Business Associate acknowledges and agrees that all Protected Health Information that is created, maintained, transmitted or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate, or Protected Health Information which, on behalf of Covered Entity, is created, maintained, transmitted or received by Business Associate or a Subcontractor, shall be subject to this BAA.
(a) Business Associate agrees:
(i) it is aware of and will comply with all provisions of HIPAA that are directly applicable to business associates;
(ii) in the event it enters into an agreement with a Subcontractor under which Protected Health Information could or would be disclosed or made available to the Subcontractor, to have in place an appropriate Business Associate Agreement with the Subcontractor before any Protected Health Information is disclosed or made available to the Subcontractor;
(iii) to use or disclose any Protected Health Information solely as would be permitted by HIPAA if such use or disclosure were made by Covered Entity: (1) for meeting its obligations as set forth in the Terms of Service, or any other agreements between the parties evidencing their business relationship or (2) as required by applicable law, rule or regulation, or as otherwise permitted under this BAA, the Terms of Service (if consistent with this BAA and HIPAA), or HIPAA;
(iv) at the request of the Secretary, to comply with any investigations and compliance reviews, permit access to information, provide records and compliance reports, and cooperate with any complaints, pursuant to 45 CFR § 160.310;
(v) at termination of this BAA or the Terms of Service, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form and retain no copies of such information, or if such return or destruction is not feasible, Business Associate will extend the protections of this BAA to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible;
(vi) to ensure that its Subcontractors to whom it provides Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity, agree to the same (or greater) restrictions and conditions that apply to Business Associate with respect to such information, and agrees to, pursuant to 45 CFR § 164.314, implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity and ensure that any Subcontractors to whom it provides such information agree to implement reasonable and appropriate safeguards to protect it;
(vii) Business Associate shall, following the discovery of a breach of unsecured Protected Health Information (as defined in HIPAA), notify Covered Entity of such breach of unsecured Protected Health Information pursuant to the terms of 45 CFR § 164.410 and cooperate in Covered Entity's breach analysis procedures, including risk assessment, if requested. A breach of unsecured Protected Health Information shall be treated as discovered by Business Associate as of the first day on which such breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will provide such notification to Covered Entity without unreasonable delay. Such notification will contain the elements required in 45 CFR § 164.410, to the extent known. Covered Entity shall be solely responsible to determine any required actions with respect to any such breach of unsecured Protected Health Information, and Business Associate shall reasonably cooperate with Covered Entity and comply with such actions; and
(b) Notwithstanding the prohibitions set forth in this BAA, Business Associate may use and disclose Protected Health Information as follows:
(i) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met:
(A) the disclosure is required by law; or
(B) Business Associate obtains satisfactory assurances through a written Business Associate Agreement from the Subcontractor to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the Subcontractor, and the Subcontractor notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
(ii) for Data Aggregation services, if to be provided by Business Associate for the Health Care Operations of Covered Entity pursuant to the Terms of Service or any other agreements between the parties evidencing their business relationship;
(iii) Business Associate and its Subcontractors may disclose information that is not individually identifiable health information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified.
Business Associate will implement appropriate safeguards, and comply, where applicable, with Subpart C of 45 CFR 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as permitted in this BAA.
The Secretary of Health and Human Services shall have the right to audit Business Associate's records and practices related to the use and disclosure of Protected Health Information to ensure Covered Entity's and Business Associate's compliance with the terms of HIPAA.
Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information which is not in compliance with the terms of this BAA of which it becomes aware. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware promptly and in the manner required by Covered Entity to permit compliance with the requirements of HIPAA. The parties agree that this section satisfies any notices necessary by the Business Associate to the Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to the Covered Entity shall be required. For purposes of this BAA, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on the firewall of the Business Associate, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic Protected Health Information.