Common use of Permitted Uses and Disclosures of Phi by Business Associate Clause in Contracts

Permitted Uses and Disclosures of Phi by Business Associate. A. Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Underlying Agreement or as required by law. B. Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s policies and procedures regarding minimum necessary use of PHI. C. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity. D. Business Associate may, if directed to do so in writing by Covered Entity, create a limited data set as defined at 45 C.F.R. § 164.514(e)(2), for use in public health, research, or health care operations. Any such limited data sets shall omit any of the identifying information listed in 45 C.F.R. § 164.514(e)(2). Business Associate will enter into a valid, HIPAA-compliant Data Use Agreement as described in 45 C.F.R. § 164.514(e)(4), with the limited data set recipient. Business Associate will report any material breach or violation of the data use agreement to Covered Entity immediately after it becomes aware of any such material breach or violation. E. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration or legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. F. The Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an individual pursuant to §§ 13405(d)(1) and (2) of the HITECH Act. This prohibition does not apply to the State’s payment of Business Associate for its performance pursuant to the Underlying Agreement. G. The Business Associate shall comply with the limitations on marketing and fundraising communications provided in § 13406 of the HITECH Act in connection with any PHI of individuals.

Permitted Uses and Disclosures of Phi by Business Associate. A. Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Underlying Agreement or as required by law. B. Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s policies and procedures regarding minimum necessary use of PHI. C. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity. D. Business Associate may, if directed to do so in writing by Covered Entity, create a limited data set set, as defined at 45 C.F.R. § CFR 164.514(e)(2)) , for use in public health, research, or health care operations. Any such limited data sets shall omit any of the identifying information listed in 45 C.F.R. CFR § 164.514(e)(2). Business Associate will enter into a valid, HIPAA-compliant Data Use Agreement Agreement, as described in 45 C.F.R. CFR § 164.514(e)(4), with the limited data set recipient. Business Associate will report any material breach or violation of the data use agreement to Covered Entity immediately after it becomes aware of any such material breach or violation. E. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration administration, or legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. F. The Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an individual Individual pursuant to §§ §13405(d)(1) and (2) of the HITECH Act. This prohibition does not apply to the State’s payment of Business Associate for its performance pursuant to the Underlying Agreement. G. The Business Associate shall comply with the limitations on marketing and fundraising communications provided in § §13406 of the HITECH Act in connection with any PHI of individualsIndividuals.

Permitted Uses and Disclosures of Phi by Business Associate. A. Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Underlying Agreement or as required by law. B. Business Associate agrees to make uses and disclosures uses, disclosures, and requests for PHI consistent with Covered Entity’s policies and procedures regarding minimum necessary use of PHI. C. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity. D. Business Associate may, if directed to do so in writing by Covered Entity, create a limited data set set, as defined at 45 C.F.R. § CFR 164.514(e)(2), for use in public health, research, or health care operations. Any such limited data sets shall omit any of the identifying information listed in 45 C.F.R. CFR § 164.514(e)(2). Business Associate will enter into a valid, HIPAA-compliant Data Use Agreement Agreement, as described in 45 C.F.R. CFR § 164.514(e)(4), with the limited data set recipient. Business Associate will report any material breach or violation of the data use agreement to Covered Entity immediately after it becomes aware of any such material breach or violation. E. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration administration, or legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. F. The Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an individual Individual pursuant to §§ §13405(d)(1) and (2) of the HITECH Act. This prohibition does not apply to the State’s payment of Business Associate for its performance pursuant to the Underlying Agreement. G. The Business Associate shall comply with the limitations on marketing and fundraising communications provided in § §13406 of the HITECH Act in connection with any PHI of individualsIndividuals.

Permitted Uses and Disclosures of Phi by Business Associate. A. Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Underlying Agreement or as required by law. B. Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s policies and procedures regarding minimum necessary use of PHI. C. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity. D. Business Associate may, if directed to do so in writing by Covered Entity, create a limited data set as defined at 45 C.F.R. § 164.514(e)(2), for use in public health, research, or health care operations. Any such limited data sets shall omit any of the identifying information listed in 45 C.F.R. § 164.514(e)(2). Business Associate will enter into a valid, HIPAA-compliant Data Use Agreement as described in 45 C.F.R. § 164.514(e)(4), with the limited data set recipient. Business Associate will report any material breach or violation of the data use agreement to Covered Entity immediately after it becomes aware of any such material breach or violation. E. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration or legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. F. The Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an individual pursuant to §§ 13405(d)(1) and (2) of the HITECH Act. This prohibition does not apply to the State’s payment of Business Associate for its performance pursuant to the Underlying Agreement. G. The Business Associate shall comply with the limitations on marketing and fundraising communications provided in § 13406 of the HITECH Act in connection with any PHI of individuals.

Permitted Uses and Disclosures of Phi by Business Associate. A. (a) Business Associate may only use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity, including as necessary to perform the services set forth in the Underlying Agreement or as required by lawAgreement. B. Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s policies and procedures regarding minimum necessary use of PHI. C. (b) Business Associate may use or disclose PHI as Required by ▇▇▇. (c) Business Associate must not use or disclose PHI in a manner that would violate Subpart E of is prohibited under the Privacy Rule, 45 C.F.R. Part 164 § 164.502(a)(5), or would otherwise violate the Privacy Rule if done by Covered Entity. D. Business Associate may, if directed to do so in writing by Covered Entity, create a limited data set as defined at 45 C.F.R. § 164.514(e)(2), except for use in public health, research, or health care operations. Any such limited data sets shall omit any of the identifying information listed in 45 C.F.R. § 164.514(e)(2). Business Associate will enter into a valid, HIPAA-compliant Data Use Agreement as described in 45 C.F.R. § 164.514(e)(4), with the limited data set recipient. Business Associate will report any material breach or violation of the data use agreement to Covered Entity immediately after it becomes aware of any such material breach or violation. E. Except as otherwise limited specific uses and disclosures permitted in this Agreement, . (d) Business Associate may use PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate. (e) Business Associate may disclose PHI for the proper management and administration or of Business Associate and to carry out the legal responsibilities of the Business Associate, provided that disclosures are Associate if: (i) Such disclosure is Required By by Law, or or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it such information will remain confidential and used or further disclosed only as Required By by Law or for the purpose purposes for which it was disclosed to the person, and the person notifies the agrees to notify Business Associate of any instances of which it is aware in which that the confidentiality of the information has been breachedBreached. F. The (f) Business Associate shall not directly limit its uses and disclosures of, and requests for, PHI, to the minimum amount of PHI necessary to accomplish the intended purpose of such use, disclosure or indirectly receive remuneration request subject to the exceptions set forth in exchange for any the Privacy Rule. (g) Business Associate may de-identify PHI of an individual pursuant to §in accordance with 45 C.F.R. § 13405(d)(1164.514(a)-(c) (“De-Identified Information”) and may use and disclose such De-Identified Information for lawful purposes provided that the De-Identified Information cannot be reasonably linked to Covered Entity or any Individual. (2h) of the HITECH Act. This prohibition does not apply Business Associate may use PHI to provide Data Aggregation services related to the State’s payment health care operations of Business Associate for its performance pursuant to the Underlying AgreementCovered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). G. The (i) Business Associate shall comply with any requests for restrictions on certain uses and disclosures of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522 and of which Business Associate has been notified by Covered Entity. (j) In the limitations on marketing event Business Associate receives a request for the use or disclosure of PHI that is potentially related to Reproductive Health Care, as defined by 45 C.F.R. § 160.103 (“RHI”) and fundraising communications provided that may be prohibited under 45 C.F.R. § 165.502(a)(5)(iii), Business Associate shall (i) notify Covered Entity of such request; and (ii) only use or disclose the RHI to the requester if (1) Business Associate has reasonably determined that such use or disclosure is not prohibited under 45 C.F.R § 165.502(a)(5)(iii), and (2) where required, Business Associate has received a signed attestation in the form required by 45 C.F.R. § 13406 164.509 from the requestor that the use or disclosure of the HITECH Act in connection with any PHI of individualsRHI is not for a purpose prohibited by 45 C.F.R. § 164.502(a)(5)(iii).

Permitted Uses and Disclosures of Phi by Business Associate. A. (a) Business Associate may only use or disclose PHI only as necessary to perform provide the products or services set forth in under the Underlying Agreement Service Agreement, as permitted under this Agreement, or as required Required by lawLaw. B. (b) Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s policies and procedures regarding minimum necessary use of PHI. C. Business Associate may must not use or disclose PHI in a manner that would violate Subpart E of is prohibited under the Privacy Rule, 45 C.F.R. Part 164 § 164.502(a)(5), or would otherwise violate the Privacy Rule if done by Covered Entity▇▇▇▇▇▇▇▇▇. D. (c) Business Associate maymust not sell, if directed to do so in writing by Covered Entitysub-license or receive any remuneration from a third party for PHI and must not use or disclose PHI for any marketing activities, create a limited data set as defined at 45 C.F.R. § 164.514(e)(2), for use in public health, research, or health care operationswithout ▇▇▇▇▇▇▇▇▇’▇ prior written consent. Any such limited data sets shall omit any of permitted use must be in accordance with the identifying information listed in 45 C.F.R. § 164.514(e)(2). Privacy Rule. (d) Business Associate will enter into a validshall limit its uses and disclosures of, HIPAA-compliant Data Use Agreement as described and requests for, PHI, to the minimum amount of PHI necessary to accomplish the intended purpose of such use, disclosure or request subject to the exceptions set forth in 45 C.F.R. § 164.514(e)(4), with the limited data set recipient. Business Associate will report any material breach or violation of the data use agreement to Covered Entity immediately after it becomes aware of any such material breach or violationPrivacy Rule. E. Except as otherwise limited in this (e) To the extent necessary to provide the services or products under the Service Agreement, Business Associate may disclose use PHI for to provide Data Aggregation services related to the proper management and administration or legal responsibilities health care operations of ▇▇▇▇▇▇▇▇▇ as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). If Business Associate is de-identifying PHI as part of the Data Aggregation services for ▇▇▇▇▇▇▇▇▇, Business Associate must comply with the de-identification standards of 45 C.F.R. § 164.514. (f) Business Associate must not use any PHI, even if de-identified, for any improvements or enhancements to Business Associate’s services, provided that disclosures are Required By Lawofferings, product development or Business Associate obtains reasonable assurances any other business interest without prior written approval from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached▇▇▇▇▇▇▇▇▇. F. The Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an individual pursuant to §§ 13405(d)(1(g) and (2) of the HITECH Act. This prohibition does not apply to the State’s payment of Business Associate for its performance pursuant to the Underlying Agreement. G. The Business Associate shall comply with any requests for restrictions on certain uses and disclosures of PHI to which ▇▇▇▇▇▇▇▇▇ has agreed in accordance with 45 C.F.R. § 164.522 and of which Business Associate has been notified by ▇▇▇▇▇▇▇▇▇. (h) In the limitations on marketing event Business Associate receives a request for the use or disclosure of PHI that is potentially related to Reproductive Health Care, as defined by 45 C.F.R. § 160.103 (“RHI”), Business Associate shall notify ▇▇▇▇▇▇▇▇▇ of such request within five (5) business days of receipt. Business Associate shall only use or disclose the RHI to the requestor if (i) Business Associate reasonably determines that such use or disclosure is not prohibited under 45 C.F.R § 165.502(a)(5)(iii) and fundraising communications provides the basis for such determination in writing to ▇▇▇▇▇▇▇▇▇; (ii) where required by law, Business Associate has received a signed attestation in the form required by 45 C.F.R. § 164.509 from the requestor and has provided in § 13406 a copy of the HITECH Act signed attestation to ▇▇▇▇▇▇▇▇▇; and (iii) ▇▇▇▇▇▇▇▇▇ approves in connection with any PHI writing the use or disclosure of individualsthe RHI to the requestor.