Required BAA Elements Sample Clauses
Required BAA Elements. ▇. ▇▇▇▇ must include the following elements as specified in the HIPAA Privacy Rule:
1. A description of the permitted and required uses of PHI by the Business Associate;
2. Provide that the Business Associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law;
3. Require that the Business Associate use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the BAA;
4. Require that the Business Associate use reasonable and required administrative, technical and physical safeguards to protect PHI and electronic PHI (ePHI);
5. Report to the Components’ Privacy Coordinator, the Director of Compliance and Privacy for Health Affairs with the Office of Compliance and Integrity, the HIPAA Security Officer with the Information Technology Division, the Office of General Counsel, the Components’ Director or Designee, or other FIU Workforce members as required by the terms of the BAA, contract, or other written document, any use or disclosure not permitted by the contract or law, including any suspected security incidents relating to ePHI;
6. Ensure that any agents, including subcontractors, to whom it provides PHI/ePHI received from FIU or its HIPAA Components, or created or received by the Business Associate on behalf of FIU or its HIPAA Components, agree to the same restrictions and conditions that apply to the Business Associate with respect to such information;
7. Make available to the HIPAA Component(s) the information necessary for the Component(s) to comply with patient rights to have access to their PHI (FIU Policy and Procedure #1660.050) (Patient Access to Protected Health Information), to request amendment of their PHI (FIU Policy and Procedure #1660.055) (Amendment of Protected Health Information), and receive an accounting of disclosures of their PHI (FIU Policy and Procedure #1660.060) (Accounting of Disclosures of Protected Health Information);
8. Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of FIU or the HIPAA Component(s) available to the Secretary of Health and Human Services for purposes of determining the HIPAA Component’s and/or the Business Associate’s compliance with the HIPAA Privacy and/or Security Rules; and
9. At termination of the contract, if feasible, return or destroy all PHI/ePHI rec...
