|
(iii) Minimum Necessary. The Business Associate will, in Its performance of the functions, activities, services,
<br />and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum
<br />amount of the Covered Entity's Protected Health Information reasonably necessary to accomplish the intended
<br />purpose of the use, disclosure or request, except that the Business Associate will not be obligated to comply
<br />with this minimum -necessary limitation if neither the Business Associate nor the Covered Entity is required to
<br />limit Its use, disclosure or request to the minimum necessary. The Business Associate and the Covered Entity
<br />acknowledge that the phrase "minimum necessary' shall be interpreted in accordance with the HITECH Act.
<br />(b) Prohibition on Unauthorized Use or Disclosure. The Business Associate will neither use nor disclose the
<br />Covered Entity's Protected Health Information, except as permitted or required by this Agreement or in writing by
<br />the Covered Entity or as Required by Law. This Agreement does not authorize the Business Associate to use or
<br />disclose the Covered Entity's Protected Health Information in a manner that will violate Subpart E of 45 CFR Part
<br />164 if done by the Covered Entity.
<br />(c) information Safeguards.
<br />(i) Privacy of the Covered Entity's Protected Health information. The Business Associate will develop,
<br />Implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the
<br />privacy of the Covered Entity's Protected Health Information. The safeguards must reasonably protect the
<br />Covered Entity's Protected Health Information from any Intentional or unintentional use or disclosure in violation
<br />of the Privacy Rule and limit incidental uses or disclosures made to a use or disclosure otherwise permitted by
<br />this Agreement.
<br />(ti) Security of the Covered Entity's Electronic Protected Health Information. The Business Associate will
<br />develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and
<br />appropriately protect the confidentiality, Integrity, and availability of Electronic Protected Health Information that
<br />the Business Associate creates, receives, maintains, or transmits on the Covered Entity's behalf as required by
<br />the Security Rule. The Business Associate will comply with Subpart C of 45 CFR Part 164 with respect to
<br />Electronic Protected Health Information, to prevent use or disclosure of protected health information other than
<br />as provided for by the Agreement,
<br />(iii) No Transfer of PHI Outside United States. Business Associate will not transfer Protected Health
<br />Information outside the United States without the prior written consent of the Covered Entity. In this context, a
<br />"transfer" outside the United States occurs if Business Associate's workforce members, agents, or
<br />subcontractors physically located outside the United States are able to access, use, or disclose Protected
<br />Health Information.
<br />(iv) Policies and Procedures. The Business Associate shall maintain written policies and procedures, conduct
<br />a risk analysis, and train and discipline its workforce.
<br />(d) Subcontractors and Agents. In accordance with 45 CFR 164.502(e)(1)(11) and 164.308(b)(2), if applicable, the
<br />Business Associate will ensure that any of Its Subcontractors and agents that create, receive, maintain, or transmit
<br />Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and
<br />requirements that apply to the Business Associate with respect to such Information.
<br />(e) Prohibition on Sale of Records. As of the effective date specified by HHS in final regulations to be Issued on
<br />this topic, the Business Associate shall not directly or Indirectly receive remuneration in exchange for any Protected
<br />Health Information of an individual unless the Covered Entity or Business Associate obtained from the individual, in
<br />accordance with 45 CFR §164.508, a valid authorization that includes a specification of whether the Protected
<br />Health Information can be further exchanged for remuneration by the entity receiving Protected Health Information
<br />of that individual, except as otherwise allowed under the HITECH Act.
<br />(f) Prohibition on Use or Disclosure of Genetic Information. Business Associate shall not use or disclose
<br />Genetic Information for underwriting purposes in violation of the HIPAA rules.
<br />(g) Penalties For Noncompliance. The Business Associate acknowledges that it is subject to civil and criminal
<br />enforcement for failure to comply with the privacy rule and security rule under the HIPAA Rules, as
<br />amended by the HITECH Act.
<br />25A-15
<br />
|