Common use of Responsibilities of the Business Associate Clause in Contracts

Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: a. Not use or disclose PHI other than as permitted or required by the Underlying Arrangement or as required by law, subject to Section 3(c) below. b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to secure and protect electronic PHI to prevent use or disclosure of PHI other than as provided for by the Agreement, and to protect the integrity and availability of PHI. c. Report, in writing, to the UCMC privacy officer within five (5) business days any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI, and any security incident of which it becomes aware, and cooperate with UCMC in any mitigation or breach reporting efforts. The notice will provide as much information as Business Associate has gathered as of that time. A subsequent notice, which Business Associate will provide no later than thirty (30) days after the first discovery of the use or disclosure, will include the identification of each individual whose PHI has been or is reasonably believed by Business Associate to have been affected by or during such use or disclosure. Business Associate will make no public disclosure of such use or disclosure without the approval of UCMC. d. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. e. Ensure that any agent or subcontractor to whom the Business Associate provides PHI, as well as Business Associate, not export PHI beyond the borders of the United States of America. f. Within five (5) business days request of UCMC, make available PHI in a designated record set, if a pp lica ble , to UCMC, as necessary to satisfy UCMC’s obligations under 45 CFR § 164.524. g. Within five (5) business days, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by UCMC pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy UCMC’s obligations under 45 CFR § 164.526. h. As applicable, maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy UCMC’s obligations under 45 CFR § 164.528. i. To the extent the Business Associate is to carry out one or more of UCMC's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to UCMC in the performance of such obligation(s). j. Upon request, make its internal practices, books, and records available to the Secretary and to UCMC for purposes of determining compliance with the HIPAA Rules. k. Comply with minimum necessary requirements under the HIPAA Rules. l. Take actions to mitigate, to the extent practical, any harmful effects that are known to it of its use or disclosure of PHI or a failure of its obligations to safeguard PHI. m. Otherwise comply with all HIPAA requirements applicable to it.

Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: a. Not use or disclose PHI other than as permitted or required by the Underlying Arrangement or as required by law, subject to Section 3(c) below. b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to secure and protect electronic PHI to prevent use or disclosure of PHI other than as provided for by the Agreement, and to protect the integrity and availability of PHI. c. Report, in writing, to the UCMC UC privacy officer within five (5) business days any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI, and any security incident of which it becomes aware, and cooperate with UCMC UC in any mitigation or breach reporting efforts. The notice will provide as much information as Business Associate has gathered as of that time. A subsequent notice, which Business Associate will provide no later than thirty (30) days after the first discovery of the use or disclosure, will include the identification of each individual whose PHI has been or is reasonably believed by Business Associate to have been affected by or during such use or disclosure. Business Associate will make no public disclosure of such use or disclosure without the approval of UCMCUC. d. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. e. Ensure that any agent or subcontractor to whom the Business Associate provides PHI, as well as Business Associate, not export PHI beyond the borders of the United States of America. f. Within five (5) business days request of UCMCUC, make available PHI in a designated record set, if a pp lica ble , to UCMCUC, as necessary to satisfy UCMCUC’s obligations under 45 CFR § 164.524. g. Within five (5) business days, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by UCMC UC pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy UCMCUC’s obligations under 45 CFR § 164.526. h. As applicable, maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy UCMCUC’s obligations under 45 CFR § 164.528. i. To the extent the Business Associate is to carry out one or more of UCMCUC's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to UCMC UC in the performance of such obligation(s). j. Upon request, make its internal practices, books, and records available to the Secretary and to UCMC UC for purposes of determining compliance with the HIPAA Rules. k. Comply with minimum necessary requirements under the HIPAA Rules. l. Take actions to mitigate, to the extent practical, any harmful effects that are known to it of its use or disclosure of PHI or a failure of its obligations to safeguard PHI. m. Otherwise comply with all HIPAA requirements applicable to it.