(iii) Minimum Necessary. The Business Associate will, in its performance of the functions, activities, services,
<br />and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum
<br />amount of the Covered Entity's Protected Health Information reasonably necessary to accomplish the intended
<br />purpose of the use, disclosure or request, except that the Business Associate will not be obligated to comply
<br />with this minimum necessary limitation if neither the Business Associate nor the Covered Entity is required to
<br />limit its use, disclosure or request to the minimum necessary. The Business Associate and the Covered Entity
<br />acknowledge that the phrase "minimum necessary" shall be interpreted in accordance with the HITECH Act.
<br />(b) Prohibition on Unauthorized Use or Disclosure. The Business Associate will neither use nor disclose the
<br />Covered Entity's Protected Health Information, except as permitted or required by this Agreement or in writing by
<br />the Covered Entity or as Required by Law. This Agreement does not authorize the Business Associate to use or
<br />disclose the Covered Entity's Protected Health Information in a manner that will violate Subpart E of 45 CFR Part
<br />164 if done by the Covered Entity.
<br />(c) Information Safeguards.
<br />(i) Privacy of the Covered Entity's Protected Health Information. The Business Associate will develop,
<br />implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the
<br />privacy of the Covered Entity's Protected Health Information. The safeguards must reasonably protect the
<br />Covered Entity's Protected Health Information from any intentional or unintentional use or disclosure in violation
<br />of the Privacy Rule and limit incidental uses or disclosures made to a use or disclosure otherwise permitted by
<br />this Agreement.
<br />(ii) Security of the Covered Entity's Electronic Protected Health Information. The Business Associate will
<br />develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and
<br />appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that
<br />the Business Associate creates, receives, maintains, or transmits on the Covered Entity's behalf as required by
<br />the Security Rule. The Business Associate will comply with Subpart C of 45 CFR Part 164 with respect to
<br />Electronic Protected Health Information, to prevent use or disclosure of protected health information other than
<br />as provided for by the Agreement.
<br />(iii) No Transfer of PHI Outside United States. Business Associate will not transfer Protected Health
<br />Information outside the United States without the prior written consent of the Covered Entity. In this context, a
<br />"transfer" outside the United States occurs if Business Associate's workforce members, agents, or
<br />subcontractors physically located outside the United States are able to access, use, or disclose Protected
<br />Health Information.
<br />(iv) Policies and Procedures. The Business Associate shall maintain written policies and procedures, conduct
<br />a risk analysis, and train and discipline its workforce.
<br />(d) Subcontractors and Agents. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, the
<br />Business Associate will ensure that any of its Subcontractors and agents that create, receive, maintain, or transmit
<br />Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and
<br />requirements that apply to the Business Associate with respect to such information.
<br />(e) Prohibition on Sale of Records. As of the effective date specified by HHS in final regulations to be issued on
<br />this topic, the Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected
<br />Health Information of an individual unless the Covered Entity or Business Associate obtained from the Individual, in
<br />accordance with 45 CFR §164.568, a valid authorization that includes a specification of whether the Protected
<br />Health Information can be further exchanged for remuneration by the entity receiving Protected Health Information
<br />of that Individual, except as otherwise allowed under the HITECH Act.
<br />(f) Prohibition on Use or Disclosure of Genetic Information. Business Associate shall not use or disclose
<br />Genetic Information for underwriting purposes in violation of the HIPAA rules.
<br />(g) Penalties For Noncompliance. The Business Associate acknowledges that it is subject to civil and criminal
<br />enforcement for failure to comply with the privacy rule and security rule under the HIPAA Rules, as
<br />amended by the HITECH Act.