4. Nondisclosure.
a. As Provided In Agreement. BA shall not use or further disclose CE’s PHI except as
permitted or required by this Agreement.
b. Disclosures Required By Law. BA shall not, without the prior written consent of CE,
disclose any PHI on the basis that such disclosure is required by law without notifying
CE so that CE shall have an opportunity to object to the disclosure and to seek
appropriate relief. If CE objects to such disclosure, BA shall refrain from disclosing the
PHI until CE has exhausted all alternatives for relief. BA shall require reasonable
assurances from persons receiving PHI in accordance with Section 3.b. hereof that such
persons will provide CE with similar notice and opportunity to object before disclosing
PHI on the basis that such disclosure is required by law.
c. Additional Restrictions. If CE notifies BA that CE has agreed to be bound by
additional restrictions on the uses or disclosures of CE’s PHI pursuant to HIPAA or the
HIPAA Regulations, BA shall be bound by such additional restrictions and shall not
disclose CE’s PHI in violation of such additional restrictions.
5. Safeguards, Reporting, Mitigation and Enforcement.
a. Safeguards. BA shall use any and all appropriate administrative, physical and
technical safeguards to (i) prevent use or disclosure of CE’s PHI otherwise than as
provided by this Agreement, and (ii) protect the confidentiality, integrity and availability
of any electronic PHI.
b. BA’s Agents. BA shall not disclose PHI to any agent or subcontractor of BA except
with the prior written consent of CE. BA shall ensure that any agents, including
subcontractors, to whom it provides PHI, agree in writing to be bound by the same
restrictions and conditions that apply to BA with respect to such PHI; provided, however,
that BA shall not disclose or provide access to CE’s PHI to any subcontractor or agent
without the prior consent of CE.
c. Reporting. BA shall report to CE [as soon as practicable] [within ____ days] of
BA becoming aware of any use or disclosure of CE’s PHI in violation of this Agreement
or applicable law. BA shall also report to CE within the same time-frame any Security
Incident of which it becomes aware [OPTIONS INCLUDE] [as soon as reasonably
practicable][within ____ days].
d. Mitigation. BA shall have procedures in place to mitigate, to the maximum extent
practicable, any deleterious effect from any use or disclosure of CE’s PHI in violation of
this Agreement or applicable law.
e. Sanctions. BA shall have and apply appropriate sanctions against any employee,
subcontractor or agent who uses or discloses CE’s PHI in violation of this Agreement or
applicable law.