Business Associate Agreement Page 3
ADVERTISEMENT
1
2
3
4
5
6
7
81.16
Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have
the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402.
II.
Obligations and Activities of Business Associate
2.1
Business Associate agrees not to use or disclose Protected Health Information other than as
permitted or required by this BA Contract or as Required by Law.
2.2
Business Associate agrees to develop, implement, maintain and use appropriate administrative,
technical and physical safeguards to prevent use or disclosure of the Protected Health
Information, other than as provided for by this BA Contract.
2.3
Business Associate will develop, implement, maintain and use administrative, technical and
physical safeguards that reasonably and appropriately protect the confidentiality, integrity and
availability of Electronic Protected Health Information that Business Associate creates, receives,
maintains or transmits on Covered Entity’s behalf as required by the Security Rule.
2.4
Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known
to Business Associate of a use or disclosure of Protected Health Information by Business
Associate in violation of the requirements of this BA Contract.
2.5
Business Associate agrees to report to Covered Entity any use or disclosure of Protected Health
Information, including Electronic Protected Health Information, not provided for by this BA
Contract of which it becomes aware and/or any Security Incident of which it becomes aware.
2.6
Business Associate agrees to ensure that any agent, including a subcontractor, to whom it
provides Protected Health Information and/or Electronic Protected Health Information received
from, or created or received by Business Associate on behalf of Covered Entity agrees to the
same restrictions and conditions that apply through this BA Contract to Business Associate with
respect to such information. Moreover, Business Associate shall ensure that any such
subcontractor or agent agrees to implement reasonable and appropriate safeguards to protect
Covered Entity’s Protected Health Information.
2.7
As of the effective date specified by HHS in final regulations to be issued on this topic, Business
Associate shall not directly or indirectly receive remuneration in exchange for any Protected
Health Information of an individual unless the Covered Entity or Business Associate obtains from
the individual, in accordance with 45 CFR § 164.508, a valid authorization that includes a
specification of whether the Protected Health Information can be further exchanged for
remuneration by the entity receiving Protected Health Information of that individual, except as
otherwise allowed under HIPAA.
2.8
To the extent it maintains a Designated Record Set, Business Associate agrees to provide
access, at the request of Covered Entity, as soon as administratively practical and in no event
later than 30 days following the Covered Entity’s request, to Protected Health Information in a
Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in
order to meet the requirements under 45 CFR § 164.524.
2.9
To the extent it maintains a Designated Record Set, Business Associate agrees to make any
amendment(s) to Protected Health Information in a Designated Record Set that the Covered
Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an
Individual, as soon as administratively practicable.
2.10
Business Associate agrees to make internal practices, books, and records, including policies and
procedures and Protected Health Information, relating to the use and disclosure of Protected
Page 3 of 8
ADVERTISEMENT
0 votes
Related Articles
Related forms
Related Categories
Parent category: Business