/Docs/G/MI-Business-Associate-Agt-CmA/0.md
GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE
  1. Use and Disclosure.
    Business Associate agrees not to use or disclose PHI, other than as permitted or required by this Agreement or as Required By Law. To the extent Business Associate is carrying out one or more of Covered Entity's obligations under the Privacy Rule pursuant to the terms of the Underlying Agreement and/or this Agreement, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).
  2. Appropriate Safeguards.
    Business Associate shall use appropriate physical, technical and administrative safeguards, and shall comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement or as Required by Law.
  3. Compliance.
    Comply with each applicable requirement of 45 C.F.R. Part 162 if the Business Associate conducts Standard Transactions for or on behalf of the Covered Entity.
  4. Mitigation.
    Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this Agreement's requirements.
  5. Breaching.
    Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this Agreement, including Breach of Unsecured PHI or Security Incident, without unreasonable delay.
  6. Reporting of Breaches.
    Business Associate will report any Breach of Unsecured PHI that Business Associate may discover to the extent required by 45 C.F.R. § 164.410. Business Associate will make such report without unreasonable delay, and in no case later than 60 calendar days after discovery of such breach.
  7. Reporting of Security Incidents.
    Business Associate will report on no less than a quarterly basis any Security Incidents involving PHI of which Business Associate becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
  8. Notification.
    Business Associate's notification shall be supplemented as soon as practicable, and will include, as information becomes available: (i) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (ii) to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; (iii) a description of the types of Unsecured PHI that were involved in the Breach; (iv) any steps individuals should take to protect themselves from potential harm resulting from the Breach; and (v) a brief description of what the Business Associate is doing to investigate the breach, mitigate harm to individuals, and protect against any further Breaches.
  9. Acknowledgment.
    The Parties acknowledge and agree that this Section 3.9 constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no further notice to Covered Entity by Business Associate shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, interception of encrypted information where the key is not compromised, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
  10. Subcontractors.
    Business Associate shall require any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate for services provided to Covered Entity, to agree, in writing, to restrictions, conditions and requirements at least as restrictive as those restrictions, conditions and requirements that apply to the Business Associate under this Agreement.
  11. Access to PHI.
    Within fifteen (15) days of receiving a written request from Covered Entity, Business Associate shall provide access to PHI in a Designated Record Set to the Covered Entity in accordance with 45 C.F.R. § 164.524. If an Individual makes a request for access pursuant to directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
  12. Amendment of PHI.
    Within fifteen (15) days of receiving a written request from Covered Entity, Business Associate shall make PHI contained in a Designated Record Set available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526. If an Individual makes a request for amendment directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward the request or inquiry to Covered Entity. Any response to such request or inquiry shall be the responsibility of Covered Entity.
  13. Accounting of Disclosures.
    Within fifteen (15) days of receiving a written request from Covered Entity, Business Associate shall provide to Covered Entity information collected in accordance with Section 3.15 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
  14. Access to Policies and Records.
    Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to the Secretary for the purpose of Covered Entity or the Secretary determining compliance with the HIPAA Rules.
  15. Documentation of Disclosures.
    Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall Account for PHI disclosures for up to the past six (6) years as requested by Covered Entity, which shall include (“Disclosure Information”): (i) the date of the disclosure, (ii) the name and, if known, the address of the recipient of the PHI, (iii) a brief description of the PHI disclosed, (iv) a brief statement of the purpose of and basis for the disclosure, and (v) any additional information Required by Law.