Common use of SAFEGUARDS FOR PROTECTED HEALTH INFORMATION Clause in Contracts

SAFEGUARDS FOR PROTECTED HEALTH INFORMATION. A. The Business Associate shall implement appropriate safeguards to prevent use or disclosure of Personal Health Information other than as permitted by this Agreement. The Business Associate shall provide the City with information concerning such safeguards as the City may from time to time request. Upon reasonable request, the Business Associate shall give the City access for inspection and copying to the Business Associate’s facilities used for the maintenance and processing of Personal Health Information, and to its books, records, practices, policies, and procedures concerning the use and disclosure of Personal Health Information. B. The Business Associate and any Agent or Subcontractor shall comply with the minimum necessary requirements set forth in the HIPAA Rules when using or disclosing Personal Health Information. The Business Associate also agrees to mitigate, to the extent possible, any harmful effects of an improper use or disclosure of Personal Health Information by the Business Associate in violation of the requirements of this Agreement. The Business Associate shall make its internal practices, books, records, including policies and procedures, related to the use and disclosures of protected health information available to the Secretary of the United States Department of Health and Human Services, for purposes of determining compliance with HIPAA. C. The Business Associate shall maintain a record of all Personal Health Information disclosures made other than for the permitted purposes of this Agreement, including the date of disclosure, the name and, if known, the address of the recipient of the Personal Health Information, a brief description of the Personal Health Information disclosed, and the purposes of the disclosures. D. The Business Associate shall comply with all written directions from the City concerning: i. any special limitations on the use or disclosure of Protected Health Information beyond the requirements of the HIPAA Rules; ii. any changes in, or revocation of, the permission by an individual to use or disclose his or her Protected Health Information that may affect the Business Associate’s use or disclosure of such information; and iii. any restriction on the use or disclosure of Protected Health Information that the City has agreed to that may affect the Business Associate’s use or disclosure of such information. E. Within ten (10) calendar days of notice by the City to the Business Associate that the City has received a request for an accounting of disclosures of Personal Health Information regarding an individual, the Business Associate shall make available to the City such information as is in the Business Associate’s possession and is required for the City to make the accounting. F. Within five (5) business days of becoming aware of a use or disclosure of Personal Health Information in violation of this Agreement by the Business Associate, Agent or Subcontractor, the Business Associate shall report such disclosure or use in writing to the City and describe the remedial action taken or proposed to be taken with respect to such use or disclosure. G. The Business Associate shall make any amendment(s) to Protected Health Information in a designated record set as directed or agreed to by the City pursuant to 45 CFR Part 164.526, or take other measures as necessary to satisfy the City’s obligations under 45 CFR Part 164.526. H. The Business Associate acknowledges that the additional requirements of the HITECH Act (Health Information Technology for Economic and Clinic Health Act enacted as part of the American Recovery and Reinvestment Act of 2009) and the Final Rule (also known as the Omnibus Rule) issued by the U.S. Department of Health and Human Services on January 25, 2013 are applicable to the Business Associate. The Business Associate further acknowledges restrictions on the sales and marketing of protected health information without the explicit authorization of the individual. I. To the extent the Business Associate is to carry out one of more of the City’s obligations under Subpart E of 45 C.F.R. Part1 164, the Business Associate will comply with the requirements of Subpart E that apply to the City in the performance of such obligations. J. The Business Associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the City except for the specific uses and disclosures set forth below: i. The Business Associate may disclose protected health information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information remains confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances in which it is aware in which the confidentiality of the information has been breached. ii. The Business Associate may provide data aggregation services related to the health care operations of the City.

SAFEGUARDS FOR PROTECTED HEALTH INFORMATION. A. The Business Associate shall implement appropriate safeguards to prevent use or disclosure of Personal Health Information other than as permitted by this Agreement. The Business Associate shall provide the City with information concerning such safeguards as the City may from time to time request. Upon reasonable request, the Business Associate shall give the City access for inspection and copying to the Business Associate’s facilities used for the maintenance and processing of Personal Health Information, and to its books, records, practices, policies, and procedures concerning the use and disclosure of Personal Health Information. B. The Business Associate and any Agent or Subcontractor shall comply with the minimum necessary requirements set forth in the HIPAA Rules when using or disclosing Personal Health Information. The Business Associate also agrees to mitigate, to the extent possible, any harmful effects of an improper use or disclosure of Personal Health Information by the Business Associate in violation of the requirements of this Agreement. The Business Associate shall make its internal practices, books, records, including policies and procedures, related to the use and disclosures of protected health information available to the Secretary of the United States Department of Health and Human Services, for purposes of determining compliance with HIPAA. C. The Business Associate shall maintain a record of all Personal Health Information disclosures made other than for the permitted purposes of this Agreement, including the date of disclosure, the name and, if known, the address of the recipient of the Personal Health Information, a brief description of the Personal Health Information disclosed, and the purposes of the disclosures. D. The Business Associate shall comply with all written directions from the City concerning: i. any special limitations on the use or disclosure of Protected Health Information beyond the requirements of the HIPAA Rules; ii. any changes in, or revocation of, the permission by an individual to use or disclose his or her Protected Health Information that may affect the Business Associate’s use or disclosure of such information; and iii. any restriction on the use or disclosure of Protected Health Information that the City has agreed to that may affect the Business Associate’s use or disclosure of such information. E. Within ten (10) calendar days of notice by the City to the Business Associate that the City has received a request for an accounting of disclosures of Personal Health Information regarding an individual, the Business Associate shall make available to the City such information as is in the Business Associate’s possession and is required for the City to make the accounting. F. Within five (5) business days of becoming aware of a use or disclosure of Personal Health Information in violation of this Agreement by the Business Associate, Agent or Subcontractor, the Business Associate shall report such disclosure or use in writing to the City and describe the remedial action taken or proposed to be taken with respect to such use or disclosure. G. The Business Associate shall make any amendment(s) to Protected Health Information in a designated record set as directed or agreed to by the City pursuant to 45 CFR Part 164.526, or take other measures as necessary to satisfy the City’s obligations under 45 CFR Part 164.526. H. The Business Associate acknowledges that the additional requirements of the HITECH Act (Health Information Technology for Economic and Clinic Health Act enacted as part of the American Recovery and Reinvestment Act of 2009) and the Final Rule (also known as the Omnibus Rule) issued by the U.S. Department of Health and Human Services on January 25, 2013 are applicable to the Business Associate. The Business Associate further acknowledges restrictions on the sales and marketing of protected health information without the explicit authorization of the individual. I. To the extent the Business Associate is to carry out one of more of the City’s obligations under Subpart E of 45 C.F.R. Part1 164, the Business Associate will comply with the requirements of Subpart E that apply to the City in the performance of such obligations. J. ▇. The Business Associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the City except for the specific uses and disclosures set forth below: i. The Business Associate may disclose protected health information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information remains confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances in which it is aware in which the confidentiality of the information has been breached. ii. The Business Associate may provide data aggregation services related to the health care operations of the City.