Common use of Responsibilities of the Parties With Respect to Phi Clause in Contracts

Responsibilities of the Parties With Respect to Phi. Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: Use and/or disclose the PHI only as permitted or required by this BA Agreement or as otherwise required by law. To the extent the business associate is to carry out one or more of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s). Use appropriate safeguards to protect the privacy and security of PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information (EPHI), to prevent use or disclosure of PHI other than as provided for by this BA Agreement. Business Associate acknowledges its obligations under HIPAA and agrees to comply with any and all privacy and security provisions not otherwise specifically addressed in the Agreement made applicable to Business Associate by HIPAA on the applicable effective date and any subsequent regulations promulgated under HIPAA and/or guidance thereto. Business Associate acknowledges that: (i) the foregoing requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity; and (ii) Business Associate shall be subject to the civil and criminal enforcement provisions set forth at 42 USC 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the requirements and any applicable guidance subsequently issued by the Secretary of the Department of Health and Human Services (“Secretary”) with respect to such requirements. Disclose to its subcontractors, agents, or other third parties, and request from the Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder. Business Associate agrees that any EPHI it creates, receives, maintains, or transmits will be maintained or transmitted in a manner that is rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Covered Entity’s PHI. Require all of its subcontractors and agents that receive, use, or have access to PHI under this BA Agreement to agree, in a written Business Associate Agreement, to adhere to the same or more stringent restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to this BA Agreement. Make available all records, books, agreements, policies, and procedures relating to the use and/or disclosure of PHI to the Secretary for purposes of investigating or determining compliance with HIPAA. Upon prior written request, make available to the Covered Entity during normal business hours at Business Associate’s offices all records, books, agreements, policies, and procedures relating to the use and/or disclosure of Covered Entity’s PHI to determine the Business Associate’s compliance with the terms of this BA Agreement. Business Associate agrees to document any and all disclosures of PHI that require an accounting of disclosures as would be required under 45 CFR §164.528. Business Associate further agrees, within 30 days of receiving a written request from the Covered Entity, to provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 CFR §164.528. The Business Associate agrees to notify the Covered Entity within seventy-two (72) hours of discovery of:

Responsibilities of the Parties With Respect to Phi. Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: Use and/or disclose the PHI only as permitted or required by this BA Agreement or as otherwise required by law. To the extent the business associate is to carry out one or more of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s). Use appropriate safeguards to protect the privacy and security of PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information (EPHI), to prevent use or disclosure of PHI other than as provided for by this BA Agreement. Business Associate acknowledges its obligations under HIPAA and agrees to comply with any and all privacy and security provisions not otherwise specifically addressed in the Agreement made applicable to Business Associate by HIPAA on the applicable effective date and any subsequent regulations promulgated under HIPAA and/or guidance thereto. Business Associate acknowledges that: (i) the foregoing requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity; and (ii) Business Associate shall be subject to the civil and criminal enforcement provisions set forth at 42 USC 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the requirements and any applicable guidance subsequently issued by the Secretary of the Department of Health and Human Services (“Secretary”) with respect to such requirements. Disclose to its subcontractors, agents, or other third parties, and request from the Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder. Business Associate agrees that any EPHI it creates, receives, maintains, or transmits will be maintained or transmitted in a manner that is rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Covered Entity’s PHI. Require all of its subcontractors and agents that receive, use, or have access to PHI under this BA Agreement to agree, in a written Business Associate Agreement, to adhere to the same or more stringent restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to this BA Agreement. Make available all records, books, agreements, policies, and procedures relating to the use and/or disclosure of PHI to the Secretary for purposes of investigating or determining compliance with HIPAA. Upon prior written request, make available to the Covered Entity during normal business hours at Business Associate’s offices all records, books, agreements, policies, and procedures relating to the use and/or disclosure of Covered Entity’s PHI to determine the Business Associate’s compliance with the terms of this BA Agreement. Business Associate agrees to document any and all disclosures of PHI that require an accounting of disclosures as would be required under 45 CFR §164.528. Business Associate further agrees, within 30 days of receiving a written request from the Covered Entity, to provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 CFR §164.528. The Business Associate agrees to notify the Covered Entity within seventy-two fifteen (7215) hours business days of discovery of:

Responsibilities of the Parties With Respect to Phi. Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the As a Business Associate hereby agrees under the HIPAA Security and Privacy Rule, ▇▇▇▇ agrees: i. to do use or disclose any PHI for the following: Use and/or proper management and administration of services in Appendix A. ii. to disclose the PHI only as permitted or required by this BA Agreement or as otherwise when required by law. iii. To the extent the business associate is to carry out one or more only use PHI for purposes relevant to CHIS as allowed by law. For example, MIHO may aggregate data by combining PHI of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply MIHO with the requirements of Subpart E PHI received by another organization participating in providing CHIS for a patient to permit data analyses that apply relate to the covered entity in the performance of such obligation(s)healthcare operations. iv. Use to implement appropriate safeguards to protect the privacy and security of PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information (EPHI), to prevent use or disclosure of PHI other than as provided for by this BA permitted in Agreement. Business Associate acknowledges its obligations under HIPAA and agrees to comply with any and all privacy and security provisions not otherwise specifically addressed in the Agreement made applicable to Business Associate by HIPAA on the applicable effective date and any subsequent regulations promulgated under HIPAA and/or guidance thereto. Business Associate acknowledges that: (i) the foregoing requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity; and (ii) Business Associate shall be subject to the civil and criminal enforcement provisions set forth at 42 USC 1320d-5 and 1320d-6MIHO will implement administrative, as amended from time to time, for failure to comply with the requirements and any applicable guidance subsequently issued by the Secretary of the Department of Health and Human Services (“Secretary”) with respect to such requirements. Disclose to its subcontractors, agents, or other third partiesphysical, and request from technical safeguards that reasonably and appropriately protect the Covered Entityconfidentiality, only the minimum integrity, and availability of any PHI necessary to perform or fulfill a specific function required or permitted hereunder. Business Associate agrees ePHI that any EPHI it creates, receives, maintains, or transmits will be maintained or transmitted in a manner that is rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified as required by the Secretary in the guidance issued under section 13402(h)(2) HIPAA Security and Privacy Rule. v. to take reasonable steps to ensure that actions or omissions do not cause a breach of Public Law 111-5Agreement. vi. Establish procedures for mitigating, to the greatest extent possible, implement reasonable and appropriate safeguards to protect any deleterious effects from PHI. vii. to report to Covered Entity any improper use and/or or disclosure of PHI which is not in compliance with the terms of Agreement of which it becomes aware. MIHO shall report to Covered Entity’s PHI. Require all Entity of its subcontractors and agents that receivethe attempted or successful unauthorized access, use, disclosure, modification, or have access destruction of information or interference with system operations in an information system. viii. to PHI under this BA Agreement to agree, in a written Business Associate Agreement, to adhere to the same or more stringent restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to this BA Agreement. Make make available all records, books, agreements, policies, and procedures relating related to the use and/or or disclosure of PHI to the Secretary of HHS for purposes of investigating or determining Covered Entity’s compliance with HIPAAthe Privacy Rule. Upon Covered Entity under the HIPAA Security and Privacy Rule, agrees: i. to obtain any patient consent or authorization that may be required by the Privacy Rule or applicable state law prior written requestto furnishing MIHO any PHI pertaining to an individual. ii. to only use PHI as allowed by law. iii. to not furnish MIHO with PHI that violates any restrictions on use or disclosure as provided for in 45 C.F.R. §164.522. iv. to notify ▇▇▇▇, in writing, of any PHI in ▇▇▇▇’s possession that Covered Entity seeks to make available to a patient pursuant to 45 C.F.R. §164.524 and agree with ▇▇▇▇ as to the Covered Entity during normal business hours at Business Associate’s offices all recordstime, books, agreements, policiesmanner, and procedures relating form in which MIHO shall provide such access. v. to the take reasonable steps to ensure that actions or omissions do not cause a breach of Agreement. vi. to implement reasonable and appropriate safeguards to protect any PHI. vii. to report to MIHO any use and/or or disclosure of Covered Entity’s PHI to determine the Business Associate’s which is not in compliance with the terms of this BA AgreementAgreement of which it becomes aware. viii. Business Associate agrees to document notify ▇▇▇▇, in writing, of any and all disclosures amendment(s) to the PHI in the possession of MIHO that Covered Entity believes are necessary because of its belief that the PHI that require an accounting is the subject of disclosures as would the amendment(s) has been or could be required under 45 CFR §164.528. Business Associate further agrees, within 30 days of receiving a written request from the Covered Entity, to provide relied upon by ▇▇▇▇ or others to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting detriment of the disclosures individual who is the subject of the individual’s PHI in accordance with 45 CFR §164.528. The Business Associate agrees to notify the Covered Entity within seventy-two (72) hours of discovery of:PHI.

Responsibilities of the Parties With Respect to Phi. Responsibilities of the Business AssociateSubcontractor. With regard to its use and/or disclosure of PHI, the Business Associate Subcontractor hereby agrees to do the following: Use and/or disclose the PHI only as permitted or required by this BA HIPAA Subcontractor Agreement or as otherwise required by law. To the extent the business associate subcontractor is to carry out one or more of covered entityBusiness Associate and/or Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s). Use appropriate safeguards to protect the privacy and security of PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information (EPHI), to prevent use or disclosure of PHI other than as provided for by this BA HIPAA Subcontractor Agreement. Business Associate Subcontractor acknowledges its obligations under HIPAA and agrees to comply with any and all privacy and security provisions not otherwise specifically addressed in the Agreement made applicable to Business Associate Subcontractor by HIPAA on the applicable effective date and any subsequent regulations promulgated under HIPAA and/or guidance thereto. Business Associate Subcontractor acknowledges that: (i) that the foregoing requirements shall apply to Business Associate Subcontractor in the same manner that such requirements apply to Covered Entity; Business Associate, and (ii) Business Associate Subcontractor shall be subject to the civil and criminal enforcement provisions set forth at 42 USC 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the requirements and any applicable guidance subsequently issued by the Secretary of the Department of Health and Human Services (“Secretary”) with respect to such requirements. Disclose to its subcontractors, agents, or other third parties, and request from the Covered EntityBusiness Associate, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder. Business Associate Subcontractor agrees that any EPHI it creates, receives, maintains, or transmits will be maintained or transmitted in a manner that is rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Business Associate and/or Covered Entity’s PHI. Require all of its subcontractors and agents that receive, use, or have access to PHI under this BA HIPAA Subcontractor Agreement to agree, in a written Business Associate HIPAA Subcontractor Agreement, to adhere to the same or more stringent restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate Subcontractor pursuant to this BA HIPAA Subcontractor Agreement. Make available all records, books, agreements, policies, and procedures relating to the use and/or disclosure of PHI to the Secretary for purposes of investigating or determining compliance with HIPAA. Upon prior written request, make available to the Covered Entity Business Associate during normal business hours at Business AssociateSubcontractor’s offices all records, books, agreements, policies, and procedures relating to the use and/or disclosure of Business Associate and/or Covered Entity’s PHI to determine the Business AssociateSubcontractor’s compliance with the terms of this BA HIPAA Subcontractor Agreement. Business Associate Subcontractor agrees to document any and all disclosures of PHI that require an accounting of disclosures as would be required under 45 CFR §164.528. Business Associate Subcontractor further agrees, within 30 days of receiving a written request from the Covered EntityBusiness Associate, to provide to the Covered Entity Business Associate such information as is requested by the Covered Entity Business Associate to permit the Business Associate and/or Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 CFR §164.528. The Business Associate Subcontractor agrees to notify the Covered Entity Business Associate within seventy-two (72) hours of discovery of: