Common use of Use and Disclosure of PHI Clause in Contracts

Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI: Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract. Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this Contract. See 45 CFR 164.514 (d)(2) through (d)(5). Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose PHI as necessary to perform the services specified in this Contract or as required by law, and shall not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below. Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached. Impermissible Use or Disclosure of PHI. Business Associate shall report to DOC in writing all Uses or disclosures of PHI not provided for by this Contract within one (1) business day of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident of which it becomes aware. Upon request by DOC, Business Associate shall mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.

Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI: Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract. Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this Contract. See 45 CFR 164.514 (d)(2) through (d)(5). Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose PHI as necessary to perform the services specified in this Contract or as required by law, and shall not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below. Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached. Impermissible Use or Disclosure of PHI. Business Associate shall report to DOC DSHS in writing all Uses or disclosures of PHI not provided for by this Contract within one (1) business day of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident of which it becomes aware. Upon request by DOCDSHS, Business Associate shall mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.

Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI: Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract. Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this Contract. See 45 CFR 164.514 (d)(2) through (d)(5). Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose PHI as necessary to perform the services specified in this Contract or as required by law, and shall not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below. Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached. Impermissible Use or Disclosure of PHI. Business Associate shall report to DOC DSHS in writing all Uses or disclosures of PHI not provided for by this Contract within one (1) business day of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident security incident of which it becomes aware. Upon request by DOCDSHS, Business Associate shall mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.

Use and Disclosure of PHI. Business Associate is limited to the following Except as otherwise permitted and required uses by this Agreement or disclosures of PHI: Duty to Protect PHI. as Required by Law, Business Associate shall protect not Use or Disclose PHI fromexcept as necessary, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHIin its sole discretion, to prevent the unauthorized Use provide services to or disclosure on behalf of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract. Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this Contract. See 45 CFR 164.514 (d)(2) through (d)(5). Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose PHI as necessary to perform the services specified in this Contract or as required by lawCovered Entity, and shall not Use or disclose such Disclose PHI in any a manner that would violate Subpart E the Privacy Rule if Used or Disclosed by Covered Entity. Each such Use or Disclosure must either be Required By Law or in compliance with each applicable requirement of 45 CFR Part 164 (this Agreement, and Business Associate may not Use or Disclose PHI in a manner that would violate the Privacy of Individually Identifiable Health Information) Rule if done by Covered Entity; provided, except for the specific uses and disclosures set forth below. Use for Proper Management and Administration. however, Business Associate may Use and Disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Disclosure for Proper Management and Administration. Business Associate may disclose PHI as necessary for the proper management and administration of Business Associate Associate, or to carry out its legal responsibilities, and for the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Data Aggregation services described below. Business Associate obtains shall in such cases obtain reasonable assurances from the person or entity to whom the information PHI is disclosed that Disclosed that: (a) the information PHI will remain be held confidential and used or further disclosed Used and Disclosed only as required Required by law Law or for the purposes purpose for which it was disclosed Disclosed to the person, person or entity; and (b) the person notifies the or entity will notify Business Associate of any instances of which it is aware in which the confidentiality of the information PHI has been Breachedbreached. Impermissible Business Associate may also Disclose PHI to a Subcontractor and may allow the Subcontractor to create, receive, maintain or transmit PHI on its behalf, if Business Associate obtains a written agreement with the Subcontractor in accordance with 45 CFR 164.504(e)(1)(i) and this Agreement that the Subcontractor will appropriately safeguard the information. Except as otherwise limited in this Agreement, Business Associate may Use or Disclosure of PHIProtected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B). Business Associate shall report provide information to DOC members of its workforce Using or Disclosing PHI regarding the requirements of the Privacy Rule, the Security Rule, and this Agreement. Business Associate agrees to notify the designated Privacy Officer of Covered Entity of any instances of which it is aware in writing all Uses which the PHI is Used or disclosures of PHI Disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by this Contract the Privacy Rule or the Security Rule, or in which a Breach has occurred, within one three (13) business day days of becoming aware of the unauthorized improper Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident of which it becomes awareDisclosure or Breach. Upon request by DOC, Business Associate shall mitigatenot Use or further Disclose PHI other than as permitted or required by this Agreement or as Required By Law. The parties acknowledge that applicable law requires Business Associate to Disclose PHI when required to do so by the Secretary to investigate Business Associate’s compliance with regulations promulgated under HIPAA or the HITECH Act, or to the extent practicableCovered Entity, any harmful effect resulting from individual who is the impermissible Use subject of the PHI, or disclosurethe individual’s designee, as necessary to satisfy Covered Entity’s obligations with respect to an individual’s request for an electronic copy of PHI.

Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI: Duty to Protect PHI. Business Associate shall must protect PHI from, and shall will use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHIePHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this ContractDSA. Minimum Necessary Standard. Business Associate shall will apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this ContractDSA. See 45 CFR 164.514 (d)(2) through (d)(5). Disclosure as Part of the Provision of Services. Business Associate shall will only Use or disclose PHI as necessary to perform the services specified in this Contract DSA or as required by law, and shall will not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below. Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate Associate, subject to HCA approval, or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached. Impermissible Use or Disclosure of PHI. Business Associate shall must report to DOC the contact identified in Subsection 12.1 in writing all Uses or disclosures of PHI not provided for by this Contract DSA within one five (15) business day days of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident of which it becomes aware. Upon request by DOCHCA, Business Associate shall will mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.