Responsibilities of the Business Associate Sample Clauses

The "Responsibilities of the Business Associate" clause defines the obligations that a business associate must fulfill when handling protected information or performing services on behalf of a covered entity, typically in the context of healthcare data under HIPAA. This clause outlines requirements such as safeguarding protected health information (PHI), reporting breaches or unauthorized disclosures, and ensuring that any subcontractors also comply with relevant privacy and security standards. Its core practical function is to ensure that sensitive data is properly protected and that liability and compliance requirements are clearly allocated between the parties.
Responsibilities of the Business Associate. Regarding the use or disclosure of PHI and PII, the Business Associate agrees to: 1. Only use or disclose the PHI and PII as allowed under this Addendum or otherwise by applicable law. 2. Only use or disclose PHI and PII in a manner that would not violate the HIPAA Privacy and Security Rules, or FIPA, if done so by a Covered Entity. 3. Establish and implement appropriate procedures, physical, and technical safeguards to prevent improper access, uses, transmissions, or disclosures of PHI and PII for mitigating, to the greatest extent possible under the circumstances, any deleterious effects from any improper access, use, or disclosure of PHI and PII that the Business Associate reports to the County. Safeguards shall include, but are not limited to: (a) the implementation and use of electronic security measures to safeguard electronic data; (b) requiring employees to agree to access, use, or disclose PHI and PII only as permitted or required by this Addendum; and (c) taking related disciplinary action for inappropriate access, use or disclosure as necessary. 4. Ensure that the Business Associate’s subcontractors or agents to whom the Business Associate provides PHI or PII, created, received, maintained, or transmitted on behalf of the County agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI and PII, and ensure that its subcontractors or agents agree to establish and implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of all PHI and PII that it creates, receives, maintains, or transmits on behalf of the County. 5.
Make the Business Associate’s records, books, accounts, agreements, policies, and procedures available to the Secretary of HHS for determining the County’s compliance with the HIPAA Privacy and Security Rules, and also, with the State of Florida’s Department of Legal Affairs to determine the County’s compliance with FIPA. 6. Limit use by, or disclosure to, its subcontractors, agents, and other third parties, to the minimum PHI and PII necessary to perform or fulfill a specific function required or permitted hereunder. 7. Provide information to the County to permit the County to respond to a request by an individual for an accounting of disclosures within five (5) days of receiving a written request from the County, if the Business Associate maintains a Designated Records Set on behalf of the County. 8. At the request of, and in the time and manner ...
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: a. Not use or disclose PHI other than as permitted or required by the Agreement or as Required by Law;
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: F.3.1.1. Not use or disclose PHI other than as permitted or required by this Attachment F or the Purchase Order or as required by law; F.3.1.2. Implement appropriate administrative, physical, and technical safeguards to prevent the unauthorized Use and Disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Protected Health Information, as required by the HIPAA Regulations. Without limiting the foregoing, Business Associate agrees to comply with the requirements of the HIPAA Rules; F.3.1.3. Report, in writing, to Covered Entity within five (5) business days any use or disclosure of PHI not provided for by this Attachment F or the Purchase Order of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR §164.410, and any security incident of which it becomes aware, and cooperate with the Covered Entity in any mitigation or breach reporting efforts. Such notification shall include: (i) the identification of each individual who may be, has been or is reasonably believed to have been affected by the Breach; (ii) the date of the Breach; (iii) the date of discovery of the Breach; (iv) the scope and nature of the Breach; and (v) any steps Business Associate has taken to mitigate any harmful effects of the Breach and to protect against further Breaches. In all cases, the information included in Business Associate’s notification shall be in accordance with any regulations and guidance provided by the Secretary of the United States Department of Health and Human Services (“Secretary”); 3.1.3.1. 
Notwithstanding the above, the Parties recognize and agree that there are and will be a significant number of attempts to, without authorization, access, use, disclose, modify or destroy e-PHI through activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service and any combination of the above (collectively “Unsuccessful Security Incidents”). As long as no such Unsuccessful Security Incident results in unauthorized access, use, disclosure, modification or destruction of electronic PHI or interference with information system operations related to the ePHI, Parties further agree that this subsection 3.1.3.1 satisfies any notices necessary by Business Associate to Covered Entity of the ongoing existenc...
Responsibilities of the Business Associate. With regard to the uses or disclosures of PHI permitted by this Agreement, Business Associate hereby agrees to the following: PROTECTION OF PHI
Responsibilities of the Business Associate. With regard to the use and/or disclosure of PHI by the Subcontractor, the Business Associate hereby agrees: To inform the Subcontractor of any changes in the notice of privacy practices (“Notice”) that the Business Associate and/or Covered Entity provides to individuals pursuant to 45 CFR §164.520 that affect Subcontractor’s use or disclosure of PHI, and provide to the Subcontractor, upon request, a copy of the Notice currently in use. To inform the Subcontractor of any changes in, or revocation of, the authorization provided to the Business Associate and/or Covered Entity by individuals pursuant to 45 CFR §164.508, to the extent relevant to the Services being provided under the Agreement. To inform the Subcontractor of any opt-outs exercised by any individual from fundraising activities of the Business Associate and/or Covered Entity pursuant to 45 CFR §164.514(f), to the extent relevant to the Services being provided under the Agreement. To notify the Subcontractor, in writing and in a timely manner, of any arrangements permitted or required of the Business Associate and/or Covered Entity under 45 CFR § part 160 and 164 that may impact in any manner the use and/or disclosure of PHI required by the Subcontractor under this HIPAA Subcontractor Agreement, including, but not limited to, agreed upon restrictions regarding the use and/or disclosure of PHI as provided for in 45 CFR §164.522. Additional Responsibilities of the Subcontractor with Respect to Handling of Designated Record Set. 
To the extent the Subcontractor creates, receives, maintains, or transmits PHI in a Designated Record Set on behalf of Business Associate, the Subcontractor hereby agrees to do the following: Within fifteen (15) days of request of the Business Associate, provide Business Associate access to the PHI so that Business Associate can respond to a request for access or request for copies of PHI by an individual who is the subject of the PHI, or his/her personal representative in accordance with 45 CFR §164.524. Within thirty (30) days of request of the Business Associate, provide Business Associate with access to PHI in the custody of Subcontractor so that Business Associate can make any amendment(s) to the PHI in accordance with 45 CFR §164.526.
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: a. Not use or disclose PHI other than as permitted or required by the Underlying Arrangement or as required by law, subject to Section 3(c) below. b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to secure and protect electronic PHI to prevent use or disclosure of PHI other than as provided for by the Agreement, and to protect the integrity and availability of PHI. c. Report, in writing, to the UCMC privacy officer within five (5) business days any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI, and any security incident of which it becomes aware, and cooperate with UCMC in any mitigation or breach reporting efforts. The notice will provide as much information as Business Associate has gathered as of that time. A subsequent notice, which Business Associate will provide no later than thirty (30) days after the first discovery of the use or disclosure, will include the identification of each individual whose PHI has been or is reasonably believed by Business Associate to have been affected by or during such use or disclosure. Business Associate will make no public disclosure of such use or disclosure without the approval of UCMC. d. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. e. Ensure that any agent or subcontractor to whom the Business Associate provides PHI, as well as Business Associate, not export PHI beyond the borders of the United States of America. f. 
Within five (5) business days request of UCMC, make available PHI in a designated record set, if applicable, to UCMC, as necessary to satisfy UCMC’s obligations under 45 CFR § 164.524. g. Within five (5) business days, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by UCMC pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy UCMC’s obligations under 45 CFR § 164.526. h. As applicable, maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy UCMC’s o...
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: a. use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise required by law. b. report to the designated Privacy Officer and/or Security Officer of the Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware within 7 business days of the Business Associate’s discovery of such unauthorized use and/or disclosure. To the extent possible, the Business Associate should provide the Covered Entity with the identification of each individual affected by the breach as well as any information required to be provided by the Covered Entity in its notification of affected individuals. Business Associates shall comply with all regulations issued by HHS and applicable state agencies regarding breach notification to Covered Entities. Business Associates agree to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. c. establish procedures for a mutually satisfactory resolution, regarding any deleterious effects from any improper use and/or disclosure of PHI that the Business Associate reports to the Covered Entity. d. use commercially reasonable efforts to maintain the security of the PHI and to prevent unauthorized use and/or disclosure of such PHI. e. require all of its subcontractors and agents that receive or use, or have access to, PHI under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to section 2 of this Agreement. f.
make available all internal practices, records, books, agreements, policies, procedures and PHI relating to the use and/or disclosure of PHI received from, or created or received by Business Associate, on behalf of Covered Entity, available to Covered Entity or to the Secretary of HHS in a prompt and commercially reasonable manner for purposes of determining (i) the Business Associate’s compliance with the terms of this Agreement and (ii) compliance by the Business Associate and the Covered Entity with all applicable statutory provisions and regulations of and under HIPAA and the HITECH Act, subject to attorney...
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: a. Not use or disclose PHI other than as permitted or required by the Underlying Arrangement or as required by law, subject to Section 3(c) below. b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to secure and protect electronic PHI to prevent use or disclosure of PHI other than as provided for by the Agreement, and to protect the integrity and availability of PHI. c. Report, in writing, to the UCMC privacy officer within five (5) business days any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI, and any security incident of which it becomes aware, and cooperate with UCMC in any mitigation or breach reporting efforts. The UCMC will determine whether the Business Associate or the UCMC will be responsible to send breach notification to affected individuals. If the UCMC provides the breach notification, the Business Associate will reimburse the UCMC for all related expenses which can include but are not limited to the investigation and notification. This can include but is not limited to: outside legal counsel, forensic fees, vendor fees for notification purposes, credit monitoring for affected individuals. All outside counsel and vendors utilized for investigation and breach notification will be chosen by the UCMC. The notice will provide as much information as Business Associate has gathered as of that time. A subsequent notice, which Business Associate will provide no later than fifteen (15) days after the first discovery of the use or disclosure, will include the identification of each individual whose PHI has been or is reasonably believed by Business Associate to have been affected by or during such use or disclosure and the type of PHI disclosed for each individual affected. 
Business Associate will make no public disclosure including to the media of such use or disclosure without the approval of UCMC. Business Associate will make no public disclosure of such use or disclosure without the approval of UCMC. d. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to s...
Responsibilities of the Business Associate. To the extent applicable and with the understanding by the County that Business Associate will not respond to requests from, or provide PHI directly to, any individuals whose PHI is governed by this Agreement, the Business Associate agrees to the following: a. The Business Associate shall use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise required by law; b. The Business Associate shall use appropriate safeguards to maintain the privacy and security of PHI, and prevent unauthorized use and/or disclosure of PHI in violation of this Agreement. c. The Business Associate shall report to the designated Privacy Officer of the County, in writing, any use or disclosure of PHI not provided for in this Agreement, including Security Incidents and Breaches of uPHI, of which Business Associate becomes aware. (1) Business Associate shall provide such notice without unreasonable delay, but in any event no later than five (5) business days from the Business Associate’s discovery of such Security Incident or Breach. Such written notice shall include: A. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; B. The scope of the incident, including the types of uPHI involved such as full name, social security number, date of birth, home address, account number, billing code, disability code, or other types of similar information; C. The identification of each individual whose uPHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during such Breach, including the individual’s first and last name, mailing address, street address, phone number, email address, if known; D. The identification of the party responsible for causing the Breach or Security Incident, including first and last name, mailing address, street address, phone number, email address, if known; E. 
The steps individuals should take to protect themselves from potential harm resulting from the Breach or Security Incident; F. A description of what the Business Associate is doing to investigate the Breach or Security Incident, to mitigate losses and to protect against any further breaches or incidents; and G. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free number, an e-mail address, web site, or postal address. (2) The Business Associate shall have a continuing duty to inform the Coun...
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: a. use and/or disclose the Protected Health Information only as permitted or required by this BA Agreement or as otherwise required by law. b. report to the designated Privacy Officer of the Covered Entity, in writing, and promptly, but no later than five (5) business days after discovery, of any access to, use or disclosure of PHI not provided for or allowed by this BA Agreement, or any Security Incident, or Breach of Unsecured PHI of which Business Associate becomes aware. For purposes of this BA Agreement, “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system. “Unsecured Protected Health Information” shall have the meaning as set forth in 45 CFR 164.402. With respect to a Breach of Unsecured Protected Health Information, Business Associate must include in its report to the Covered Entity the information required by 45 CFR 164.410, but must not delay initial notification of the suspected Breach for purposes of collecting such information.