Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI:
a. Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract.
Use and Disclosure of PHI. Except as otherwise permitted by this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). Business Associate shall in such cases:
2.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement;
2.1.2 obtain reasonable assurances, in writing from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held in confidence and further used and disclosed only as required by law or for the purpose for which it was disclosed to the person or entity; and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached; and
2.1.3 agree to notify the Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules or HITECH Act.
Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or applicable law, Business Associate shall not use or disclose PHI except as necessary to provide Services described above to or on behalf of Covered Entity, and shall not use or disclose PHI that would violate the HIPAA Rules if used or disclosed by Covered Entity. Also, knowing that there are certain restrictions on disclosure of PHI. Provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities. Business Associate shall in such cases:
(a) provide information and training to members of its workforce using or disclosing PHI regarding the confidentiality requirements of the HIPAA Rules and this Agreement;
(b) obtain reasonable assurances from the person or entity to whom the PHI is disclosed that: (a) the PHI will be held confidential and further used and disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity; and (b) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached; and
(c) agree to notify the designated Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules.
Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI:
Use and Disclosure of PHI. VRC shall use and disclose PHI to the minimal amount necessary (i) for purposes of performing under the Agreement; (ii) as permitted or required by this Agreement; or (iii) as Required by Law.
Use and Disclosure of PHI. Business Associate agrees not to use or disclose PHI other than as permitted or required by this BA Agreement or as Required by Law. Business Associate may:
(a) use or disclose PHI to perform the Services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by Covered Entity;
(b) use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate and disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
(c) use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B); and
(d) use PHI to report violations of law or certain other conduct to appropriate federal and state authorities or other designated officials in a manner consistent with 45 CFR § 164.502(j)(1).
Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or applicable law, Business Associate shall not use, maintain, transmit or disclose PHI except as necessary to provide services to or on behalf of Covered Entity and except as required by Law. Provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities. Business Associate shall in such cases:
3.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in HIPAA and this Agreement;
3.1.2 obtain reasonable assurances from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held confidential and further used and disclosed only as required by Law or for the purpose for which it was disclosed to the person or entity; and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached;
3.1.3 agree to notify the Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by HIPAA.
Use and Disclosure of PHI. Subcontractor may use and disclose PHI as permitted or required under this Agreement or as Required by Law, but shall not otherwise use or disclose any PHI. Subcontractor shall not use or disclose PHI in any manner that would constitute a violation of HIPAA if so used or disclosed by the Service Company or the Covered Entities (except as set forth in Sections 2.1(a), (b) and (c) of this Agreement). To the extent Subcontractor carries out any of Business Associate’s or the Covered Entities’ obligations under the HIPAA privacy standards, Subcontractor shall comply with the requirements of the HIPAA privacy standards that apply to the Service Company or the Covered Entities (as applicable) in the performance of such obligations. Without limiting the generality of the foregoing, Subcontractor is permitted to use or disclose PHI as set forth below:
(a) Subcontractor may use PHI internally for Subcontractor’s proper management and administrative services or to carry out its legal responsibilities;
(b) Subcontractor may disclose PHI to a third party for the Subcontractor’s proper management and administration, provided that the disclosure is Required by Law or Subcontractor obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which it was disclosed to the third party and (3) notify the Service Company of any instances of which the third party is aware in which the confidentiality of the PHI has been breached;
(c) Subcontractor may use PHI to provide Data Aggregation services relating to the Health Care Operations of the Service Company or the Covered Entities if required or permitted under this Agreement;
(d) Subcontractor may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Subcontractor may disclose de-identified health information for any purpose permitted by law; and
(e) Subcontractor may use PHI about an Individual to request the Individual’s authorization to use or disclose PHI.
Use and Disclosure of PHI a. PHI, in electronic form or otherwise, may be used or disclosed only when required by law or as necessary to enable Agent to satisfy the obligations and to perform the functions, activities, services and operations to which Agent is contractually obligated by Company. Agent shall not and shall ensure that its directors, officers, employees, contractors and agents do not use PHI received from the Company in any manner that would constitute a violation of applicable law.
b. Agent shall not and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from the Company in any manner that would constitute a violation of applicable law if used or disclosed by the Company. Agent may disclose PHI (a) as permitted and pursuant to the requirements of this Addendum or (b) as required by law.
c. To the extent Agent discloses PHI to a third party, Agent must obtain, prior to making any such disclosure:
1. Reasonable assurances evidenced by written contract from such third party that PHI will be held confidential and safeguarded consistent with the terms of this Addendum, and only used or further disclosed for the purpose for which Agent disclosed it to the third party or as required by law; and
2. An agreement from such third party to immediately notify Agent (who will in turn notify the Company in accordance with Section 4 of this Addendum A) of any:
i. Unauthorized access, use or disclosure of PHI;
ii. Security Incident as defined in 45 C.F.R. §164.304 and further explained in Section 4(b) of this Addendum; and
iii. Breaches of the confidentiality of the PHI, as “Breach” is defined by 45 C.F.R. §164.402, to the extent such third party has discovered such unauthorized access, use or disclosure of PHI, Security Incident or Breach.
d. Agent shall utilize a Limited Data Set, if practicable, for all uses, disclosures or requests of PHI. Otherwise, any uses or disclosures of PHI shall be limited to the “Minimum Necessary,” as defined in 45 C.F.R. §514(d) and any further guidance that may be issued by the Department of Health and Human Services. Agent acknowledges its obligation under 45 C.F.R. §164.502(b) to determine what constitutes the minimum necessary to accomplish the intended purposes of any disclosure of PHI.
e. To the extent that Agent fulfills Company’s obligations under Subpart E of 45 C.F.R. Part 164, Agent will comply with the requirements of this Subpart as such obligations apply to Company.
Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or applicable law, Business Associate shall not use, disclose or make amendment to PHI except as necessary to provide its services to Covered Entity as set forth in the an agreement for services between the Parties or as expressly authorized herein, and shall not use or disclose PHI that would violate the Privacy Rule if used or disclosed by Covered Entity.
