Security Rule Obligations. The following provisions of this Section apply to the extent that Onpoint creates, receives, maintains or transmits Electronic PHI on behalf of Covered Entity.
17.1 Onpoint shall implement and use administrative, physical, and technical safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312 with respect to the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Upon request from Covered Entity, Onpoint shall provide Covered Entity an overview of its information security program which shall include available documentation regarding its security policies and procedures.
17.2 Onpoint shall ensure that any Agent and Subcontractor to whom it provides Electronic PHI agrees in a written agreement to implement and use administrative, physical, and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of the Electronic PHI. Onpoint must enter into this written agreement before any use or disclosure of Electronic PHI by such Agent or Subcontractor. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. Onpoint shall provide a copy of the written agreement to Covered Entity upon Covered Entity’s request. Onpoint, in its sole discretion, may redact from such written agreement any confidential or proprietary information. Onpoint may not make any disclosure of Electronic PHI to any Agent or Subcontractor without the prior written consent of Covered Entity, which consent shall not be unreasonably withheld, conditioned or delayed. Notwithstanding the above, with respect to any Agent or Subcontractor engaged by Onpoint prior to the Effective Date, Onpoint’s contract with the Agent or Subcontractor is not required to identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. However, if Onpoint renews or enters into a new contract with the Agent or Subcontractor after the Effective Date, it must identify Covered Entity as a third party beneficiary as required above, and must provide a copy of the written agreement upon Covered Entity’s request.
With respect to any Agent or Subcontractor engaged by Onpoint prior to the Effective Date, as identified by Onpoint prior to the Effective Date, Covered Entity hereby consents to the disclosure of Electronic PHI to such Subcontractors.
17.3 Onpoint shall report in writing to Covered Entity any Security Incident pertaining to such Electronic PHI (whether involving Onpoint or its Agent or Subcontractor). Onpoint shall provide this written report as soon as it becomes aware of any such Security Incident, and in no case later than three
Appears in 1 contract
Sources: Contract for Personal Services
Security Rule Obligations. The following provisions of this Section apply to the extent that Business Associate creates, receives, maintains or transmits Electronic PHI on behalf of Covered Entity.
16.1 Business Associate shall implement and use administrative, physical, and technical safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312 with respect to the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Upon request from Covered Entity, Business Associate shall provide Covered Entity an overview of its information security program which shall include available documentation regarding its security policies and procedures.
16.2 Business Associate shall ensure that any agent (including a subcontractor) to whom it provides Electronic PHI agrees in a written agreement to implement and use administrative, physical, and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of the Electronic PHI. Business Associate must enter into this written agreement before any use or disclosure of Electronic PHI by such agent. The written agreement with such agent must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. Business Associate shall provide a copy of the written agreement to Covered Entity upon Covered Entity’s request. Business Associate, in its sole discretion, may redact from such written agreement any confidential or proprietary information. Business Associate may not make any disclosure of Electronic PHI to any agent without the prior written consent of Covered Entity, which consent shall not be unreasonably withheld, conditioned or delayed. Notwithstanding the above, with respect to any agent engaged by Business Associate prior to the Effective Date, Business Associate’s contract with the agent is not required to identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. However, if Business Associate renews or enters into a new contract with the agent after the Effective Date, it must identify Covered Entity as a third party beneficiary as required above, and must provide a copy of the written agreement upon Covered Entity’s request.
With respect to any agent engaged by Business Associate prior to the Effective Date, as identified by Business Associate prior to the Effective Date, Covered Entity hereby consents to the disclosure of Electronic PHI to such agents.
16.3 Business Associate shall report in writing to Covered Entity any Security Incident pertaining to such Electronic PHI (whether involving Business Associate or an agent, including a subcontractor). Business Associate shall provide this written report as soon as it becomes aware of any such Security Incident, without unreasonable delay and in no case later than ten (10) business days after it becomes aware of the incident. Upon request by Covered Entity, Business Associate shall provide Covered Entity the information necessary for Covered Entity to investigate the Security Incident to meet its obligations under HIPAA.
16.4 Business Associate shall comply with reasonable policies and procedures Covered Entity implements regarding the services performed by Business Associate on behalf of Covered Entity to allow Covered Entity to meet its obligations under HIPAA, provided that Covered Entity provides Business Associate with timely notice of such policies and procedures.
Appears in 1 contract
Sources: Services Agreement