Common use of Permitted Uses and Disclosures of Phi by Business Associate Clause in Contracts

Permitted Uses and Disclosures of Phi by Business Associate. a. Business Associate may use or disclose PHI as permitted by HIPAA as necessary to further the HCDS discussions between the Parties or to perform the services set forth in any future Participation Agreement between Covered Entity and Business Associate. b. Business Associate may use or disclose PHI as Required by Law. c. Business Associate agrees to make uses and disclosures and requests for PHI consistent with the minimum necessary standards at 45 CFR 164.502(b) and the Covered Entity’s policies regarding minimum necessary. d. Business Associate may not use or disclose PHI in a manner that would violate Supart E of 45 CFR Part 164 if done by the Covered Entity, except for the specific Uses and Disclosures set forth below: (1) Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. (2) Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. (3) Business Associate may provide Data Aggregation services relating to the Health Care operations of the Covered Entity.

Permitted Uses and Disclosures of Phi by Business Associate. a. (a) Business Associate may use or disclose PHI as permitted by HIPAA only as necessary to further provide the HCDS discussions between products or services under the Parties Service Agreement, as permitted under this Agreement, or to perform the services set forth in any future Participation Agreement between Covered Entity and Business Associate. b. Business Associate may use or disclose PHI as Required by Law. c. (b) Business Associate agrees to make uses and disclosures and requests for PHI consistent with the minimum necessary standards at 45 CFR 164.502(b) and the Covered Entity’s policies regarding minimum necessary. d. Business Associate may must not use or disclose PHI in a manner that is prohibited under the Privacy Rule, 45 C.F.R. § 164.502(a)(5), or would otherwise violate Supart E of 45 CFR Part 164 the Privacy Rule if done by the Covered Entity▇▇▇▇▇▇▇▇▇, except for the specific Uses uses and Disclosures set forth disclosures permitted below:. (1c) Business Associate may use PHI for the proper management and administration of the Business Associate or its business and to carry out the its legal responsibilities of the Business Associateresponsibilities. (2d) Business Associate may disclose PHI for the proper management and administration of Business Associateits business and to carry out its legal responsibilities if: (1) Such disclosure is Required by Law, provided that disclosures are required by law, or or (2) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it such information will remain confidential and used or further disclosed only as required Required by law Law or for the purpose purposes for which it was disclosed to the person, and the person notifies the agrees to notify Business Associate of any instances of which it is aware in which that the confidentiality of the information has been breachedBreached. (3e) Business Associate must not sell, sub-license or receive any remuneration from a third party for PHI and must not use or disclose PHI for any marketing activities, without ▇▇▇▇▇▇▇▇▇’▇ prior written consent. Any permitted use must be in accordance with the Privacy Rule. (f) Business Associate shall limit its uses and disclosures of, and requests for, PHI, to the minimum amount of PHI necessary to accomplish the intended purpose of such use, disclosure or request subject to the exceptions set forth in the Privacy Rule. (g) To the extent necessary to provide the services or products under the Service Agreement, Business Associate may use PHI to provide Data Aggregation services relating related to the Health Care health care operations of ▇▇▇▇▇▇▇▇▇ as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). If Business Associate is de-identifying PHI as part of the Covered EntityData Aggregation services for ▇▇▇▇▇▇▇▇▇, Business Associate must comply with the de-identification standards of 45 C.F.R. § 164.514. (h) Business Associate must not use any PHI, even if de-identified, for any improvements or enhancements to Business Associate’s services, offerings, product development or any other business interest without prior written approval from ▇▇▇▇▇▇▇▇▇. (i) Business Associate shall comply with any requests for restrictions on certain uses and disclosures of PHI to which ▇▇▇▇▇▇▇▇▇ has agreed in accordance with 45 C.F.R. § 164.522 and of which Business Associate has been notified by ▇▇▇▇▇▇▇▇▇. (j) In the event Business Associate receives a request for the use or disclosure of PHI that is potentially related to Reproductive Health Care, as defined by 45 C.F.R. § 160.103 (“RHI”), Business Associate shall notify ▇▇▇▇▇▇▇▇▇ of such request within five (5) business days of receipt. Business Associate shall only use or disclose the RHI to the requestor if (i) Business Associate reasonably determines that such use or disclosure is not prohibited under 45 C.F.R § 165.502(a)(5)(iii) and provides the basis for such determination in writing to ▇▇▇▇▇▇▇▇▇; (ii) where required by law, Business Associate has received a signed attestation in the form required by 45 C.F.R. § 164.509 from the requestor and has provided a copy of the signed attestation to ▇▇▇▇▇▇▇▇▇; and (iii) ▇▇▇▇▇▇▇▇▇ approves in writing the use or disclosure of the RHI to the requestor.

Permitted Uses and Disclosures of Phi by Business Associate. a. (a) General Use and Disclosure Provisions Except as otherwise limited in this Addendum, Business Associate may use Use or disclose Disclose PHI as permitted by HIPAA as necessary to further the HCDS discussions between the Parties obtained from or on behalf of Covered Entity to perform the functions, activities, or services set forth in any future Participation Agreement between Covered Entity and Business Associate. b. Business Associate may use for, or disclose PHI as Required by Law. c. Business Associate agrees to make uses and disclosures and requests for PHI consistent with the minimum necessary standards at 45 CFR 164.502(b) and the Covered Entity’s policies regarding minimum necessary. d. Business Associate may not use or disclose PHI in a manner that would violate Supart E of 45 CFR Part 164 if done by the on behalf of, Covered Entity, except for provided that such Use or Disclosure complies with HIPAA. Business Associate acknowledges and agrees that it acquires no title or rights to the specific Uses PHI, including any de-identified information, as a result of this Addendum. (b) Specific Use and Disclosures set forth below:Disclosure Provisions (1) Business Associate may use only Use or Disclose PHI as necessary to perform functions, activities, or services for, or on behalf of, Covered Entity to fulfill its obligations under the Underlying Agreement, provided that such Use or Disclosure would not violate the Privacy Rule or Security Rule if done by the Covered Entity. (2) Business Associate agrees to make Uses and Disclosures and requests for PHI consistent with Covered Entity’s Minimum Necessary policies and procedures. (3) Business Associate may Use and disclose PHI for the proper and necessary management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. (2) Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures that, as to any such Disclosure, the following requirements are met: (i) the Disclosure is required by law, or ; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. (34) Except as otherwise limited in this Addendum, Business Associate may Use PHI to provide Data Aggregation services to Covered Entity, relating to the Health Care operations Operations of the Covered Entity. (5) If the Underlying Agreement permits or requires Business Associate to Use de-identified PHI, the PHI must be de-identified in accordance with 45 CFR 164.514 (a)-(c).

Permitted Uses and Disclosures of Phi by Business Associate. a. Except as otherwise provided in this Agreement, Business Associate may use or disclose PHI as permitted by HIPAA as necessary to further the HCDS discussions between the Parties on behalf of or to perform the provide services set forth in any future Participation Agreement between to Covered Entity and Business Associate. b. Business Associate may for the purposes specified in this Agreement, if such use or disclose disclosure of PHI as Required by Law. c. Business Associate agrees to make uses and disclosures and requests for PHI consistent with would not violate the minimum necessary standards at 45 CFR 164.502(b) and the Covered Entity’s policies regarding minimum necessary. d. Business Associate may not use or disclose PHI in a manner that would violate Supart E of 45 CFR Part 164 Privacy Rule if done by the Covered Entity. Unless otherwise limited herein, except for the specific Uses and Disclosures set forth belowBusiness Associate may: (1) Business Associate may i. use PHI for the its proper management and administration of the Business Associate or to carry out the fulfill any present or future legal responsibilities of the Business Associate.; (2) Business Associate may ii. disclose PHI for the its proper management and administration or to fulfill any present or future legal responsibilities of Business Associate, provided that that; (i) the disclosures are required by law, ; or (ii) Business Associate obtains reasonable assurances from the any person to whom the information PHI is disclosed that it such PHI will remain be kept confidential and will be used or further disclosed only as required Required by law Law or for the purpose purpose(s) for which it was disclosed to the person, and the person notifies the commits to notifying Business Associate of any instances of which it is aware in which the confidentiality of the information PHI has been breached.; (3) iii. disclose PHI to report violations of law to appropriate federal and state authorities; or iv. aggregate the PHI with other data in its possession for purposes of Covered Entity’s Health Care Operations; v. make uses and disclosures and requests for protected health information consistent with Covered Entity’s minimum necessary policies and procedures; vi. de-identify any and all PHI obtained by Business Associate may provide Data Aggregation services relating to under this BAA, and use such de-identified data, all in accordance with the Health Care operations de-identification requirements of the Covered EntityPrivacy Rule [45 C.F.R. § (d)(1)].

Permitted Uses and Disclosures of Phi by Business Associate. a. Except as otherwise limited in this Agreement, Business Associate may use or disclose de-identified PHI for purposes of evaluation and analysis in determining appropriate and mutually agreed-upon scientific research and/or educational training and related studies, as permitted approved by HIPAA as necessary to further the HCDS discussions between the Parties or to perform the services set forth in any future Participation Agreement between Covered Entity and Business Associate. b. Entity. Business Associate may use the de-identified PHI only in accordance with the purposes and procedures set forth in an approved study protocol, its internal policies and, for funded research, as outlined in any subsequent, separately executed Research Agreement, provided that such use or disclose PHI disclosure would not violate the Privacy Rule if done by Covered Entity. Any such use or disclosure shall be limited to those reasons and those individuals as Required by Law. c. necessary to meet the Business Associate’s obligations under the Research Agreement. In all circumstances, Business Associate agrees to make shall limit such uses and disclosures and requests for PHI consistent with to the minimum amount of de-identified PHI that is necessary standards at 45 CFR 164.502(b) and the Covered Entity’s policies regarding minimum necessary. d. Business Associate may not use or disclose PHI in a manner that would violate Supart E of 45 CFR Part 164 if done by the Covered Entity, except for the specific to fulfill those obligations. Uses and Disclosures set forth below: (1) of PHI for Management, Administration, and Legal Responsibilities. Business Associate may use PHI PHI, if necessary, for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. (2) . If Business Associate provides Data Aggregation services, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 42 CFR § 164.504(e)(2)(i)(B), except as otherwise provided by this Agreement. Business Associate may disclose PHI PHI, if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that disclosures are required provided: The disclosure is Required by law, Law and approved by authorized officials of Business Associate; or Business Associate obtains reasonable proper written assurances from the person to whom the information PHI is disclosed that it will remain confidential and will be used or further disclosed only as required Required by law Law or for the purpose for which it was disclosed to the person, and the person promptly notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information PHI has been breached. Obligations of Business Associate. (3) Business Associate may provide Data Aggregation services relating to the Health Care operations of the Covered Entity.

Permitted Uses and Disclosures of Phi by Business Associate. a. Business Associate may use Use or disclose Disclose PHI as permitted by HIPAA as necessary to further the HCDS discussions between the Parties or to perform the services set forth in any future the Participation Agreement between Covered Entity Participant and Business Associate. b. Business Associate may use Use or disclose Disclose PHI as Required by Law. c. Business Associate agrees to make uses Uses and disclosures Disclosures and requests for PHI consistent with the minimum necessary standards at 45 CFR 164.502(b) and the Covered Entity’s any policies provided to it by Participant regarding minimum necessary. d. Business Associate may not use Use or disclose Disclose PHI in a manner that would violate Supart Subpart E of 45 CFR Part 164 if done by the applicable Covered Entity, except for the specific Uses and Disclosures set forth below: (1) Business Associate may use Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. (2) Business Associate may disclose Disclose PHI for the proper management and administration of Business Associate, provided that disclosures Disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. (3) Business Associate may provide Data Aggregation services relating to the Health Care operations of the applicable Covered Entity. (4) Business Associate may de-identify any and all PHI provided that the information is de-identified in accordance with HIPAA standards. De-identified information does not constitute PHI and is not subject to the terms and conditions of this Addendum, provided, however that such de-identified information may not be used for commercial purposes or shared with third parties.