Security Rule Obligations Clause Samples

Security Rule Obligations. The following provisions of this section apply to the extent that Business Associate creates, receives, maintains or transmits Electronic PHI on behalf of Covered Entity. 17.1 Business Associate shall implement and use administrative, physical, and technical safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312 with respect to the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate shall identify in writing upon request from Covered Entity all of the safeguards that it uses to protect such Electronic PHI. 17.2 Business Associate shall ensure that any Agent and Subcontractor to whom it provides Electronic PHI agrees in a written agreement to implement and use administrative, physical, and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of the Electronic PHI. Business Associate must enter into this written agreement before any use or disclosure of Electronic PHI by such Agent or Subcontractor. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. Business Associate shall provide a copy of the written agreement to Covered Entity upon request. Business Associate may not make any disclosure of Electronic PHI to any Agent or Subcontractor without the prior written consent of Covered Entity. 17.3 Business Associate shall report in writing to Covered Entity any Security Incident pertaining to such Electronic PHI (whether involving Business Associate or an Agent or Subcontractor). Business Associate shall provide this written report as soon as it becomes aware of any such Security Incident, and in no case later than two (2) business days after it becomes aware of the incident. 
Business Associate shall provide Covered Entity with the information necessary for Covered Entity to investigate any such Security Incident. 17.4 Business Associate shall comply with any reasonable policies and procedures Covered Entity implements to obtain compliance under the Security Rule.
Security Rule Obligations. Business Associate acknowledges that 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 apply to Business Associate in the same manner that such sections apply to covered entities, and are incorporated into this Agreement by reference. The additional requirements of the HITECH Act that relate to security and that apply to covered entities also apply to Business Associate and are incorporated into this Agreement by reference. Business Associate agrees to implement the technical safeguards provided in guidance issued annually by the Secretary of the U.S. Department of Health and Human Services (“HHS”) for carrying out the obligations under the Code of Federal Regulation sections cited in this Section and the security standards in 45 C.F.R. Part 164 Subpart C.
Security Rule Obligations. The following provisions of this Section apply to the extent that Onpoint creates, receives, maintains or transmits Electronic PHI on behalf of Covered Entity. 17.1 Onpoint shall implement and use administrative, physical, and technical safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312 with respect to the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Upon request from Covered Entity, Onpoint shall provide Covered Entity an overview of its information security program which shall include available documentation regarding its security policies and procedures. 17.2 Onpoint shall ensure that any Agent and Subcontractor to whom it provides Electronic PHI agrees in a written agreement to implement and use administrative, physical, and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of the Electronic PHI. Onpoint must enter into this written agreement before any use or disclosure of Electronic PHI by such Agent or Subcontractor. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. Onpoint shall provide a copy of the written agreement to Covered Entity upon Covered Entity’s request. Onpoint, in its sole discretion, may redact from such written agreement any confidential or proprietary information. Onpoint may not make any disclosure of Electronic PHI to any Agent or Subcontractor without the prior written consent of Covered Entity, which consent shall not be unreasonably withheld, conditioned or delayed. 
Notwithstanding the above, with respect to any Agent or Subcontractor engaged by Onpoint prior to the Effective Date, Onpoint’s contract with the Agent or Subcontractor is not required to identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. However, if Onpoint renews or enters into a new contract with the Agent or Subcontractor after the Effective Date, it must identify Covered Entity as a third party beneficiary as required above, and must provide a copy of the written agreement upon Covered Entity’s request. With respect to any Agent or Subcontractor engaged by Onpoint prior to the Effective Date, as identified by Onpoint prior to the Effective Date, Cov...
Security Rule Obligations. The following provisions of this section apply to the extent that Business Associate creates, receives, maintains or transmits Electronic PHI on behalf of Covered Entity. 17.1 Business Associate shall implement and use administrative, physical, and technical safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312 with respect to the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. 17.2 Business Associate shall ensure that any Agent and Subcontractor to whom it provides Electronic PHI agrees in a written agreement to implement and use administrative, physical, and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of the Electronic PHI. Business Associate must enter into this written agreement before any use or disclosure of Electronic PHI by such Agent or Subcontractor. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. Business Associate shall provide a copy of the written agreement to Covered Entity upon request. Business Associate may not make any disclosure of Electronic PHI to any Agent or Subcontractor without the prior written consent of Covered Entity. 17.3 Business Associate shall report in writing to Covered Entity any Security Incident pertaining to such Electronic PHI (whether involving Business Associate or an Agent or Subcontractor). Business Associate shall provide this written report as soon as it becomes aware of any such Security Incident, and in no case later than two (2) business days after it becomes aware of the incident. Business Associate shall provide Covered Entity with the information necessary for Covered Entity to investigate any such Security Incident.
Security Rule Obligations. In addition to complying with Covered Entity’s policies and procedures as provided in Section 2.3.14, Business Associate will comply with all aspects of the Security Rule and the HITECH Act, including (i) implementing Safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule and the HITECH Act and (ii) developing and implementing all required policies and procedures.

Related to Security Rule Obligations

  • Processor Obligations 4.1 The Processor may collect, process or use Personal Data only within the scope of this DPA. 4.2 The Processor confirms that it shall process Personal Data on behalf of the Controller and shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data shall only process the Personal Data on the documented instructions of the Controller. 4.3 The Processor shall promptly inform the Controller, if in the Processor’s opinion, any of the instructions regarding the processing of Personal Data provided by the Controller, breach any Data Protection Law. 4.4 The Processor shall ensure that all employees, agents, officers and contractors involved in the handling of Personal Data: (i) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential; (ii) have received appropriate training on their responsibilities as a data processor; and (iii) are bound by the terms of this DPA. 4.5 The Processor shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 
4.6 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 4.7 The technical and organisational measures detailed in Exhibit B shall be at all times adhered to as a minimum security standard. The Controller accepts and agrees that the technical and organisational measures are subject to development and review and that the Processor may use alternative suitable measures to those detailed in the attachments to this DPA. 4.8 The Controller acknowledges and agrees that, in the course of providing the Services to the Controller, it may be necessary for the Processor to access the Personal Data to respond to any technical problems or Controller queries and to ensure the proper working of the Services. All such access by the Processor will be limited to those purposes.

  • Security Rule “Security Rule” shall mean the Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.

  • Disclosure Obligations LAUSD expects Contractors and their Representatives to satisfy the following public disclosure obligations:

  • ▇▇▇▇▇ OBLIGATIONS A ▇▇▇▇▇▇▇'s acceptance of funds directly under the Grant or indirectly through a subaward acts as acceptance of the authority of the State, under the direction of the legislative audit committee, to conduct an audit or investigation in connection with those funds. In accordance with the legislative audit committee, DFPS can request any documentation, at any time, to be sent to DFPS to a location DFPS chooses. Examples of documentation that DFPS may request include, but are not limited to: 1. Participant files in their entirety. This includes, but is not limited to: a. Progress notes. b. Action plans. c. Registration forms. d. Surveys. e. Sign-in sheets. f. Monthly tracking forms.

  • Nondisclosure Obligations (a) Except as otherwise specifically contemplated by Section 2.7 or as provided in this Article 6, during the Term of this Agreement and for a period of five (5) years thereafter, both Parties shall maintain in confidence (i.e., not disclose to any third party) and use only for purposes specifically authorized under this Agreement confidential information and data received from the other Party, whether such information is contained in a written or electronic document, whether it is oral or whether it is disclosed by means of inspection. (b) For purposes of this Article 6, information and data described in clause (a) shall be referred to as “Information.” To the extent it is reasonably necessary or appropriate to fulfill its obligations or exercise its rights under this Agreement, a Party may disclose Information it is otherwise obligated under this Section not to disclose, to its Affiliates, employees, officers, directors, lenders, sublicensees, consultants, outside contractors and clinical investigators on a need-to-know basis and on condition that such entities or persons agree in writing to keep the Information confidential for the same time periods and to the same extent as such Party is required to keep the Information confidential; notwithstanding the foregoing the Party so disclosing Information will be liable to the other Party hereunder for any misuse or improper disclosure of any such Information by any such firms or individuals. A Party or its sublicensees may disclose such Information to government or other regulatory authorities to the extent that such disclosure is reasonably necessary to obtain patents or authorizations to conduct clinical trials of, and to commercially market, the Product. 
The obligation not to disclose Information shall not apply to any part of such Information that (i) is or becomes part of the public domain other than by unauthorized acts of the Party obligated not to disclose such Information or its Affiliates or sublicensees, (ii) can be shown by written documents to have been disclosed to the receiving Party or its Affiliates or sublicensees by a third party, provided such Information was not obtained by such third party directly or indirectly from the other Party under this Agreement pursuant to a confidentiality agreement, (iii) prior to disclosure under this Agreement can be shown by written documents to have been already in the possession of the receiving Party or its Affiliates or sublicensees, provided such Information was not obtained directly or indirectly from the other Party under this Agreement pursuant to a confidentiality agreement, (iv) can be shown by written documents to have been independently developed by the receiving Party or its Affiliates without breach of any of the provisions of this Agreement, or (v) is disclosed by the receiving Party pursuant to oral questions, interrogatories, requests for information or documents, subpoena, civil investigative demand of a court or governmental agency, provided that the receiving Party notifies the other Party immediately upon receipt of any such official requests (and provided that the disclosing Party furnishes only that portion of the Information which is legally required). The Party asserting the applicability of one of the exclusions set forth in the immediately preceding sentence shall have the burden of proving the applicability of any such exclusion in any particular circumstance.