Common use of Uses and Disclosures of PHI Clause in Contracts

Uses and Disclosures of PHI. Except as otherwise limited in the Agreement or this Addendum, Business Associate may, and shall ensure that its directors, officers, employees, contractors, subcontractors, vendors, and agents use or disclose PHI only as follows: (a) Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. (b) Business Associate may disclose PHI for the proper management and administration, or to carry out the legal responsibilities, of the Business Associate, provided that disclosures are required by HIPAA, or Business Associate obtains reasonable written assurances from the person or entity to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware or suspects in which the confidentiality of the PHI has been breached. In such case, Business Associate shall report such known or suspected breaches to Covered Entity as soon as possible and in accordance with timeframes set forth in this Addendum. (c) Business Associate, upon written request by Covered Entity, may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B). For purposes of this Section, Data Aggregation means, with respect to PHI, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a Business Associate of another Covered Entity to permit data analyses that relate to the health care operations of the respective Covered Entities. It is not contemplated that Business Associate will perform Data Aggregation services with PHI received from Covered Entity without express prior written permission of Covered Entity. (d) Business Associate may completely de-identify any and all PHI created or received by Business Associate under this Agreement; provided, however, that the de-identification conforms to the requirements of HIPAA and in accordance with any guidance issued by the Secretary. Such resulting de-identified information would not be subject to the terms of this Addendum. (e) Business Associate may create a Limited Data Set, as defined in HIPAA, and use such Limited Data Set pursuant to a Data Use Agreement that meets the requirements of HIPAA, provided Covered Entity agrees to such creation and use of a Limited Data Set.

Uses and Disclosures of PHI. Except as otherwise limited in the Agreement With respect to each use and disclosure of PHI Business Associate makes pursuant to this BAA, or this Addendumotherwise, Business Associate may, and shall ensure that its directors, officers, employees, contractors, subcontractors, vendors, and agents use or disclose PHI only agrees as follows: (a1) Business Associate may agrees not to use or disclose PHI for other than as permitted or required by this BAA or as Required by Law. To the proper management and administration extent that Business Associate performs any of Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Business Associate or Privacy Rule that apply to carry out Covered Entity in the legal responsibilities performance of the Business Associatesuch obligation. (b2) Business Associate may disclose PHI for the proper management and administrationagrees to mitigate, or to carry out the legal responsibilities, of the Business Associate, provided that disclosures are required by HIPAA, or Business Associate obtains reasonable written assurances from the person or entity to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entityextent practicable, and the person or entity notifies the any harmful effect that is known to Business Associate of any instances a use or disclosure of which it is aware or suspects in which the confidentiality of the PHI has been breached. In such case, Business Associate shall report such known or suspected breaches to Covered Entity as soon as possible and in accordance with timeframes set forth in this Addendum. (c) Business Associate, upon written request by Covered Entity, may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B). For purposes of this Section, Data Aggregation means, with respect to PHI, the combining of such PHI by Business Associate in violation of the requirements of this BAA. (3) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware. (4) If applicable, in accordance with 45 CFR §§ 164.504(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to enter into written XXXx with any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate, and the terms of such agreements shall incorporate substantially similar restrictions, conditions, and requirements that apply to Business Associate through this BAA. (5) At the sole cost and expense of the Covered Entity, Business Associate agrees to make available and provide Covered Entity with access to PHI received by to meet the requirements under 45 CFR § 164.524. The obligations of Business Associate in its capacity this paragraph apply only to PHI in Designated Record Sets in Business Associate’s possession or control as such term is defined at 45 CFR § 164.501. Such access shall be in a timely and reasonable manner, as agreed upon by the Parties. (6) At the sole cost and expense of the Covered Entity, Business Associate of another agrees to make any amendment(s) to PHI that Covered Entity directs or agrees to permit data analyses that relate pursuant to 45 CFR § 164.526 at the health care operations of the respective Covered Entities. It is not contemplated that Business Associate will perform Data Aggregation services with PHI received from Covered Entity without express prior written permission request of Covered Entity, in a time and manner reasonably agreed upon by the Parties. The obligations of Business Associate in this paragraph apply only to PHI in Designated Record Sets in Business Associate’s possession or control as such term is defined at 45 CFR § 164.501. (d7) Business Associate may completely de-identify agrees to make its internal practices, books, and records, including any policies and all procedures, relating to the use and disclosure of PHI received from, or created or received by Business Associate under this Agreement; providedon behalf of Covered Entity, however, that the de-identification conforms available to the requirements of HIPAA Secretary, in a time and in accordance with any guidance issued manner reasonably agreed upon or designated by the Secretary. Such resulting de-identified information would not be subject to , for purposes of the terms of this AddendumSecretary determining a Covered Entity’s compliance with the Privacy Rule. (e) 8) Business Associate may create agrees to maintain and make available, in a Limited Data Settime and manner reasonably negotiated between the Parties, the information required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI, as defined in HIPAA, and use such Limited Data Set pursuant necessary to a Data Use Agreement that meets the requirements of HIPAA, provided satisfy Covered Entity agrees to such creation and use of a Limited Data SetEntity’s obligations under 45 CFR § 164.528.

Uses and Disclosures of PHI. Except as otherwise limited in the Agreement or this Addendum, Business Associate mayshall not, and shall ensure that its directors, officers, employees, contractors, subcontractors, vendors, and agents do not, use or disclose PHI only other than as follows: (a) : o Business Associate may use Covered Entity’s PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. (b) . o Business Associate may disclose Covered Entity’s PHI for the proper management and administration, or to carry out the legal responsibilities, of the Business Associate, provided that disclosures are required by HIPAA, or Business Associate obtains reasonable written assurances from the person or entity to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware or suspects in which the confidentiality of the PHI has been breached. In such case, Business Associate shall report such known or suspected breaches to Covered Entity as soon as possible and in accordance with timeframes set forth in this Addendum. (c) Agreement. o Business Associate, upon written request by Covered Entity, may use Covered Entity’s PHI to provide Data Aggregation services to Covered Entity as permitted by 45 42 CFR 164.504(e)(2)(i)(B). For purposes of this Section, Data Aggregation means, with respect to Covered Entity’s PHI, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a Business Associate of another Covered Entity to permit data analyses that relate to the health care operations of the respective Covered Entities. It is not contemplated that Business Associate will perform Data Aggregation services with PHI received from Covered Entity without express prior written permission of Covered Entity. (d) o Business Associate may completely de-identify any and all PHI created or received by Business Associate under this Agreement; provided, however, that the de-de- identification conforms to the requirements of HIPAA and in accordance with any guidance issued by the Secretary. Such resulting de-identified information would not be subject to the terms of this Addendum. (e) Agreement. o Business Associate may create a Limited Data Set, as defined in HIPAA, and use such Limited Data Set pursuant to a Data Use Agreement that meets the requirements of HIPAA, provided Covered Entity agrees to such creation and use of a Limited Data Set.