Common use of Covered Entity’s Obligations Clause in Contracts

Covered Entity’s Obligations. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices issued in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. If Business Associate promptly notifies Covered Entity that it cannot comply with the proposed limitation, both parties agree to make good faith efforts to reach a mutually agreeable resolution. Covered Entity shall notify Business Associate of any known changes in, or revocation of, permission by enrollees or their personal representatives to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of enrollees’ PHI that it has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. If Business Associate promptly notifies Covered Entity that it cannot comply with the proposed restriction, both parties agree to make good faith efforts to reach a mutually agreeable resolution. Covered Entity shall immediately notify Business Associate of any changes to its Business Associates to whom Business Associate has been directed to release PHI pursuant to the Contract. Covered Entity will enter into agreements in accordance with 45 CFR § 164.504(e) with such business associates to whom Business Associate is directed to release PHI. Covered Entity and its business associates whom Covered Entity directs to release PHI to Business Associate, shall provide to Business Associate or otherwise confirm receipt of enrollees’ valid authorization as required by Law, in order to receive PHI from business associates. 
Covered Entity shall request Business Associate use or disclose PHI in a manner that is permissible under the Privacy Rule if done by Covered Entity, except for uses and disclosures of PHI for data aggregation or management and administrative activities of Business Associate.

Breach Notification. Within one (1) business day of discovery, Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware. Within one (1) business day, Business Associate shall notify Covered Entity by telephone and in writing of any acquisition, access, use, or disclosure of PHI and/or electronic PHI not allowed by this Agreement of which it becomes aware, and of any instance where the PHI is subpoenaed, copied or removed by anyone except an authorized representative of Covered Entity or the Business Associate. Within one (1) business day, Business Associate shall notify Covered Entity by telephone or e-mail of any potential breach of security or privacy. Business Associate shall follow telephone or e-mail notification with a faxed or other written explanation of the breach, to include the following: date and time of the breach, medium that contained the PHI, origination and Covered Entity destination of PHI, Business Associate unit and personnel associated with the breach, detailed Covered Entity description of PHI, anticipated mitigation steps, and the name, address, telephone number, fax number, and e-mail of the Individual who is responsible for the mitigation.
Business Associate will address breach notification communications to Covered Entity at the following: Washington State Department of Enterprise Services Attention: EAP Contract Manager ▇▇ ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇-▇▇▇▇ Telephone: ▇▇▇-▇▇▇-▇▇▇▇ Fax: ▇▇▇-▇▇▇-▇▇▇▇ Email: ▇▇▇-▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇▇

In the event of a breach of PHI or disclosure which compromises the privacy or integrity of PHI obtained from Covered Entity, Business Associate shall take all measures required by state and federal law. Business Associate shall provide Enterprise Services with a copy of its investigation results and other information requested by Covered Entity. Business Associate will report all PHI breaches to the U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) as required by 45 CFR Parts 160 and 164, and also shall provide notification to Covered Entity that a report has been filed with OCR.

If Covered Entity determines that Business Associate is responsible for a breach of unsecured PHI: Covered Entity may choose to make any notifications to the Individuals under 45 CFR § 164.404, to the media under 45 CFR § 164.406, and to the Secretary of the U.S. Department of Health and Human Services under 45 CFR § 164.408, or direct Business Associate to make them or any of them. Business Associate will be responsible for all reasonable costs of all notifications under Section 3.2.3.1, and any other action Covered Entity reasonably considers appropriate to protect Individuals, including credit monitoring for affected Individuals. Business Associate shall compensate affected Individuals for ▇▇▇▇▇ caused to them by the breach or possible breach described above, and indemnify Covered Entity for any damages or fines assessed against Covered Entity by a court of competent jurisdiction or other governmental entity.

Appears in 1 contract

Sources: Contract

Covered Entity’s Obligations. a. Covered Entity shall will notify Business Associate in writing in advance of any limitation(s) in its notice of privacy practices issued in accordance with 45 CFR § 164.520, 164.520 “Notice of privacy practices for protected health information” to the extent that such limitation the limitation(s) may affect Business Associate’s use or disclosure of PHI. If Business Associate promptly notifies Protected Health Information. b. Covered Entity that it cannot comply with the proposed limitation, both parties agree to make good faith efforts to reach a mutually agreeable resolution. Covered Entity shall will notify Business Associate in writing and in advance of any known changes in, or revocation of, permission any prior consent or authorization provided to Covered Entity by enrollees or their personal representatives an Individual to use or disclose PHI, Protected Health Information to the extent that such these changes may affect Business Associate’s use or disclosure of PHIProtected Health Information. Business Associate shall not be required to implement any such change or revocation until a reasonable period after its receipt of notice of the same. c. Covered Entity shall will notify Business Associate in advance of any proposed restriction to on the use or disclosure of enrollees’ PHI that it has agreed Protected Health Information to which Covered Entity may agree in accordance with 45 CFR § 164.522, 164.522 “Rights to request privacy protection for protected health information” to the extent that such the restriction may affect Business Associate’s use or disclosure of PHIProtected Health Information. If Neither Covered Entity nor Business Associate promptly notifies Covered Entity that it cannot comply with shall be required to agree to the proposed restriction, both parties agree to make good faith efforts to reach a mutually agreeable resolution. 
Covered Entity shall immediately notify provided that Business Associate will accommodate Covered Entity’s or an Individual’s reasonable request to receive communications of any changes to its Business Associates to whom Protected Health Information from Business Associate has been directed to release PHI pursuant to by alternative means or at alternative locations if the Contract. Individual clearly states in writing that the disclosure of all or part of that information could endanger the Individual. d. Covered Entity will enter into agreements in accordance with 45 CFR § 164.504(e) with such business associates to whom Business Associate is directed to release PHI. Covered Entity and its business associates whom Covered Entity directs to release PHI to Business Associate, shall provide to Business Associate or otherwise confirm receipt of enrollees’ valid authorization as required by Law, in order to receive PHI from business associates. Covered Entity shall not request that Business Associate use or disclose PHI Protected Health Information in a any manner that is would not be permissible under the Privacy Rule if done by Covered Entity, except for uses and disclosures of PHI to the extent that Business Associate may use or disclose Protected Health Information for data aggregation or Business Associate’s management and administrative activities of Business Associate. Breach Notification. Within one (1) business day of discovery, Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware. 
Within one (1) business day, Business Associate shall notify Covered Entity by telephone and in writing of any acquisition, access, use, or disclosure of PHI and/or electronic PHI not allowed by this Agreement of which it becomes aware, and of any instance where the PHI is subpoenaed, copied or removed by anyone except an authorized representative of Covered Entity or the Business Associate. Within one (1) business day, Business Associate shall notify Covered Entity by telephone or e-mail of any potential breach of security or privacy. Business Associate shall follow telephone or e-mail notification with a faxed or other written explanation of the breach, to include the following: date and time of the breach, medium that contained the PHI, origination and Covered Entity destination of PHI, Business Associate unit and personnel associated with the breach, detailed Covered Entity description of PHI, anticipated mitigation steps, and the name, address, telephone number, fax number, and e-mail of the Individual who is responsible for the mitigation. Business Associate will address breach notification communications to Covered Entity at the following: Washington State Department of Enterprise Services Attention: EAP Contract Manager ▇▇ ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇-▇▇▇▇ Telephone: ▇▇▇-▇▇▇-▇▇▇▇ Fax: ▇▇▇-▇▇▇-▇▇▇▇ Email: ▇▇▇-▇▇▇▇▇▇▇▇▇@▇▇▇administration.▇▇.▇▇▇ In the event of a breach of PHI or disclosure which compromises the privacy or integrity of PHI obtained from Covered Entity, Business Associate shall take all measures required by state and federal law. Business Associate shall provide Enterprise Services with a copy of its investigation results and other information requested by Covered Entity. Business Associate will report all PHI breaches to the U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) as required by 45 CFR Parts 160 and 164, and also shall provide notification to Covered Entity that a report has been filed with OCR. 
If Covered Entity determines that Business Associate is responsible for a breach of unsecured PHI: Covered Entity may choose to make any notifications to the Individuals under 45 CFR § 164.404, to the media under 45 CFR § 164.406, and to the Secretary of the U.S. Department of Health and Human Services under 45 CFR § 164.408, or direct Business Associate to make them or any of them. Business Associate will be responsible for all reasonable costs of all notifications under Section 3.2.3.1, and any other action Covered Entity reasonably considers appropriate to protect Individuals, including credit monitoring for affected Individuals. Business Associate shall compensate affected Individuals for ▇▇▇▇▇ caused to them by the breach or possible breach described above, and indemnify Covered Entity for any damages or fines assessed against Covered Entity by a court of competent jurisdiction or other governmental entity.

Appears in 1 contract

Sources: Administrative Services Agreement for HIPAA Privacy/Security Rules