Permitted Uses and Disclosures of PHI Clause Samples

Permitted Uses and Disclosures of PHI. Business Associate may: 4.1 use and disclose PHI as necessary to provide the Services to Covered Entity. 4.2 use and disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any disclosures are Required by Law or any third party to which Business Associate discloses PHI provides written assurances that: (i) the information will be held confidentially and used or further disclosed only for the purpose for which it was disclosed to the third party or as Required by Law; and (ii) the third party promptly will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached, in accordance with 45 C.F.R. § 164.504(e)(4). 4.3 De-identify any PHI received or created by Business Associate under this BAA in accordance with the Privacy Rule. 4.4 provide Data Aggregation services relating to the Health Care Operations of the Covered Entity in accordance with the Privacy Rule. 4.5 use PHI for Research projects conducted by Business Associate, its Affiliates or third parties, in a manner permitted by the Privacy Rule, by obtaining documentation of individual authorizations, an Institutional Review Board, or a privacy board waiver that meets the requirements of 45 C.F.R. § 164.512(i)(1), and providing Covered Entity with copies of such authorizations or waivers upon request. 4.6 make PHI available for reviews preparatory to Research in accordance with the Privacy Rule at 45 C.F.R. § 164.512(i)(1)(ii). 4.7 use the PHI to create a Limited Data Set (“LDS”) and use or disclose the LDS for the health care operations of the Covered Entity or for Research or Public Health purposes as provided in the Privacy Rule.

Permitted Uses and Disclosures of PHI. 2.1 Pursuant to the Agreement, Business Associate provides services for NYC Health + Hospitals that may involve the use, access to, or disclosure of PHI or ePHI. 2.2 Except as otherwise specified in this BAA and pursuant to 42 U.S.C. § 17934, Business Associate may make any and all uses and disclosures of PHI necessary to perform its obligations under the Agreement, provided that such uses or disclosures do not violate the HIPAA Regulations if made by NYC Health + Hospitals. Unless otherwise limited herein or under applicable law, Business Associate may use PHI for the following purposes: 2.2.1 Business Associate may use or disclose PHI for proper management and administration of Business Associate as set forth in 45 C.F.R. § 164.504(e)(4). 2.2.2 Subject to section 2.2.4 below, Business Associate may disclose PHI in its possession to third parties for the purpose of performing its duties under the Agreement and/or this BAA. The third parties shall provide written assurances to Business Associate of their confidential handling of such PHI, which shall include adherence to the same restrictions and conditions on use and disclosure as set forth herein. 2.2.3 Business Associate may use or disclose PHI to meet any responsibilities required under (i) 45 C.F.R. § 164.103, or (ii) 45 C.F.R. § 164.504(e)(4). To the extent permitted by applicable law, prior to disclosing PHI as set forth herein, Business Associate shall notify NYC Health + Hospitals in writing and provide reasonable time for NYC Health + Hospitals to oppose such disclosure. If NYC Health + Hospitals does not respond to Business Associate regarding such opposition prior to the date on which such disclosure must be timely made, Business Associate may, in its own discretion, disclose PHI as required by applicable law. 2.2.4 Business Associate may aggregate the PHI in its possession with the PHI of other covered entities and provide NYC Health + Hospitals with data analyses relating to NYC Health + Hospitals’ health care operations in accordance with 45 C.F.R. § 164.504 (e)(2)(i)(B). Business Associate shall not disclose PHI to any other party pursuant to this section 2.2.4 without the express written authorization of NYC Health + Hospitals. 2.2.5 Business Associate may de-identify PHI and utilize de-identified PHI for purposes other than research, provided that Business Associate (i) de-identifies the PHI pursuant to the HIPAA requirements set forth in 45 C.F.R. § 164.514(b) and (ii) provides NYC Healt...

Permitted Uses and Disclosures of PHI. 2.1 Unless otherwise limited herein, Business Associate may: (a) use or disclose PHI to perform functions, activities or Services for, or on behalf of, Covered Entity as requested by Covered Entity from time to time, provided that such use or disclosure would not violate the Privacy or Security Rules or the standards for Business Associate Agreements set forth in 45 C.F.R. § 164.504(e), exceed the minimum necessary to accomplish the intended purpose of such use or disclosure, violate the additional requirements of HITECH contained in Public Law 111-005 that relate to privacy and security, or violate the CMIA; (b) disclose PHI for the purposes authorized by this Agreement only: (i) to its employees, subcontractors and agents; (ii) as directed by this Agreement; or (iii) as otherwise permitted by the terms of this Agreement; (c) use PHI in its possession to provide Data Aggregation Services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B); (d) use PHI in its possession for proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate as permitted by 45 C.F.R. § 164.504(e)(4)(i); (e) disclose the PHI in its possession to third parties for the proper management and administration of Business Associate to the extent and in the manner permitted under 45 C.F.R. § 164.504(e)(4)(ii); provided that disclosures are Required by Law , or Business Associate obtains reasonable assurances from the persons to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; (f) use PHI to report violations of law to appropriate Federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1); (g) de-identify any PHI obtained by Business Associate under this Agreement for further use or disclosure only to the extent such de-identification is pursuant to this Agreement, and use such de-identified data in accordance with 45 C.F.R. § 164.502(d)(1).

Permitted Uses and Disclosures of PHI. BUSINESS ASSOCIATE may use, access, and/or disclose PHI received by BUSINESS ASSOCIATE solely for the purpose of performing a function or activity for or on behalf of the University. To the extent the BUSINESS ASSOCIATE carries out one or more of UNIVERSITY’s obligation(s) under Subpart E of 45 CFR Part 164, BUSINESS ASSOCIATE must comply with the requirements of Subpart E that apply to the UNIVERSITY in the performance of such obligation(s).

Permitted Uses and Disclosures of PHI. The Business Associate will use and disclose PHI only for those purposes necessary to perform functions, activities, or services for, or on behalf of, the DES Covered Component as specified in the underlying Contract, this BAA , or as Required By Law. Any use or disclosure by the Business Associate shall not violate applicable Privacy Rule provisions, the terms of this BAA, or the DES Covered Component policies and procedures for using or disclosing only the Minimum Necessary PHI.

Permitted Uses and Disclosures of PHI. Except as provided in Paragraphs (b), (c), and (d), below, Business Associate may only use or disclose PHI to perform functions, activities or services for, or on behalf of Covered Entity.

Permitted Uses and Disclosures of PHI. Unless otherwise limited herein, Business Associate may: (a) Use or Disclose PHI to perform Services for, or on behalf of, Covered Entity, provided that such Use or Disclosure would not violate the Privacy or Security Rules, this BAA, or California Confidentiality Laws if done by Covered Entity; (b) Use PHI to provide Data Aggregation Services for the Health Care Operations of Covered Entity, if required by the Services Agreement and as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B); (c) Use PHI if necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate as permitted by 45 C.F.R. § 164.504(e)(4)(i); (d) Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate as DocuSign Envelope ID: F41EDEC2-77E4-43A0-8A52-37876FE6F8C2 permitted under 45 C.F.R. § 164.504(e)(4)(ii), provided that Disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and be Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and that such person will notify the Business Associate of any instances of which such person is aware that the confidentiality of the information has been breached; and (e) Use PHI to report violations of law to appropriate Federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).

Permitted Uses and Disclosures of PHI. Business Associate shall Use and Disclose PHI in the minimum amount necessary to perform the Services for or on behalf of Covered Entity, provided that such Use or Disclosure would not violate the Privacy and Security Regulations if done by Covered Entity. Further, Business Associate: 2.1.1. shall Disclose PHI to Covered Entity upon request; or 2.1.2. may Use or Disclose PHI as required by law;

Permitted Uses and Disclosures of PHI. 2.1 Except as otherwise limited in this Agreement, Business Associate may create, receive, maintain, transmit, use or disclose PHI on behalf of, or to provide services to, University to perform its obligations pursuant to the Services Agreement, provided that such action: (a) would not violate HIPAA or HITECH if undertaken by University; and (b) would not violate any policies and procedures of the University, as communicated to and made available to Business Associate by University. 2.2 Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to University as permitted by 45 CFR § 164.504 (e)(2)(i)(B). 2.3 Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. 2.4 Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).