format. The provision of the County.
8. At access to the request of, individual’s PHI and in the time and manner designated by, the County, provide any denials of access to the PHI and PII maintained by shall be the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf responsibility of the CountyBorrower.
9. At the request of, and k. Incorporate any amendments to PHI contained in the time and manner designated by, the County, make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set when directed by Borrower in writing. In the event Business Associate receives an individual’s request for an amendment pursuant to 45 C.F.R, § 164.526, Business Associate shall promptly forward such request to Borrower. All decisions regarding the amendment of PHI shall be the responsibility of the Borrower.
l. May provide data aggregation services relating to the health care operations of Borrower.
m. Business Associate shall, following its discovery of a breach of Unsecured PHI, notify Borrower of such breach. Such notice to Borrower shall include: (i) to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; (ii) a brief description of what happened, including the date of the breach and discovery of the breach, if known; (iii) a description of the types of Unsecured PHI that was involved in the breach; (iv) a description of what Business Associate is doing to mitigate harm to individuals, and to protect against further breaches; (v) a brief description of Business Associates’s investigation into the breach and the results of such investigation; and (vi) contact information of the most knowledgeable individual for Borrower to contact relating to the breach and its investigation into the breach.
n. To the extent Business Associate performs any activities on behalf of the County.
10. Establish Borrower in connection with one or more covered accounts (as that term is defined at 16 C.F.R. § 681.2(b)(3)), Business Associate shall conduct such activities in accordance with reasonable policies and implement administrativeprocedures designated to detect, physicalprevent, and technical safeguards that reasonably and appropriately protect mitigate the confidentiality, integrity, and availability risk of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the Countyidentity theft.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 1 contract
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:: Business Associate Addendum between Orange County and Ability Health Services & Rehabilitation, LP
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PII, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.
8. At the request of, and in the time and manner designated by, the County, provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County.. Business Associate Addendum between Orange County and Ability Health Services & Rehabilitation, LP Regarding
9. At the request of, and in the time and manner designated by, the County, make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County.
10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 1 contract
Samples: Contract for Services
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.deleterious
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PII, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.
8. At the request of, and in the time and manner designated by, the County, provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County.
9. At the request of, and in the time and manner designated by, the County, make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County.
10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 1 contract
Samples: Grant Contract
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:
1. Only use or disclose the PHI and PII as allowed under this Addendum Agreement or otherwise by applicable law. Orange County, Florida and Kinder Konsulting & Parents Too, Inc Attachment 2 – Business Associate Agreement for County Contract No.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rulesrules, the HITECH Act Breach Notification rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this AddendumAgreement; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PIIPII that is created, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rulesrules, the HITECH Act Breach Notification rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.
8. At the request of, and in the time and manner designated by, the County, provide Provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County.
9. At , at the request of, and in the time and manner designated by, the County, make .
9. Make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County, at the request of, and in the time and manner designated by, the County. Orange County, Florida and Kinder Konsulting & Parents Too, Inc Attachment 2 – Business Associate Agreement for County Contract No.
10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 1 contract
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PII, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.
8. At the request of, and in the time and manner designated by, the CountyCounty in its reasonable discretion, provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County.
9. At the request of, and in the time and manner designated mutually agreed upon by, the CountyCounty and Business Associate, make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County.
10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 1 contract
Samples: Contract
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to:to:
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rulesrules, the HITECH Act Breach Notification rules, or FIPA, if done so by a Covered Entity.Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary.necessary.
4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PIIPII that is created, created received, maintained, or transmitted on behalf County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.County.
5. Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rulesrules, the HITECH Act Breach Notification rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA.FIPA.
6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.hereunder.
7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County.County.
8. At the request of, and in the time and manner designated by, the County, provide Provide access to the PHI and PII maintained by the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf of the County.
9. At , at the request of, and in the time and manner designated by, the County, make County.
9. Make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set on behalf of the County., at the request of, and in the time and manner designated by, the County.
10. Establish and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the County.County.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.below.
Appears in 1 contract
Samples: Contract Y23 2504
Responsibilities of the Business Associate. Regarding the With regard to its use or and/or disclosure of PHI and PIIPHI, the Business Associate hereby agrees toto do the following:
1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law.
2. Only use or disclosure PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rules, or FIPA, if done so by a Covered Entity.
3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extents possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or a. Use and/or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use Agreement or disclosure as necessaryotherwise required by Law.
4. Ensure b. Use commercially reasonable efforts to maintain the security of PHI and to prevent unauthorized use and/or disclosure of PHI (an “Improper Use or Disclosure”) and use reasonable safeguards designed to ensure that transmission, handling, storage and use of PHI by Business Associate will preserve the confidentiality of the PHI, in accordance with Law including, without limitation, the Privacy Rule.
c. Report to the designated Privacy Official of the Borrower, in writing, any Improper Use or Disclosure or Security Incident of which the Business Associate becomes aware within ten (10) days following the Business Associate’s subcontractors discovery of such Improper Use or agents Disclosure.
d. Mitigating, to whom the greatest extent possible, any adverse effects that are known to Business Associate provides of a use or disclosure of PHI by Business Associate (or PIIany subcontractor or Business Associate) in violation of this Agreement.
e. To the extent that Business Associate contracts with any agents, created receivedincluding subcontractors, maintainedwho will receive, use, or transmitted on behalf County have access to PHI, Business Associate will use reasonable efforts to ensure that the agents, including subcontractors, agree to the same restrictions and conditions herein on the use and/or disclosure of PHI and shall not, in any manner that apply violates HIPAA, the Privacy Rule, the Security Rule or other applicable Law, use or disclose PHI except as permitted or required by this Agreement and under Laws including, but not limited to, the Privacy Rule, the Security Rule and HITECH.
f. Promptly make available all records, books, agreements, policies and procedures relating to the Business Associate with respect use and/or disclosure of PHI, subject to PHI and PIIapplicable legal privileges, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards the Borrower for purposes of enabling the Borrower to protect the confidentiality, integrity, and availability of all PHI and PII that it creates receives, maintains, or transmits on behalf of the County.
5. Make determine the Business Associate’s compliance with the terms of this Agreement.
g. Promptly make available all records, books, accounts, agreements, policies, policies and procedures available relating to the use and/or disclosure of PHI, subject to applicable legal privileges, to the Secretary for the purpose of HHS for determining compliance determinations as set forth in the County’s compliance with the HIPAA Privacy and Security Rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPARule.
6. Limit use byh. Promptly after receiving a written request from the Borrower, or disclosure to, its subcontractors, agents, and other third parties, provide to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder.
7. Provide Borrower such information to as is requested by the County Borrower to permit the County Borrower to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 C.F.R. §164.528. Such records and accounting shall be provided to Borrower within five thirty (530) days of receiving receipt of a written request from the County, if the Borrower. Information necessary to provide an accounting will be maintained by Business Associate maintains for a period of six (6) years from the date of the disclosure.
i. Limit the use and disclosure of PHI to the appropriate minimum necessary representations as set forth in the Privacy Rule codified at 45 C.F.R. § 164.514(d).
j. To the extent Business Associate has PHI in a Designated Records Set on behalf Record Set, within thirty (30) days of receipt by Business Associate of Borrower’s written request, make PHI regarding a specific individual available to Borrower. In the event Business Associate receives a request from an individual for such access, Business Associate shall promptly forward such request to Borrower, and shall, within thirty (30) days of receipt of such request, provide Borrower with a copy of any PHI in the possession of Business Associate for which access was requested by the individual. Business Associate shall provide the PHI to Borrower in the format requested, unless it is not readily producible in such format, in which case it shall be produced in hard copy format. The provision of the County.
8. At access to the request of, individual’s PHI and in the time and manner designated by, the County, provide any denials of access to the PHI and PII maintained by shall be the Business Associate to the County or individual, if the Business Associate maintains a Designated Records Set on behalf responsibility of the CountyBorrower.
9. At the request of, and k. Incorporate any amendments to PHI contained in the time and manner designated by, the County, make any amendment(s) to the PHI and PII when directed by the County, if the Business Associate maintains a Designated Record Set when directed by Borrower in writing. In the event Business Associate receives an individual’s request for an amendment pursuant to 45 C.F.R. § 164.526, Business Associate shall promptly forward such request to Borrower. All decisions regarding the amendment of PHI shall be the responsibility of the Borrower.
l. May provide data aggregation services relating to the health care operations of Borrower.
m. Business Associate shall, following its discovery of a breach of Unsecured PHI, notify Borrower of such breach. Such notice to Borrower shall include: (i) to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; (ii) a brief description of what happened, including the date of the breach and discovery of the breach, if known; (iii) a description of the types of Unsecured PHI that was involved in the breach; (iv) a description of what Business Associate is doing to mitigate harm to individuals, and to protect against further breaches; (v) a brief description of Business Associates’ investigation into the breach and the results of such investigation; and (vi) contact information of the most knowledgeable individual for Borrower to contact relating to the breach and its investigation into the breach.
n. To the extent Business Associate performs any activities on behalf of the County.
10. Establish Borrower in connection with one or more covered accounts (as that term is defined at 16 C.F.R. § 681.2(b)(3)), Business Associate shall conduct such activities in accordance with reasonable policies and implement administrativeprocedures designated to detect, physicalprevent, and technical safeguards that reasonably and appropriately protect mitigate the confidentiality, integrity, and availability risk of any PHI and PII the Business Associate creates, receives, maintains, or transmits on behalf of the Countyidentity theft.
11. Report to the County any Security Incident involving PHI and PII that the Business Associate discovers in the manner detailed in Section 7 below.
Appears in 1 contract
Samples: Credit and Guaranty Agreement (Addus HomeCare Corp)
