Use and Disclosure of PHI Clause Samples

Use and Disclosure of PHI. Business Associate agrees not to Use or Disclose PHI except: 2.1.1. To provide Services required by the Underlying Agreement provided that to the extent Business Associate is to carry out any of Covered Entity's obligations under 45 C.F.R. 164 Subpart E, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in performing such obligations; 2.1.2. To satisfy its obligations under this BAA; 2.1.3. For the proper management and administration of Business Associate or to carry out its legal responsibilities when: (i) such Disclosure is Required by Law, provided that Business Associate shall not, without the prior written consent of Covered Entity, Disclose any PHI on the basis that such disclosure is Required by Law without notifying Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief. If Covered Entity objects to such disclosure, Business Associate shall refrain from disclosing the PHI until Covered Entity has exhausted all alternatives for relief. Business Associate shall require reasonable assurances from persons receiving PHI in accordance with this Section hereof that such persons will provide Covered Entity with similar notice and opportunity to object before disclosing PHI on the basis that such disclosure is Required by Law; or Business Associate obtains written confirmation from the person to whom the PHI is being Disclosed that: (i) such person will hold the PHI confidentially; (ii) such person will not Use or Disclose such PHI except as Required by Law or for the purpose(s) for which Business Associate Disclosed it to them, and (iii) such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached. 2.1.4. To the extent permitted in the Underlying Agreement or otherwise approved in writing by Covered Entity, Business Associate may Use PHI to provide Data Aggregation services to Covered Entity relating to the Health Care Operations of Covered Entity provided, however, that Business Associate may not disclose PHI to any other party in connection with such Data Aggregation activities without the express written permission of Covered Entity.

Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI:

Use and Disclosure of PHI. A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law. B. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach. C. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI. D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession. E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).

Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI: a. Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract.

Use and Disclosure of PHI. VRC shall use and disclose PHI to the minimal amount necessary (i) for purposes of performing under the Agreement; (ii) as permitted or required by this Agreement; or (iii) as Required by Law.

Use and Disclosure of PHI. MMBS may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose PHI. MMBS shall not use or disclose PHI received from the Medical Practice in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent MMBS carries out any of the Medical Practice’s obligations under the HIPAA Privacy Rule, MMBS shall comply with the requirements of the HIPAA Privacy Rule that apply to the Medical Practice in the performance of such obligations. Without limiting the generality of the foregoing, MMBS is permitted to use or disclose PHI as set forth below: (a) MMBS may use PHI internally for MMBS’s proper management and administrative services or to carry out its legal responsibilities; (b) MMBS may disclose PHI to a third party for MMBS’s proper management and administration, provided that the disclosure is Required by Law or MMBS obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentially of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS of any instances of which the person is aware in which the confidentiality of the PHI has been breached; (c) MMBS may use PHI to provide Data Aggregation services as defined by HIPAA; and (d) MMBS may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS may use, create, sell, disclose to third parties and otherwise exploit de- identified health information for any purposes not prohibited by law. MMBS owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement.

Use and Disclosure of PHI. Business Associate agrees not to use or disclose PHI other than as permitted or required by this BA Agreement or as Required by Law. Business Associate may: (a) use or disclose PHI to perform the Services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by Covered Entity; (b) use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate and disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; (c) use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B); and (d) use PHI to report violations of law or certain other conduct to appropriate federal and state authorities or other designated officials in a manner consistent with 45 CFR § 164.502(j)(1).

Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or applicable law, Business Associate shall not use, disclose or make amendment to PHI except as necessary to provide its services to Covered Entity as set forth in the an agreement for services between the Parties or as expressly authorized herein, and shall not use or disclose PHI that would violate the Privacy Rule if used or disclosed by Covered Entity.

Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or applicable law, Business Associate shall not use, maintain, transmit or disclose PHI except as necessary to provide services to or on behalf of Covered Entity and except as required by Law. Provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities. Business Associate shall in such cases: 3.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in HIPAA and this Agreement; 3.1.2 obtain reasonable assurances from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held confidential and further used and disclosed only as required by Law or for the purpose for which it was disclosed to the person or entity; and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached; 3.1.3 agree to notify the Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by HIPAA.