Rights and Responsibilities of Business Associate. a. Business Associate shall have the right to use and disclose PHI in order to perform services for or on behalf of the Board, consistent with the terms of this Business Associate Agreement and consistent with the Privacy Rule and Security Rule.
b. In providing services, Business Associate shall use and disclose PHI only as permitted by the terms of this Business Associate Agreement or as required by law and only to the extent that such use and disclosure would not violate the Privacy Rule, Security Rule, or HITECH Act if performed by the Board. Upon the request of Board, Business Associate may use PHI to provide data aggregation services related to the healthcare operations of the Board as permitted by 45 CFR §164.504(e)(2)(i)(B).
c. Business Associate may use and disclose PHI received during the performance of the Agreement if necessary for the proper management and administration of the Agreement, provided that Business Associate may disclose PHI to third parties not employed by Business Associate only if
(i) the disclosure is required by law, or (ii) Business Associate enters into a business associate agreement with the recipient, if the recipient is a subcontractor, or obtains reasonable assurances from the recipient, if the recipient is not a subcontractor, that (A) the PHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (B) the recipient will notify Business Associate of any breach of confidentiality of PHI.
d. To the extent that Business Associate may use or disclose PHI as provided by this Business Associate Agreement and HIPAA, the HITECH Act, or State Law, Business Associate shall make reasonable efforts to limit the disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.
e. Business Associate shall utilize appropriate safeguards in accordance with HIPAA and the HITECH Act to prevent any use or disclosure of PHI not authorized by the terms of this Business Associate Agreement.
f. Business Associate shall utilize administrative, physical, and technical safeguards in accordance with HIPAA and the HITECH Act that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that Business Associate creates, receives, maintains, or transmits for or on behalf of the Board.
g. Business Associate shall report to the Board On-Site Representative and GLO Privacy Officer: (i) any Breach, use, or disclosure of PHI not permitted under the terms of this Agreement without delay and no later than twenty-four (24) hours after becoming aware of such use or disclosure; and
Appears in 1 contract
Samples: Management and Operations Agreement
Rights and Responsibilities of Business Associate. a. Business Associate shall have the right to use and disclose PHI in order to perform services for or on behalf of the Board, consistent with the terms of this Business Associate Agreement and consistent with the Privacy Rule and Security Rule.
b. In providing services, Business Associate shall use and disclose PHI only as permitted by the terms of this Business Associate Agreement or as required by law and only to the extent that such use and disclosure would not violate the Privacy Rule, Security Rule, or HITECH Act if performed by the Board. Upon the request of Board, Business Associate may use PHI to provide data aggregation services related to the healthcare operations of the Board as permitted by 45 CFR §§ 164.504(e)(2)(i)(B).
c. Business Associate may use and disclose PHI received during the performance of the Agreement if necessary for the proper management and administration of the Agreement, provided that Business Associate may disclose PHI to third parties not employed by Business Associate only if
(i) the disclosure is required by law, or (ii) Business Associate enters into a business associate agreement with the recipient, if the recipient is a subcontractor, or obtains reasonable assurances from the recipient, if the recipient is not a subcontractor, that (A) the PHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (B) the recipient will notify Business Associate of any breach of confidentiality of PHI.
d. To the extent that Business Associate may use or disclose PHI as provided by this Business Associate Agreement and HIPAA, the HITECH Act, or State Law, Business Associate shall make reasonable efforts to limit the disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.
e. Business Associate shall utilize appropriate safeguards in accordance with HIPAA and the HITECH Act to prevent any use or disclosure of PHI not authorized by the terms of this Business Associate Agreement.
f. Business Associate shall utilize administrative, physical, and technical safeguards in accordance with HIPAA and the HITECH Act that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that Business Associate creates, receives, maintains, or transmits for or on behalf of the Board.
g. Business Associate shall report to the Board On-Site Representative and GLO Privacy Officer: (i) any Breach, use, or disclosure of PHI not permitted under the terms of this Agreement without delay and no later than twenty-four (24) hours after becoming aware of such use or disclosure; and
Appears in 1 contract
Samples: Management and Operations Agreement
Rights and Responsibilities of Business Associate. a. Business Associate shall have the right to use and disclose PHI in order to perform services for or on behalf of the Board, consistent with the terms of this Business Associate Agreement and consistent with the Privacy Rule and Security Rule.
b. In providing services, Business Associate shall use and disclose PHI only as permitted by the terms of this Business Associate Agreement or as required by law and only to the extent that such use and disclosure would not violate the Privacy Rule, Security Rule, or HITECH Act if performed by the Board. Upon the request of Board, Business Associate may use PHI to provide data aggregation services related to the healthcare operations of the Board as permitted by 45 CFR §§ 164.504(e)(2)(i)(B).
c. Business Associate may use and disclose PHI received during the performance of the Agreement if necessary for the proper management and administration of the Agreement, provided that Business Associate may disclose PHI to third parties not employed by Business Associate only if
(i) the disclosure is required by law, or (ii) Business Associate enters into a business associate agreement with the recipient, if the recipient is a subcontractor, or obtains reasonable assurances from the recipient, if the recipient is not a subcontractor, that (A) the PHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (B) the recipient will notify Business Associate of any breach of confidentiality of PHI.
d. To the extent that Business Associate may use or disclose PHI as provided by this Business Associate Agreement and HIPAA, the HITECH Act, or State Law, Business Associate shall make reasonable efforts to limit the disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.
e. Business Associate shall utilize appropriate safeguards in accordance with HIPAA and the HITECH Act to prevent any use or disclosure of PHI not authorized by the terms of this Business Associate Agreement.
f. Business Associate shall utilize administrative, physical, and technical safeguards in accordance with HIPAA and the HITECH Act that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that Business Associate creates, receives, maintains, or transmits for or on behalf of the Board.
g. Business Associate shall report to the Board On-Site Representative and GLO Privacy Officer:
(i) any Breach, use, or disclosure of PHI not permitted under the terms of this Agreement without delay and no later than twenty-four (24) hours after becoming aware of such use or disclosure; and (ii) any unauthorized access, use, disclosure, modification, or destruction of Electronic PHI or interference with systems operations in an information system containing Electronic PHI without delay and no later than twenty-four (24) hours after becoming aware of such incident. In the event that Business Associate becomes aware of any violation of any HIPAA provision and fails to notify the Board and take corrective action, the Board may immediately terminate the Agreement without prior notice to Business Associate.
h. With respect to any improper uses and disclosures of PHI reported to the Board under Section 2 (g) above that constituted, in Business Associate’s determination, a Breach of Unsecured PHI, Business Associate shall also, within six (6) business days of discovering such incident, report to the GLO’s Privacy Officer the following: (i) a brief description of the incident, including the date of the incident, the date of the discovery of the incident, and identification of each patient whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, improperly accessed, acquired, used, or disclosed, (ii) a description of the types of Unsecured PHI involved in the incident, (iii) any steps the patient should take to protect himself or herself from harm resulting from the incident, (iv) a brief description of what Business Associate is doing to investigate the incident, mitigate the harm to the patient, and protect against future occurrences; and (v) any other relevant information. Business Associate and the Board shall cooperate with respect to providing any notification of the Breach to the patient as required by the HITECH Act.
i. Business Associate shall enter into business associate agreements, pursuant to the “business associate” provisions of the Privacy Rule found in 45 CFR § 160 and §164 Subparts A and E, with agents and subcontractors to ensure that any agent or subcontractor to whom Business Associate furnishes PHI agrees to the same restrictions and conditions that apply under this Business Associate Agreement to Business Associate with respect to PHI.
j. Business Associate shall take appropriate actions necessary to mitigate any harmful effects known to Business Associate to result from an unauthorized use or disclosure of PHI by Business Associate.
k. Within twenty-four (24) hours of receiving an individual’s request for access, Business Associate shall allow a person who is the subject of the PHI, his/her legal representative, or the Board to have access to inspect and copy PHI maintained by the Business Associate. If the Business Associate uses or maintains an electronic health record, Business Associate shall provide such PHI in electronic format, if requested. Copies, if requested, must be provided within five (5) business days.
l. To enable the Board to respond to a patient’s request to amend the patient’s PHI, Business Associate shall make the requested PHI maintained by Business Associate available to the Board within twenty (20) business days of receiving a request from the Board and Business Associate shall amend the patient’s PHI as directed by the Board.
m. Business Associate shall (i) maintain a record of its disclosures of PHI according to 45 CFR § 164.528(a)(1), including disclosures not made for the purposes of this Business Associate Agreement, and (ii) within thirty (30) business days of receiving a request for accounting of disclosures, make available to the requestor the following information concerning such disclosures made on or after the date which is six (6) years prior to the request date: the date of disclosure; the name of the recipient and, if known, the recipient’s address; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure.
n. Business Associate shall make all internal practices, books, and records relating to the use and disclosure of PHI received or created by Business Associate on behalf of the Board available to the Secretary of HHS for the purpose of determining the Board’s or Business Associate’s compliance with the Privacy Rule or the Security Rule.
o. Business Associate acknowledges that as required by the HITECH Act, Business Associate shall comply with the requirements of the Security Rule and the other applicable requirements imposed on business associates under the HITECH Act.
p. If Business Associate conducts electronically any of the administrative or financial healthcare transactions identified as standard transactions under HIPAA for or on behalf of the Board, Business Associate shall comply with all applicable requirements of the Electronic Transactions and Code Sets Standards promulgated under HIPAA when conducting such standard transactions for or on behalf of Hybrid Entity.
q. Business Associate shall, pursuant to Tex. Health and Safety Code § 181.101, train its employees within ninety (90) days of employment regarding the state and federal law concerning PHI as necessary and appropriate for the employees to carry out their duties. If the duties of an employee are affected by a material change in state or federal law concerning PHI, Business Associate shall train the employee regarding such material change within a reasonable period, but not later than one (1) year after the effective date of the material change. Business Associate shall require its employees to sign a statement verifying training and retain the statement for six (6) years.
Appears in 1 contract
Samples: Outside Counsel Services Contract
Rights and Responsibilities of Business Associate. a. Business Associate shall have the right to use and disclose PHI in order to perform services for or on behalf of the Board, consistent with the terms of this Business Associate Agreement and consistent with the Privacy Rule and Security Rule.
b. In providing services, Business Associate shall use and disclose PHI only as permitted by the terms of this Business Associate Agreement or as required by law and only to the extent that such use and disclosure would not violate the Privacy Rule, Security Rule, or HITECH Act if performed by the Board. Upon the request of Board, Business Associate may use PHI to provide data aggregation services related to the healthcare operations of the Board as permitted by 45 CFR §164.504(e)(2)(i)(B).
c. Business Associate may use and disclose PHI received during the performance of the Agreement if necessary for the proper management and administration of the Agreement, provided that Business Associate may disclose PHI to third parties not employed by Business Associate only if
(i) the disclosure is required by law, or (ii) Business Associate enters into a business associate agreement with the recipient, if the recipient is a subcontractor, or obtains reasonable assurances from the recipient, if the recipient is not a subcontractor, that (A) the PHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (B) the recipient will notify Business Associate of any breach of confidentiality of PHI.
d. To the extent that Business Associate may use or disclose PHI as provided by this Business Associate Agreement and HIPAA, the HITECH Act, or State Law, Business Associate shall make reasonable efforts to limit the disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.
e. Business Associate shall utilize appropriate safeguards in accordance with HIPAA and the HITECH Act to prevent any use or disclosure of PHI not authorized by the terms of this Business Associate Agreement.
f. Business Associate shall utilize administrative, physical, and technical safeguards in accordance with HIPAA and the HITECH Act that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that Business Associate creates, receives, maintains, or transmits for or on behalf of the Board.
g. Business Associate shall report to the Board On-Site Representative and GLO Privacy Officer: (i) any Breach, use, or disclosure of PHI not permitted under the terms of this Agreement without delay and no later than twenty-four (24) hours after becoming aware of such use or disclosure; and
Appears in 1 contract
Samples: Consulting Services Contract