Obligations of Agent. With regard to its access, use and/or disclosure of the PHI, Agent agrees to:

a. not use or further disclose the PHI other than as permitted or required by this B.A. Agreement or as permitted by law;

b. use appropriate safeguards to prevent use or disclosure of the PHI other than as permitted in Section 3.2(a);

c. implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of a Covered Entity; and makes its policies, procedures, and documentation, to the extent required by the Security Rule to be maintained relating to such safeguards, available to the Secretary of the Department of Health and Human Services (“HHS”) for purposes of determining the Covered Entity’s compliance with the Security Rule;

d. report to the applicable Covered Entity in writing any use or disclosure of the PHI not permitted in Section 3.2(a) of which Agent’s management becomes aware;

e. report to the applicable Covered Entity any Security Incident of which Agent management becomes aware, provided that for purposes of this B.A. Agreement, the Parties agree that any attempted or threatened incident that does not result in a security breach, including but not limited to “pings” and other request-response utilities, does not constitute a Security Incident;

f. ensure that any agents and subcontractors to which Agent provides the PHI agree to the same restrictions and conditions that apply to Agent with respect to such PHI;

g. make available the PHI necessary for a Covered Entity to respond to individuals’ requests for access to the PHI about them in the event that the PHI in Agent’s possession constitutes a Designated Record Set;

h. make available the PHI for amendment and incorporate any amendments to the PHI in accordance with the Privacy Rule in the event that the PHI in Agent’s possession constitutes a Designated Record Set;

i. if applicable, make available the information as would be required to allow a Covered Entity to respond to a request by an individual for an accounting of disclosures in accordance with the Privacy Rule;

j. make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining a Covered Entity’s compliance with the Privacy Rule; and

k. return to the applicable Covered Entity or destroy, within ninety (90) days of the termination of this B.A. Agreement, the PHI in its possession and retain no copies, if it is feasible to do so. If Agent in its discretion determines that return or destruction is infeasible, Agent shall provide to Covered Entities notification of the conditions that make the return or destruction infeasible, and Agent agrees to extend all protections contained in this B.A. Agreement to Agent’s use and/or disclosure of any retained PHI, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible for so long as Agent maintains such PHI.
Appears in 2 contracts
Sources: Credit Agreement (Addus HomeCare Corp), Credit Agreement (Addus HomeCare Corp)