Responsibilities of the Business Associate. a. The Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Business Associate Agreement.
b. The Business Associate represents and warrants that to the extent that the Business Associate is provided with any Health Information, the Business Associate will:
1) not use or further disclose the information other than as specifically set forth in this Business Associate Agreement;
2) not use or further disclose the Health Information in a manner that would violate the requirements of any state or federal law including the provisions of the HIPAA Regulations;
3) use appropriate safeguards to prevent use or disclosure of the Health Information other than as provided for in this Business Associate Agreement;
4) report to GCCMHA any use or disclosure of the Health Information not provided for by this Agreement of which BA may become aware;
5) ensure that any agents, including subcontractors, to whom BA provides Health Information received from GCCMHA or Affiliated Entities agrees to the same restrictions and conditions that apply to Business Associate with respect to such Health Information;
6) make the Health Information available in accordance with the HIPAA Regulations;
7) make available Health Information for amendment and incorporate any amendments to Health Information in accordance with the HIPAA Regulations;
8) make its internal practices, books and records relating to the use and disclosure of Health Information received from GCCMHA available to the Secretary of the Center for Medicaid Services (CMS) for purposes of determining GCCMHA compliance with the HIPAA Regulations;
9) return all Health Information received from GCCMHA which Business Associate maintains in any form at the termination of this Agreement;
10) provide an accounting of disclosures to the individual upon request;
11) provide an accounting of disclosures to the GCCMHA upon request.
c. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by the Privacy Rule, Security Rule, and HITECH Act.
d. Business Associate recognizes that, as of February 18, 2010, the administrative, physical, and
e. Business Associate recognizes that, as of February 18, 2010, civil and criminal penalties for violation of the HIPAA security rule shall apply to a BA in the same manner as they apply to a Covered Entity.
f. In the event of a breach of PHI, Business Associate understands Business Associate is required by law to provide Covered Entity a report including patient name, contact information, nature/cause of the breach, PHI breached and the date or period of time during which the breach occurred. Business Associate understands that such a report must be provided to the Covered Entity immediately.
g. The Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of Protected Health Information by the Business Associate in violation of the requirements of this Agreement and this Exhibit thereto.
h. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the Privacy Rule and the HITECH Act. Business Associate agrees to provide to the Covered Entity information collected to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the Privacy Rule and the HITECH Act within 30 days.
i. The Business Associate agrees to report, in writing, to the designated Privacy Officer of the Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement immediately.
Appears in 1 contract
Samples: Business Associate Agreement
Responsibilities of the Business Associate. a. The Business Associate agrees With regard to its use appropriate safeguards to prevent use or and/or disclosure of the Protected Health Information other than as provided for by this Business Associate Agreement.
b. The Business Associate represents and warrants that to the extent that the Business Associate is provided with any Health Information, the Business Associate will:
1) not use or further hereby agrees to do the following: Use and/or disclose the Protected Health Information only as permitted or required by this Agreement or as otherwise required by law. Implement and comply with all provisions of Title 45 of the Code of Federal Regulations which are now applicable to business associates or which hereafter become applicable to business associates, including, without limitation, Sections 164.308, 164.310, 164.312, 164.316 , and 164.504(e) thereof. Implement and comply with all requirements of ARRA and the regulations thereunder that relate to privacy or security and are made applicable under ARRA to business associates and covered entities, including, without limitation: Section 13402 of ARRA regarding notification in the case of breach; provided, however, that Business Associate shall notify Covered Entity within five (5) calendar days of any event which is the subject of such notice requirement, and Business Associate shall promptly upon request reimburse Covered Entity for the cost of providing any notice to Individuals which is required to be given by Covered Entity as a result of a breach by Business Associate; Section 13405 of ARRA regarding restrictions on certain disclosures and sales of health information, accounting of certain protected health information disclosures, and access to certain information in electronic format; Section 13406 of ARRA regarding conditions on certain contacts as part of health care operations; Section 13407 of ARRA regarding temporary breach notification requirements for vendors of personal health records and other than as specifically non-HIPAA covered entities (if applicable); and, Section 13408 of ARRA regarding business associate contracts required for certain entities (if applicable). In addition to the notification requirements set forth in this herein, Business Associate Agreement;
2) not use or further disclose shall report to the Health Information in a manner that would violate the requirements of any state or federal law including the provisions designated Privacy Officer of the HIPAA Regulations;
3) Covered Entity, in writing, any use appropriate safeguards to prevent use or and/or disclosure of the PHI that is not permitted or required by this Agreement, of which Business Associate becomes aware within five (5) business days of the Business Associate’s discovery of such unauthorized use and/or disclosure. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Protected Health Information other than as provided for in this that the Business Associate Agreement;
4) report reports to GCCMHA any the Covered Entity. Use commercially reasonable efforts to maintain the security of the Protected Health Information and to prevent unauthorized use or and/or disclosure of the such PHI. Require all of its subcontractors and agents that receive or use, or have access to, Protected Health Information not provided for by under this Agreement of which BA may become aware;
5) ensure that any agentsto agree, including subcontractorsin writing, to whom BA provides Health Information received from GCCMHA or Affiliated Entities agrees adhere to the same restrictions and conditions that apply to Business Associate with respect to such Health Information;
6) make the Health Information available in accordance with the HIPAA Regulations;
7) make available Health Information for amendment and incorporate any amendments to Health Information in accordance with the HIPAA Regulations;
8) make its internal practices, books and records relating to on the use and disclosure of Health Information received from GCCMHA available to the Secretary of the Center for Medicaid Services (CMS) for purposes of determining GCCMHA compliance with the HIPAA Regulations;
9) return all Health Information received from GCCMHA which Business Associate maintains in any form at the termination of this Agreement;
10) provide an accounting of disclosures to the individual upon request;
11) provide an accounting of disclosures to the GCCMHA upon request.
c. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by the Privacy Rule, Security Rule, and HITECH Act.
d. Business Associate recognizes that, as of February 18, 2010, the administrative, physical, and
e. Business Associate recognizes that, as of February 18, 2010, civil and criminal penalties for violation of the HIPAA security rule shall apply to a BA in the same manner as they apply to a Covered Entity.
f. In the event of a breach of PHI, Business Associate understands Business Associate is required by law to provide Covered Entity a report including patient name, contact information, nature/cause of the breach, PHI breached and the date or period of time during which the breach occurred. Business Associate understands that such a report must be provided to the Covered Entity immediately.
g. The Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or and/or disclosure of Protected Health Information by that apply to the Business Associate in violation of the requirements pursuant to section 2 of this Agreement Agreement. Make available all records, books, agreements, policies and this Exhibit thereto.
h. Business Associate agrees procedures relating to document such disclosures the use and/or disclosure of Protected Health Information to the Secretary of HHS for the purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges. Upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity within 14 days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement. Within five (5) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information related as is requested by the Covered Entity to such disclosures as would be required for permit the Covered Entity to respond to a request by an Individual individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 C.F.R. § 164.528. Subject to Section 4.5 below, return to the Covered Entity or destroy, within 90 days of the termination of this Agreement, the Protected Health Information in its possession and retain no copies (which for purposes of this Agreement shall mean destroy all backup tapes). Disclose to its subcontractors, agents or other third parties, and request from the Covered Entity, only the minimum Protected Health Information necessary to perform or fulfill a specific function required or permitted hereunder. To the extent Business Associate performs any activities on behalf of Covered Entity in connection with one or more covered accounts (as defined in 16 C.F.R. § 681.2(b)(3)), Business Associate shall conduct such activities in accordance with reasonable policies and procedures designated to detect, prevent, and mitigate the Privacy Rule and the HITECH Actrisk of identity theft. 
Business Associate agrees to provide must comply with any written directive received from Covered Entity relating to the Covered Entity information collected to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the Privacy Rule use and the HITECH Act within 30 days.
i. The Business Associate agrees to report, in writing, to the designated Privacy Officer of the Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement immediatelyPHI concerning an individual.
Appears in 1 contract
Samples: Business Associate Agreement
Responsibilities of the Business Associate. a. The With regard to the use and/or disclosure of PHI by the Subcontractor, the Business Associate agrees hereby agrees: To inform the Subcontractor of any changes in the notice of privacy practices (“Notice”) that the Business Associate and/or Covered Entity provides to use appropriate safeguards individuals pursuant to prevent 45 CFR §164.520 that affect Subcontractor’s use or disclosure of PHI, and provide to the Protected Health Information other than as Subcontractor, upon request, a copy of the Notice currently in use. To inform the Subcontractor of any changes in, or revocation of, the authorization provided for by this to the Business Associate Agreement.
b. The Business Associate represents and warrants that and/or Covered Entity by individuals pursuant to 45 CFR §164.508, to the extent that relevant to the Services being provided under the Agreement. To inform the Subcontractor of any opt-outs exercised by any individual from fundraising activities of the Business Associate is and/or Covered Entity pursuant to 45 CFR §164.514(f), to the extent relevant to the Services being provided with under the Agreement. To notify the Subcontractor, in writing and in a timely manner, of any Health Information, arrangements permitted or required of the Business Associate will:
1) not and/or Covered Entity under 45 CFR § part 160 and 164 that may impact in any manner the use or further disclose the information other than as specifically set forth in this Business Associate Agreement;
2) not use or further disclose the Health Information in a manner that would violate the requirements of any state or federal law including the provisions of the HIPAA Regulations;
3) use appropriate safeguards to prevent use or and/or disclosure of PHI required by the Health Information other than Subcontractor under this HIPAA Subcontractor Agreement, including, but not limited to, agreed upon restrictions regarding the use and/or disclosure of PHI as provided for in this Business Associate Agreement;
4) report to GCCMHA any use or disclosure 45 CFR §164.522. Additional Responsibilities of the Health Information not provided for by this Agreement Subcontractor with Respect to Handling of which BA may become aware;
5) ensure that any agents, including subcontractors, to whom BA provides Health Information received from GCCMHA or Affiliated Entities agrees to Designated Record Set. To the same restrictions and conditions that apply to Business Associate with respect to such Health Information;
6) make extent the Health Information available in accordance with the HIPAA Regulations;
7) make available Health Information for amendment and incorporate any amendments to Health Information in accordance with the HIPAA Regulations;
8) make its internal practices, books and records relating to the use and disclosure of Health Information received from GCCMHA available to the Secretary of the Center for Medicaid Services (CMS) for purposes of determining GCCMHA compliance with the HIPAA Regulations;
9) return all Health Information received from GCCMHA which Business Associate maintains in any form at the termination of this Agreement;
10) provide an accounting of disclosures to the individual upon request;
11) provide an accounting of disclosures to the GCCMHA upon request.
c. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information that it Subcontractor creates, receives, maintains, or transmits PHI in a Designated Record Set on behalf of Business Associate, the covered entity as required by Subcontractor hereby agrees to do the Privacy Rulefollowing: Within fifteen (15) days of request of the Business Associate, Security Rule, and HITECH Act.
d. provide Business Associate recognizes that, as of February 18, 2010, access to the administrative, physical, and
e. PHI so that Business Associate recognizes that, as of February 18, 2010, civil and criminal penalties for violation of the HIPAA security rule shall apply to a BA in the same manner as they apply to a Covered Entity.
f. In the event of a breach of PHI, Business Associate understands Business Associate is required by law to provide Covered Entity a report including patient name, contact information, nature/cause of the breach, PHI breached and the date or period of time during which the breach occurred. Business Associate understands that such a report must be provided to the Covered Entity immediately.
g. The Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of Protected Health Information by the Business Associate in violation of the requirements of this Agreement and this Exhibit thereto.
h. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to can respond to a request for access or request for copies of PHI by an Individual for an accounting individual who is the subject of disclosures of Protected Health Information the PHI, or his/her personal representative in accordance with 45 CFR §164.524. Within thirty (30) days of request of the Privacy Rule and the HITECH Act. Business Associate, provide Business Associate agrees with access to provide PHI in the custody of Subcontractor so that Business Associate can make any amendment(s) to the Covered Entity information collected to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information PHI in accordance with the Privacy Rule and the HITECH Act within 30 days45 CFR §164.526.
i. The Business Associate agrees to report, in writing, to the designated Privacy Officer of the Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement immediately.
Appears in 1 contract
Samples: HIPAA Subcontractor Agreement
Responsibilities of the Business Associate. a. The Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Business Associate Agreement.
b. The Business Associate represents and warrants that to the extent that the Business Associate is provided with any Health Information, the Business Associate will:
1) not use or further disclose the information other than as specifically set forth in this Business Associate Agreement;
2) not use or further disclose the Health Information in a manner that would violate the requirements of any state or federal law including the provisions of the HIPAA Regulations;
3) use appropriate safeguards to prevent use or disclosure of the Health Information other than as provided for in this Business Associate Agreement;
4) report to GCCMHA any use or disclosure of the Health Information not provided for by this Agreement of which BA may become aware;
5) ensure that any agents, including subcontractors, to whom BA provides Health Information received from GCCMHA or Affiliated Entities agrees to the same restrictions and conditions that apply to Business Associate with respect to such Health Information;
6) make the Health Information available in accordance with the HIPAA Regulations;
7) make available Health Information for amendment and incorporate any amendments to Health Information in accordance with the HIPAA Regulations;
8) make its internal practices, books and records relating to the use and disclosure of Health Information received from GCCMHA available to the Secretary of the Center for Medicaid Services (CMS) for purposes of determining GCCMHA compliance with the HIPAA Regulations;
9) return all Health Information received from GCCMHA which Business Associate maintains in any form at the termination of this Agreement;
10) provide an accounting of disclosures to the individual upon request;
11) provide an accounting of disclosures to the GCCMHA upon request.
c. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by the Privacy Rule, Security Rule, and HITECH Act.
d. Business Associate recognizes that, as of February 18, 2010, the administrative, physical, and technical standards and implementation specifications of the HIPAA security rule (45 CFR sections 164.308, 164.310, 164.312, and 164.316) apply to the BA in the same manner that it applies to a Covered Entity.
e. Business Associate recognizes that, as of February 18, 2010, civil and criminal penalties for violation of the HIPAA security rule shall apply to a BA in the same manner as they apply to a Covered Entity.
f. In the event of a breach of PHI, Business Associate understands Business Associate is required by law to provide Covered Entity a report including patient name, contact information, nature/cause of the breach, PHI breached and the date or period of time during which the breach occurred. Business Associate understands that such a report must be provided to the Covered Entity immediately.
g. The Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of Protected Health Information by the Business Associate in violation of the requirements of this Agreement and this Exhibit thereto.
h. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the Privacy Rule and the HITECH Act. Business Associate agrees to provide to the Covered Entity information collected to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the Privacy Rule and the HITECH Act within 30 days.
i. The Business Associate agrees to report, in writing, to the designated Privacy Officer of the Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement immediately.
Appears in 1 contract
Samples: Business Associate Agreement