Common use of Use and Disclosure of PHI Clause in Contracts

Use and Disclosure of PHI. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH ACT (codified as 42 USC § 17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).

Use and Disclosure of PHI. Business Associate may receive PHI from multiple sources, including but not limited to: (a) Covered Entity pursuant to the Collaborative Services Agreement; (b) other covered entities pursuant to Covered Entity’s collaborative services agreements with such other covered entities; and (c) other Camden Health Information Exchange (“HIE”) participants through Business Associate’s participation in the HIE. Business Associate may use and disclose HIE data and any PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity only as permitted or required by the Collaborative Services Agreement, this Agreement or as otherwise permitted or required by law. The services provided by Business Associate under the Collaborative Services Agreement include care management, certain consulting services, and HIE coordination. All such uses and disclosures also shall be in compliance with each applicable requirement of 45 C.F.R. § 164.504(e). Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in any manner that would constitute a violation of the Privacy Standards if used in such manner by Covered Entity. Except as otherwise provided limited in this BAAAgreement, Business Associate may use or disclose PHI as reasonably to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of the Business Associate’s business and Associate or to carry out its the legal responsibilitiesresponsibilities of the Business Associate. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for its the proper management and administrationadministration or to carry out the legal responsibilities of the Business Associate, provided that (i) the disclosures are Required by law; Law (as defined under 45 C.F.R. § 164.103), or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) obtains reasonable assurances from this third party the person to whom the information is disclosed that the PHI it will be held remain confidential as provided under this BAA and used or further disclosed only as required Required by law Law or for the purpose for which it was disclosed to this third party the person, and (b) an agreement from this third party to notify the person notifies the Business Associate immediately of any breaches instances of which it is aware in which the confidentiality of the PHI, to the extent it information has knowledge of the breachbeen breached. Business Associate will not use or disclose PHI in a manner other than Except as provided otherwise limited in this BAAAgreement, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH ACT (codified as 42 USC § 17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession. Business Associate may use PHI to report violations of law provide data aggregation services to appropriate Federal and State authorities, consistent with the Covered Entity as permitted by 45 CFR §164.502(j)(1C.F.R. § 164.504(e)(2)(i)(B). Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI unless Business Associate or Covered Entity has obtained a valid HIPAA-compliant authorization from the individual that specifies whether the PHI can be further exchanged for remuneration by Business Associate.

Use and Disclosure of PHI. Except as otherwise provided in this BAA, Business Associate may use or and disclose PHI as reasonably to provide the services described in the Agreement to received from Covered Entity, and to undertake other activities of Entity or created or received by Business Associate on behalf of Covered Entity only as permitted or required of Business Associate by this BAA or as required by law. Except To the extent that the Business Associate is to carry out one or more of the Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in any manner that would constitute a violation of the Privacy Standards if used in such manner by Covered Entity, except as otherwise limited by in this BAA Agreement. Business Associate may only use or federal disclose protected health information it receives or state law, is provided from the Covered Entity authorizes Business Associate necessary to use perform the PHI services set forth in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilitiesattached Participation Agreement. Business Associate may disclose PHI for its the proper management and administrationadministration or to carry out the legal responsibilities of the Business Associate, provided that (i) the disclosures are Required by law; Law (as defined under 45 C.F.R. § 164.103), or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) obtains reasonable assurances from this third party the person to whom the information is disclosed that the PHI it will be held remain confidential as provided under this BAA and used or further disclosed only as required Required by law Law or for the purpose for which it was disclosed to this third party the person, and (b) an agreement from this third party to notify the person notifies the Business Associate immediately of any breaches instances of which it is aware in which the confidentiality of the PHI, to the extent it information has knowledge of the breachbeen breached. Business Associate will not use or disclose PHI in a manner other than Except as provided otherwise limited in this BAAAgreement, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH ACT (codified as 42 USC § 17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession. Business Associate may use PHI to report violations of law provide data aggregation services to appropriate Federal the Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI unless Business Associate or Covered Entity has obtained a valid HIPAA-compliant authorization from the individual that specifies whether the PHI can be further exchanged for remuneration by Business Associate. Business Associate agrees to make uses and State authorities, consistent with disclosures for protected health information subject to the Minimum Necessary requirements in 45 CFR §164.502(j)(1)C.F.R. § 164.502(b) and § 164.514.

Use and Disclosure of PHI. Business Associate may use and disclose PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity only as permitted or required by the Exchange Agreement, this BAA, or as otherwise permitted or required by law. To the extent Business Associate is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate must comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations. All such uses and disclosures also shall be in compliance with each applicable requirement of 45 C.F.R. § 164.504(e). Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents, including subcontractors, do not use or disclose PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in any manner that would constitute a violation of the Privacy Standards if used in such manner by Covered Entity. Except as otherwise provided limited in this BAA, Business Associate may use or disclose PHI as reasonably to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of the Business Associate’s business and Associate or to carry out its the legal responsibilities. responsibilities of the Business Associate may disclose PHI for its proper management and administrationAssociate, provided that (i) the disclosures are Required by law; Law (as defined under 45 C.F.R. § 164.103), or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) obtains reasonable assurances from this third party the person to whom the information is disclosed that the PHI it will be held remain confidential as provided under this BAA and used or further disclosed only as required Required by law Law or for the purpose for which it was disclosed to this third party the person, and (b) an agreement from this third party to notify the person notifies the Business Associate immediately of any breaches instances of which it is aware in which the confidentiality of the PHI, to the extent it information has knowledge of the breachbeen breached. Business Associate will not use or disclose PHI in a manner other than Except as provided otherwise limited in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH ACT (codified as 42 USC § 17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession. Business Associate may use PHI to report violations of law provide data aggregation services to appropriate Federal and State authorities, consistent with the Covered Entity as permitted by 45 CFR §164.502(j)(1C.F.R. § 164.504(e)(2)(i)(B). Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI unless Business Associate or Covered Entity has obtained a valid HIPAA-compliant authorization from the individual that specifies whether the PHI can be further exchanged for remuneration by Business Associate.

Use and Disclosure of PHI. Except Business Associate shall use and/or disclose PHI: (a) only to the extent necessary to perform its duties under the Agreement; (b) to comply with its obligations or as otherwise provided in permitted under this BAA, (c) as required by law and in compliance with each applicable requirement of 45 CFR §164.504(e); and (d) to the extent necessary for Business Associate’s proper management and administration. In addition to the uses and disclosures permitted below, Business Associate may also use or and disclose PHI as reasonably PHI: (i) to provide the services described create a limited data set in the Agreement to Covered Entityaccordance with 45 CFR §164.514, which limited data set may be used and to undertake other activities of disclosed by Business Associate as permitted by law, including HIPAA; (ii) to respond to requests for PHI either accompanied by an authorization that meets the requirements of 45 CFR §164.508 or required of from a covered entity or health care provider in accordance with 45 CFR §164.506(c) and (iii) as otherwise authorized in writing by Covered Entity or Plan Sponsor on its behalf. In all disclosures, Business Associate by this BAA shall comply with: (1) the applicable provisions of Title 45, Part 164 of the CFR and (2) applicable State privacy laws, rules and regulations not preempted pursuant to Title 45, Part 160, Subpart B of the CFR or the Employee Retirement Income Security Act of 1974 (“ERISA”), as required by law. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilitiesamended. Business Associate may disclose such PHI as necessary for its Business Associate’s proper management and administration, administration or to carry out Business Associate’s legal responsibilities provided that (i) the disclosures are by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party that: (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as disclosure is required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH ACT (codified as 42 USC § 17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession. Business Associate may use PHI including to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §§ 164.502(j)(1).); or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon Business Associate pursuant to this BAA), and that the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached