N. “Security Incident” means the attempted or successful unauthorized
access, use, disclosure, modification, or destruction of information or
interference with system operations in an information system.
O. “Security Rule” means the Security Standards for the Protection of
Electronic Health Information provided in 45 CFR Part 160 & Part 164,
Subparts A and C.
P. “Unsecured Protected Health Information” or “Unsecured PHI” means any
“protected health information” as defined in 45 CFR §§164.501 and
160.103 that is not rendered unusable, unreadable, or indecipherable to
unauthorized individuals through the use of a technology or methodology
specified by the HHS Secretary in the guidance issued pursuant to the
HITECH Act and codified at 42 USC § 17932(h).
2. Use and Disclosure of PHI.
A. Except as otherwise provided in this BAA, Business Associate may use or
disclose PHI as reasonably necessary to provide the services described in the
Agreement to Covered Entity, and to undertake other activities of
Business Associate permitted or required of Business Associate by this
BAA or as required by law.
B. Except as otherwise limited by this BAA or federal or state law, Covered
Entity authorizes Business Associate to use the PHI in its possession for
the proper management and administration of Business Associate’s
business and to carry out its legal responsibilities. Business Associate
may disclose PHI for its proper management and administration, provided
that (i) the disclosures are required by law; or (ii) Business Associate obtains, in
writing, prior to making any disclosure to a third party (a) reasonable
assurances from this third party that the PHI will be held confidential as
provided under this BAA and used or further disclosed only as required by
law or for the purpose for which it was disclosed to this third party and (b)
an agreement from this third party to notify Business Associate
immediately of any breaches of the confidentiality of the PHI, to the extent
it has knowledge of the breach.
C. Business Associate will not use or disclose PHI in a manner other than as
provided in this BAA, as permitted under the Privacy Rule, or as required
by law. Business Associate will use or disclose PHI, to the extent
practicable, as a limited data set or limited to the minimum necessary
amount of PHI to carry out the intended purpose of the use or disclosure,
in accordance with Section 13405(b) of the HITECH Act (codified as 42
USC § 17935(b)) and any of the act’s implementing regulations adopted
by HHS, for each use or disclosure of PHI.
D. Upon request, Business Associate will make available to Covered Entity
any of Covered Entity’s PHI that Business Associate or any of its agents
or subcontractors have in their possession.
E. Business Associate may use PHI to report violations of law to appropriate
Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
3. Safeguards Against Misuse of PHI. Business Associate will use appropriate
safeguards to prevent the use or disclosure of PHI other than as provided by the