Common use of Governmental Access to Records Clause in Contracts

Governmental Access to Records. Business Associate shall make its facilities, internal practices, books, records, and other sources of information, including PHI, available to the Secretary for purposes of determining compliance with the HIPAA Rules in accordance with 45 C.F.R. 160.310. Audit, Inspection and Enforcement. Business Associate shall obtain and update at least annually a written assessment performed by an independent third party reasonably acceptable to Covered Entity, which evaluates the Information Security of the applications, infrastructure, and processes that interact with the Covered Entity data Business Associate receives, manipulates, stores and distributes. Upon request by Covered Entity, Business Associate shall provide to Covered Entity the executive summary of the assessment. Business Associate, upon the request of Covered Entity, shall fully cooperate with Covered Entity’s efforts to audit Business Associate’s compliance with applicable HIPAA Rules. If, through audit or inspection, Covered Entity determines that Business Associate’s conduct would result in violation of the HIPAA Rules or is in violation of the Contract or this Agreement, Business Associate shall promptly remedy any such violation and shall certify completion of its remedy in writing to Covered Entity. Appropriate Safeguards. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided in this Agreement. Business Associate shall safeguard the PHI from tampering and unauthorized disclosures. Business Associate shall maintain the confidentiality of passwords and other data required for accessing this information. Business Associate shall extend protection beyond the initial information obtained from Covered Entity to any databases or collections of PHI containing information derived from the PHI. 
The provisions of this section shall be in force unless PHI is de-identified in conformance to the requirements of the HIPAA Rules. Safeguard During Transmission. Business Associate shall use reasonable and appropriate safeguards including, without limitation, Information Security measures to ensure that all transmissions of PHI are authorized and to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate shall not transmit PHI over the internet or any other insecure or open communication channel unless the PHI is encrypted or otherwise safeguarded with a FIPS-compliant encryption algorithm. Reporting of Improper Use or Disclosure and Notification of Breach. Business Associate shall, as soon as reasonably possible, but immediately after discovery of a Breach, notify Covered Entity of any use or disclosure of PHI not provided for by this Agreement, including a Breach of Unsecured Protected Health Information as such notice is required by 45 C.F.R. 164.410 or a breach for which notice is required under §00-00-000, C.R.S. Such notice shall include the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall, as soon as reasonably possible, but immediately after discovery of any Security Incident that does not constitute a Breach, notify Covered Entity of such incident. Business Associate shall have the burden of demonstrating that all notifications were made as required, including evidence demonstrating the necessity of any delay. Business Associate’s Insurance and Notification Costs. 
Business Associate shall bear all costs of a Breach response including, without limitation, notifications, and shall maintain insurance to cover: loss of PHI data; Breach notification requirements specified in HIPAA Rules and in §00-00-000, C.R.S.; and claims based upon alleged violations of privacy rights through improper use or disclosure of PHI. All such policies shall meet or exceed the minimum insurance requirements of the Contract or otherwise as may be approved by Covered Entity (e.g., occurrence basis, combined single dollar limits, annual aggregate dollar limits, additional insured status, and notice of cancellation). Business Associate shall provide Covered Entity a point of contact who possesses relevant Information Security knowledge and is accessible 24 hours per day, 7 days per week to assist with incident handling. Business Associate, to the extent practicable, shall mitigate any harmful effect known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of this Agreement. Subcontractors and Breaches. Business Associate shall enter into a written agreement with each of its Subcontractors and agents, who create, receive, maintain, or transmit PHI on behalf of Business Associate. The agreements shall require such Subcontractors and agents to report to Business Associate any use or disclosure of PHI not provided for by this Agreement, including Security Incidents and Breaches of Unsecured Protected Health Information, on the first day such Subcontractor or agent knows or should have known of the Breach as required by 45 C.F.R. 164.410. Business Associate shall notify Covered Entity of any such report and shall provide copies of any such agreements to Covered Entity on request. Data Ownership. Business Associate acknowledges that Business Associate has no ownership rights with respect to the PHI. 
Upon request by Covered Entity, Business Associate immediately shall provide Covered Entity with any keys to decrypt information that the Business Association has encrypted and maintains in encrypted form, or shall provide such information in unencrypted usable form. Retention of PHI. Except upon termination of this Agreement as provided in Section below, Business Associate and its Subcontractors or agents shall retain all PHI throughout the term of this Agreement, and shall continue to maintain the accounting of disclosures required under Section above, for a period of six years. Obligations of Covered Entity Safeguards During Transmission. Covered Entity shall be responsible for using appropriate safeguards including encryption of PHI, to maintain and ensure the confidentiality, integrity, and security of PHI transmitted pursuant to this Agreement, in accordance with the standards and requirements of the HIPAA Rules. Notice of Changes. Covered Entity maintains a copy of its Notice of Privacy Practices on its website. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission to use or disclose PHI, to the extent that it may affect Business Associate’s permitted or required uses or disclosures. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. 164.522, to the extent that it may affect Business Associate’s permitted use or disclosure of PHI. Termination

Appears in 4 contracts

Samples: HIPAA Business Associate Agreement, HIPAA Business Associate Agreement, HIPAA Business Associate Agreement


Governmental Access to Records. Business Associate shall make its facilities, internal practices, books, records, and other sources of information, including PHI, available to the Secretary for purposes of determining compliance with the HIPAA Rules in accordance with 45 C.F.R. 160.310. Audit, Inspection and Enforcement. Business Associate shall obtain and update at least annually a written assessment performed by an independent third party reasonably acceptable to Covered Entity, which evaluates the Information Security of the applications, infrastructure, and processes that interact with the Covered Entity data Business Associate receives, manipulates, stores and distributes. Upon request by Covered Entity, Business Associate shall provide to Covered Entity the executive summary of the assessment. Business Associate, upon the request of Covered Entity, shall fully cooperate with Covered Entity’s efforts to audit Business Associate’s compliance with applicable HIPAA Rules. If, through audit or inspection, Covered Entity determines that Business Associate’s conduct would result in violation of the HIPAA Rules or is in violation of the Contract or this Agreement, Business Associate shall promptly remedy any such violation and shall certify completion of its remedy in writing to Covered Entity. Appropriate Safeguards. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided in this Agreement. Business Associate shall safeguard the PHI from tampering and unauthorized disclosures. Business Associate shall maintain the confidentiality of passwords and other data required for accessing this information. Business Associate shall extend protection beyond the initial information obtained from Covered Entity to any databases or collections of PHI containing information derived from the PHI. 
The provisions of this section shall be in force unless PHI is de-identified in conformance to the requirements of the HIPAA Rules. Safeguard During Transmission. Business Associate shall use reasonable and appropriate safeguards including, without limitation, Information Security measures to ensure that all transmissions of PHI are authorized and to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate shall not transmit PHI over the internet or any other insecure or open communication channel unless the PHI is encrypted or otherwise safeguarded with a FIPS-compliant encryption algorithm. Reporting of Improper Use or Disclosure and Notification of Breach. Business Associate shall, as soon as reasonably possible, but immediately after discovery of a Breach, notify Covered Entity of any use or disclosure of PHI not provided for by this Agreement, including a Breach of Unsecured Protected Health Information as such notice is required by 45 C.F.R. 164.410 or a breach for which notice is required under §00-00-000, C.R.S. Such notice shall include the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall, as soon as reasonably possible, but immediately after discovery of any Security Incident that does not constitute a Breach, notify Covered Entity of such incident. Business Associate shall have the burden of demonstrating that all notifications were made as required, including evidence demonstrating the necessity of any delay. Business Associate’s Insurance and Notification Costs. 
Business Associate shall bear all costs of a Breach response including, without limitation, notifications, and shall maintain insurance to cover: loss of PHI data; Breach notification requirements specified in HIPAA Rules and in §00-00-000, C.R.S.; and claims based upon alleged violations of privacy rights through improper use or disclosure of PHI. All such policies shall meet or exceed the minimum insurance requirements of the Contract or otherwise as may be approved by Covered Entity (e.g., occurrence basis, combined single dollar limits, annual aggregate dollar limits, additional insured status, and notice of cancellation). Business Associate shall provide Covered Entity a point of contact who possesses relevant Information Security knowledge and is accessible 24 hours per day, 7 days per week to assist with incident handling. Business Associate, to the extent practicable, shall mitigate any harmful effect known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of this Agreement. Subcontractors and Breaches. Business Associate shall enter into a written agreement with each of its Subcontractors and agents, who create, receive, maintain, or transmit PHI on behalf of Business Associate. The agreements shall require such Subcontractors and agents to report to Business Associate any use or disclosure of PHI not provided for by this Agreement, including Security Incidents and Breaches of Unsecured Protected Health Information, on the first day such Subcontractor or agent knows or should have known of the Breach as required by 45 C.F.R. 164.410. Business Associate shall notify Covered Entity of any such report and shall provide copies of any such agreements to Covered Entity on request. Data Ownership. Business Associate acknowledges that Business Associate has no ownership rights with respect to the PHI. 
Upon request by Covered Entity, Business Associate immediately shall provide Covered Entity with any keys to decrypt information that the Business Association has encrypted and maintains in encrypted form, or shall provide such information in unencrypted usable form. Retention of PHI. Except upon termination of this Agreement as provided in Section 5, below, Business Associate and its Subcontractors or agents shall retain all PHI throughout the term of this Agreement, and shall continue to maintain the accounting of disclosures required under Section 3.h, above, for a period of six years. Obligations of Covered Entity Safeguards During Transmission. Covered Entity shall be responsible for using appropriate safeguards including encryption of PHI, to maintain and ensure the confidentiality, integrity, and security of PHI transmitted pursuant to this Agreement, in accordance with the standards and requirements of the HIPAA Rules. Notice of Changes. Covered Entity maintains a copy of its Notice of Privacy Practices on its website. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission to use or disclose PHI, to the extent that it may affect Business Associate’s permitted or required uses or disclosures. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. 164.522, to the extent that it may affect Business Associate’s permitted use or disclosure of PHI. Termination

Appears in 3 contracts

Samples: HIPAA Business Associate Agreement, HIPAA Business Associate Agreement, HIPAA Business Associate Agreement


Governmental Access to Records. Business Associate shall make its facilities, internal practices, books, records, and other sources of information, including PHI, available to the Secretary for purposes of determining compliance with the HIPAA Rules in accordance with 45 C.F.R. 160.310. Audit, Inspection and Enforcement. Business Associate shall obtain and update at least annually a written assessment performed by an independent third party reasonably acceptable to Covered Entity, which evaluates the Information Security of the applications, infrastructure, and processes that interact with the Covered Entity data Business Associate receives, manipulates, stores and distributes. Upon request by Covered Entity, Business Associate shall provide to Covered Entity the executive summary of the assessment. Business Associate, upon the request of Covered Entity, shall fully cooperate with Covered Entity’s efforts to audit Business Associate’s compliance with applicable HIPAA Rules. If, through audit or inspection, Covered Entity determines that Business Associate’s conduct would result in violation of the HIPAA Rules or is in violation of the Contract or this Agreement, Business Associate shall promptly remedy any such violation and shall certify completion of its remedy in writing to Covered Entity. Appropriate Safeguards. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided in this Agreement. Business Associate shall safeguard the PHI from tampering and unauthorized disclosures. Business Associate shall maintain the confidentiality of passwords and other data required for accessing this information. Business Associate shall extend protection beyond the initial information obtained from Covered Entity to any databases or collections of PHI containing information derived from the PHI. 
The provisions of this section shall be in force unless PHI is de-identified in conformance to the requirements of the HIPAA Rules. Safeguard During Transmission. Business Associate shall use reasonable and appropriate safeguards including, without limitation, Information Security measures to ensure that all transmissions of PHI are authorized and to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate shall not transmit PHI over the internet or any other insecure or open communication channel unless the PHI is encrypted or otherwise safeguarded with a FIPS-compliant encryption algorithm. Reporting of Improper Use or Disclosure and Notification of Breach. Business Associate shall, as soon as reasonably possible, but immediately after discovery of a Breach, notify Covered Entity of any use or disclosure of PHI not provided for by this Agreement, including a Breach of Unsecured Protected Health Information as such notice is required by 45 C.F.R. 164.410 or a breach for which notice is required under §00-00-000, C.R.S. Such notice shall include the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall, as soon as reasonably possible, but immediately after discovery of any Security Incident that does not constitute a Breach, notify Covered Entity of such incident. Business Associate shall have the burden of demonstrating that all notifications were made as required, including evidence demonstrating the necessity of any delay. Business Associate’s Insurance and Notification Costs. 
Business Associate shall bear all costs of a Breach response including, without limitation, notifications, and shall maintain insurance to cover: loss of PHI data; Breach notification requirements specified in HIPAA Rules and in §00-00-000, C.R.S.; and claims based upon alleged violations of privacy rights through improper use or disclosure of PHI. All such policies shall meet or exceed the minimum insurance requirements of the Contract or otherwise as may be approved by Covered Entity (e.g., occurrence basis, combined single dollar limits, annual aggregate dollar limits, additional insured status, and notice of cancellation). Business Associate shall provide Covered Entity a point of contact who possesses relevant Information Security knowledge and is accessible 24 hours per day, 7 days per week to assist with incident handling. Business Associate, to the extent practicable, shall mitigate any harmful effect known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of this Agreement. Subcontractors and Breaches. Business Associate shall enter into a written agreement with each of its Subcontractors and agents, who create, receive, maintain, or transmit PHI on behalf of Business Associate. The agreements shall require such Subcontractors and agents to report to Business Associate any use or disclosure of PHI not provided for by this Agreement, including Security Incidents and Breaches of Unsecured Protected Health Information, on the first day such Subcontractor or agent knows or should have known of the Breach as required by 45 C.F.R. 164.410. Business Associate shall notify Covered Entity of any such report and shall provide copies of any such agreements to Covered Entity on request. Data Ownership. Business Associate acknowledges that Business Associate has no ownership rights with respect to the PHI. 
Upon request by Covered Entity, Business Associate immediately shall provide Covered Entity with any keys to decrypt information that the Business Association has encrypted and maintains in encrypted form, or shall provide such information in unencrypted usable form. Retention of PHI. Except upon termination of this Agreement as provided in Section below, Business Associate and its Subcontractors or agents shall retain all PHI throughout the term of this Agreement, and shall continue to maintain the accounting of disclosures required under Section above, for a period of six years. Obligations of Covered Entity Safeguards During Transmission. Covered Entity shall be responsible for using appropriate safeguards including encryption of PHI, to maintain and ensure the confidentiality, integrity, and security of PHI transmitted pursuant to this Agreement, in accordance with the standards and requirements of the HIPAA Rules. Notice of Changes. Covered Entity maintains a copy of its Notice of Privacy Practices on its website. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission to use or disclose PHI, to the extent that it may affect Business Associate’s permitted or required uses or disclosures. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. 164.522, to the extent that it may affect Business Associate’s permitted use or disclosure of PHI. Termination.

Appears in 1 contract

Samples: Business Associate Agreement
