Business Associate Agreement Page 4
ADVERTISEMENT
1
2
3
4
5
6
7
8Health Information received from, or created or received by Business Associate on behalf of,
Covered Entity available to the Secretary, in a time and manner designated by the Secretary, for
purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.
2.11
Business Associate agrees to document such disclosures of Protected Health Information and
information related to such disclosures as would be required for Covered Entity to respond to a
request by an Individual for an accounting of disclosures of Protected Health Information in
accordance with 45 CFR § 164.528.
2.12
Business Associate agrees to provide to Covered Entity or an Individual, within 30 days following
Covered Entity’s request, information collected in accordance with the Agreement and/or this BA
Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of
disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
2.13
If Business Associate conducts in whole or in part electronic transactions on behalf of Covered
Entity for which HHS has established standards, Business Associate will comply, and will require
any subcontractor to comply, with each applicable requirement of the Electronic Transaction
Rule. Business Associate shall also comply with the National Provider Identifier requirements, if
and to the extent applicable.
2.14
Business Associate acknowledges that it is subject to civil and criminal enforcement for failure to
comply with the Privacy Rule and Security Rule.
III.
Permitted Uses and Disclosures by Business Associate
3.1
General Use and Disclosure Provisions.
(a)
Except as otherwise limited in this Agreement, Business Associate may use or disclose
Protected Health Information to perform functions, activities or services for, or on behalf
of, Covered Entity as specified in the Agreement, provided that such use or disclosure
would not violate the Privacy Rule if done by Covered Entity or the minimum necessary
policies and procedures of the Covered Entity.
(b)
In the event Business Associate and Covered Entity have not entered into a services
agreement, Business Associate may use or disclose Protected Health Information on
behalf of, or to provide services to, Covered Entity for the following purposes, if such use
or disclosure of Protected Health Information would not violate the Privacy Rule if done
by Covered Entity or the minimum necessary policies and procedures of the Covered
Entity:
[List Purposes].
(c)
Business Associate will, in its performance of the functions, activities, services and
operations specified above, make reasonable efforts to use, to disclose and to request
only the minimum amount of Covered Entity’s Protected Health Information reasonably
necessary to accomplish the intended purpose of the use, disclosure or request, except
that Business Associate will not be obligated to comply with this minimum necessary
limitation if neither Business Associate nor Covered Entity is required to limit its use,
disclosure or request to the minimum necessary. Business Associate and Covered Entity
acknowledge that the phrase “minimum necessary” shall be interpreted in accordance
with the Health Information Technology for Economic and Clinical Health Act (“HITECH”)
and government guidance on the definition.
Page 4 of 8
ADVERTISEMENT
0 votes
Related Articles
Related forms
Related Categories
Parent category: Business