Common use of Responsibilities of the Parties With Respect to Phi Clause in Contracts

Responsibilities of the Parties With Respect to Phi. Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: Use and/or disclose the PHI only as permitted or required by this BA Agreement or as otherwise required by law. To the extent the business associate is to carry out one or more of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s). Use appropriate safeguards to protect the privacy and security of PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information (EPHI), to prevent use or disclosure of PHI other than as provided for by this BA Agreement. Business Associate acknowledges its obligations under HIPAA and agrees to comply with any and all privacy and security provisions not otherwise specifically addressed in the Agreement made applicable to Business Associate by HIPAA on the applicable effective date and any subsequent regulations promulgated under HIPAA and/or guidance thereto. Business Associate acknowledges that: (i) the foregoing requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity; and (ii) Business Associate shall be subject to the civil and criminal enforcement provisions set forth at 42 USC 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the requirements and any applicable guidance subsequently issued by the Secretary of the Department of Health and Human Services (“Secretary”) with respect to such requirements. Disclose to its subcontractors, agents, or other third parties, and request from the Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder. Business Associate agrees that any EPHI it creates, receives, maintains, or transmits will be maintained or transmitted in a manner that is rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Covered Entity’s PHI. Require all of its subcontractors and agents that receive, use, or have access to PHI under this BA Agreement to agree, in a written Business Associate Agreement, to adhere to the same or more stringent restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to this BA Agreement. Make available all records, books, agreements, policies, and procedures relating to the use and/or disclosure of PHI to the Secretary for purposes of investigating or determining compliance with HIPAA. Upon prior written request, make available to the Covered Entity during normal business hours at Business Associate’s offices all records, books, agreements, policies, and procedures relating to the use and/or disclosure of Covered Entity’s PHI to determine the Business Associate’s compliance with the terms of this BA Agreement. Business Associate agrees to document any and all disclosures of PHI that require an accounting of disclosures as would be required under 45 CFR §164.528. Business Associate further agrees, within 30 days of receiving a written request from the Covered Entity, to provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 CFR §164.528. The Business Associate agrees to notify the Covered Entity within seventy-two (72) hours of discovery of:

Responsibilities of the Parties With Respect to Phi. Responsibilities of the Business AssociateSubcontractor. With regard to its use and/or disclosure of PHI, the Business Associate Subcontractor hereby agrees to do the following: Use and/or disclose the PHI only as permitted or required by this BA HIPAA Subcontractor Agreement or as otherwise required by law. To the extent the business associate subcontractor is to carry out one or more of covered entityBusiness Associate and/or Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s). Use appropriate safeguards to protect the privacy and security of PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information (EPHI), to prevent use or disclosure of PHI other than as provided for by this BA HIPAA Subcontractor Agreement. Business Associate Subcontractor acknowledges its obligations under HIPAA and agrees to comply with any and all privacy and security provisions not otherwise specifically addressed in the Agreement made applicable to Business Associate Subcontractor by HIPAA on the applicable effective date and any subsequent regulations promulgated under HIPAA and/or guidance thereto. Business Associate Subcontractor acknowledges that: (i) that the foregoing requirements shall apply to Business Associate Subcontractor in the same manner that such requirements apply to Covered Entity; Business Associate, and (ii) Business Associate Subcontractor shall be subject to the civil and criminal enforcement provisions set forth at 42 USC 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the requirements and any applicable guidance subsequently issued by the Secretary of the Department of Health and Human Services (“Secretary”) with respect to such requirements. Disclose to its subcontractors, agents, or other third parties, and request from the Covered EntityBusiness Associate, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder. Business Associate Subcontractor agrees that any EPHI it creates, receives, maintains, or transmits will be maintained or transmitted in a manner that is rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Business Associate and/or Covered Entity’s PHI. Require all of its subcontractors and agents that receive, use, or have access to PHI under this BA HIPAA Subcontractor Agreement to agree, in a written Business Associate HIPAA Subcontractor Agreement, to adhere to the same or more stringent restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate Subcontractor pursuant to this BA HIPAA Subcontractor Agreement. Make available all records, books, agreements, policies, and procedures relating to the use and/or disclosure of PHI to the Secretary for purposes of investigating or determining compliance with HIPAA. Upon prior written request, make available to the Covered Entity Business Associate during normal business hours at Business AssociateSubcontractor’s offices all records, books, agreements, policies, and procedures relating to the use and/or disclosure of Business Associate and/or Covered Entity’s PHI to determine the Business AssociateSubcontractor’s compliance with the terms of this BA HIPAA Subcontractor Agreement. Business Associate Subcontractor agrees to document any and all disclosures of PHI that require an accounting of disclosures as would be required under 45 CFR §164.528. Business Associate Subcontractor further agrees, within 30 days of receiving a written request from the Covered EntityBusiness Associate, to provide to the Covered Entity Business Associate such information as is requested by the Covered Entity Business Associate to permit the Business Associate and/or Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 CFR §164.528. The Business Associate Subcontractor agrees to notify the Covered Entity Business Associate within seventy-two (72) hours of discovery of:

Responsibilities of the Parties With Respect to Phi. Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following: Use and/or disclose the PHI only as permitted or required by this BA Agreement or as otherwise required by law. To the extent the business associate is to carry out one or more of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s). Use appropriate safeguards to protect the privacy and security of PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information (EPHI), to prevent use or disclosure of PHI other than as provided for by this BA Agreement. Business Associate acknowledges its obligations under HIPAA and agrees to comply with any and all privacy and security provisions not otherwise specifically addressed in the Agreement made applicable to Business Associate by HIPAA on the applicable effective date and any subsequent regulations promulgated under HIPAA and/or guidance thereto. Business Associate acknowledges that: (i) the foregoing requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity; and (ii) Business Associate shall be subject to the civil and criminal enforcement provisions set forth at 42 USC 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the requirements and any applicable guidance subsequently issued by the Secretary of the Department of Health and Human Services (“Secretary”) with respect to such requirements. Disclose to its subcontractors, agents, or other third parties, and request from the Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder. Business Associate agrees that any EPHI it creates, receives, maintains, or transmits will be maintained or transmitted in a manner that is rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Covered Entity’s PHI. Require all of its subcontractors and agents that receive, use, or have access to PHI under this BA Agreement to agree, in a written Business Associate Agreement, to adhere to the same or more stringent restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to this BA Agreement. Make available all records, books, agreements, policies, and procedures relating to the use and/or disclosure of PHI to the Secretary for purposes of investigating or determining compliance with HIPAA. Upon prior written request, make available to the Covered Entity during normal business hours at Business Associate’s offices all records, books, agreements, policies, and procedures relating to the use and/or disclosure of Covered Entity’s PHI to determine the Business Associate’s compliance with the terms of this BA Agreement. Business Associate agrees to document any and all disclosures of PHI that require an accounting of disclosures as would be required under 45 CFR §164.528. Business Associate further agrees, within 30 days of receiving a written request from the Covered Entity, to provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 CFR §164.528. The Business Associate agrees to notify the Covered Entity within seventy-two fifteen (7215) hours business days of discovery of: