Obligations and Activities of Business Associates (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law.
(2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards.
(3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
(4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract.
(5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident of which it becomes aware.
(6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request.
(8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity.
(9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards.
(10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(12) Business Associate agrees to comply with any State or federal law that is more stringent than the Privacy Rule.
(13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316.
(14) In the event that an Individual requests that the Business Associate
(A) restrict disclosures of PHI;
(B) provide an accounting of disclosures of the Individual’s PHI;
(C) provide a copy of the Individual’s PHI in an Electronic Health Record; or
(D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without
(A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and
(B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations.
(16) Obligations in the Event of a Breach.
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract.
(B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach.
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information:
1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed.
2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach.
4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches.
5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.
Delivery and Acceptance of the Manuscript The Author shall deliver the Contribution to the Editor (or, if requested by the Publisher, to the Publisher) on or before Delivery Date (the “Delivery Date”) electronically in the Publisher's standard requested format or in such other form as may be agreed in writing with the Publisher. The Author shall retain a duplicate copy of the Contribution. The Contribution shall be in a form acceptable to the Publisher (acting reasonably) and in line with the instructions contained in the Publisher’s guidelines as provided to the Author by the Publisher. The Author shall provide at the same time, or earlier if the Publisher reasonably requests, any editorial, publicity or other information (and in such form or format) reasonably required by the Publisher. The Publisher may exercise such additional quality control of the manuscript as it may decide at its sole discretion including through the use of plagiarism checking systems and/or peer review by internal or external reviewers of its choice. If the Publisher decides at its sole discretion that the final manuscript does not conform in quality, content, structure, level or form to the stated requirements of the Publisher, the Publisher shall be entitled to terminate this Agreement in accordance with the provisions of this Clause. The Author must inform the Publisher at the latest on the Delivery Date if the sequence of the naming of any co-authors entering into this Agreement shall be changed. If there are any changes in the authorship (e.g. a co-author joining or leaving), then the Publisher must be notified by the Author in writing immediately and the Parties will amend this Agreement accordingly. The Publisher shall have no obligation to consider publication under this Agreement in the absence of such agreed amendment. If the Author fails to deliver the Contribution in accordance with the provisions of this Clause above by the Delivery Date (or within any extension period given by the Publisher at its sole discretion) or if the Author (or any co-author) dies or becomes incapacitated or otherwise incapable of performing the Author’s obligations under this Agreement, the Publisher shall be entitled to either: (a) elect to continue to perform this Agreement in accordance with its terms and the Publisher may commission an appropriate and competent person (who, in the case of co-authors having entered into this Agreement, may be a co-author) to complete the Contribution; or (b) terminate this Agreement with immediate effect by written notice to the Author or the Author's successors, in which case all rights granted by the Author to the Publisher under this Agreement shall revert to the Author/Author's successors (subject to the provisions of the Clause "Termination"). The Author agrees, at the request of the Publisher, to execute all documents and do all things reasonably required by the Publisher in order to confer to the Publisher all rights intended to be granted under this Agreement. The Author warrants that the Contribution is original except for any excerpts from other works including pre-published illustrations, tables, animations, text quotations, photographs, diagrams, graphs or maps, and whether reproduced from print or electronic or other sources ("Third Party Material") and that any such Third Party Material is in the public domain (or otherwise unprotected by copyright/other rights) or has been included with written permission from or on behalf of the rights holder (and if requested in a form prescribed or approved by the Publisher) at the Author's expense unless otherwise agreed in writing, or is otherwise used in accordance with applicable law. On request from the Publisher, the Author shall in writing indicate the precise sources of these excerpts and their location in the manuscript. The Author shall also retain the written permissions and make them available to the Publisher on request.
Obligations and Activities of Business Associate Business Associate agrees to:
1. Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law.
2. Use appropriate safeguards, and comply with Subpart C of 45 CFR, Part 164 with respect to protected electronic health information and to prevent use or disclosure of protected health information other than as provided for by this Agreement.
3. Report to Covered Entity any use or disclosure of protected health information not provided for by this Agreement of which it becomes aware, including breaches of unsecured protected health information as required by 45 CFR 164.410, and any security incident of which it becomes aware. Business Associate agrees to promptly notify Covered Entity following the discovery of a Breach of unsecured PHI. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured PHI shall include the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Security Incident or Breach as well as any other relevant information regarding the Security Incident or Breach.
4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
5. Business Associate agrees to mitigate, to the extent possible, any harmful resulting from use or disclosure of PHI by Business Associate or its agents or subcontractors, in violation of the requirements of this Agreement.
6. Maintain and make available protected health information in a designated record set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524. If an Individual makes a request for access to the protected health information directly to Business Associate, business associate shall notify covered entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual.
7. Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. If an Individual makes a request for amendment to the protected health information directly to Business Associate, Business Associate shall notify Covered Entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual.
8. Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528. If an Individual makes a request for accounting of disclosures directly to Business Associate, Business Associate shall notify Covered Entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual.
9. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligations(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
10. Make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.