Common use of Safeguards and Security Clause in Contracts

Safeguards and Security.

9.2.1 Business Associate shall use safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI and other confidential data and comply, where applicable, with subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by this Agreement. Such safeguards shall be based on applicable Federal Information Processing Standards (FIPS) Publication 199 protection levels.

9.2.2 Business Associate shall, at a minimum, utilize a National Institute of Standards and Technology Special Publication (NIST SP) 800-53 compliant security framework when selecting and implementing its security controls and shall maintain continuous compliance with NIST SP 800-53 as it may be updated from time to time. The current version of NIST SP 800-53, Revision 5, is available online at; updates will be available online through the Computer Security Resource Center website.

9.2.3 Business Associate shall employ FIPS 140-2 validated encryption of PHI at rest and in motion unless Business Associate determines it is not reasonable and appropriate to do so based upon a risk assessment, and equivalent alternative measures are in place and documented as such. FIPS 140-2 validation can be determined online through the Cryptographic Module Validation Program Search, with information about the Cryptographic Module Validation Program under FIPS 140-2. In addition, Business Associate shall maintain, at a minimum, the most current industry standards for transmission and storage of PHI and other confidential information.

9.2.4 Business Associate shall apply security patches and upgrades, and keep virus software up-to-date, on all systems on which PHI and other confidential information may be used.

9.2.5 Business Associate shall ensure that all members of its workforce with access to PHI and/or other confidential information sign a confidentiality statement prior to access to such data. The statement must be renewed annually.

9.2.6 Business Associate shall identify the security official who is responsible for the development and implementation of the policies and procedures required by 45 CFR Part 164, Subpart C.

Appears in 8 contracts

Sources: Medi Cal Privacy and Security Agreement, Subcontract Agreement, Participation Agreement