PRIVACY AND SECURITY REQUIREMENTS FOR
PERSONALLLY IDENTIFIABLE HEALTH INFORMATION
As part of the Services provided by Subcontractor to NMHA in connection with the Grant, Subcontractor agrees treat all PIHI it receives, accesses, transmits, uses, or discloses, including without limitation information regarding an individuals' medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, as though it was PHI under HIPAA, regardless of whether it qualifies as such, and as to all PIHI to comply with the following requirements of the final regulations issued by the U.S. Department of Health and Human Services ("DHHS") pursuant to HIPAA, governing the privacy of individually identifiable health information obtained, created or maintained by certain entities, including health care providers (the "Privacy Standards"), and the security of electronic PHI collected, maintained, used, or transmitted by certain entities, including health care providers (the “Security Standards”).
All terms used, but not otherwise defined, in the Agreement or this Exhibit shall have the same meaning as the respective terms in 45 C.F.R. §§ 160.103, 164.501, 164.304 and 164.402 ("HIPAA Definitions"); provided that: (i) any reference to PHI in the HIPAA Definitions shall be understood to mean "PIHI", as defined in and for purposes of the Agreement and this Exhibit; (ii) any reference to "Covered Entity" in the HIPAA Definitions shall be understood to mean "NMHA" for purposes of this Exhibit; and (iii) any reference to "Business Associate" in the HIPAA Definitions shall be understood to mean "Subcontractor" for purposes of this Exhibit.
(a) Subcontractor agrees to not use or further disclose PIHI other than as required by law, or as permitted or required by the Agreement.
(b) Subcontractor agrees to use appropriate safeguards as outlined in HIPAA to prevent use or disclosure of the PIHI other than as provided for by this Agreement.
(c) Subcontractor agrees to report to NMHA any use or disclosure of the PIHI not provided for by this Agreement. NMHA, at its discretion, may require a written report. If a written report is requested, the written report or verbal report of disclosure should include:
(i) A description of the circumstances of the unauthorized use or disclosure
(ii) The PIHI used or disclosed
(iii) The person or persons making the unauthorized disclosure
(iv) The person or persons that received the unauthorized disclosure
(d) Subcontractor agrees to ensure that any agents, including a subcontractor, to whom it provides PIHI received from, or created or received by Subcontractor on behalf of NMHA agrees to the same restrictions and conditions that apply through this Exhibit to Subcontractor with respect to such information.
(e) Subcontractor agrees to make internal practices, books, and records relating to the use and disclosure of PIHI received from, or created or received by the Subcontractor on behalf of NMHA, to NMHA, for purposes of determining Subcontractor’s compliance with the Agreement including this Exhibit.
(f) Subcontractor agrees to make any amendments or corrections to PIHI maintained by Subcontractor within thirty (30) business days following a written request by the NMHA.
(g) Subcontractor agrees to comply with sections 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical safeguards), 164.316 (policies, procedures and documentation requirements) of the Security Rule, and the additional requirements of Title XIII of the Health Information Technology for Economic and Clinical Health Act contained in Public Law 111-5 (the “HITECH Act”) and any associated regulations that relate to security, with respect to the PIHI received from, or created or received by the Subcontractor on behalf of NMHA.
(h) Subcontractor agrees to ensure that any and all of Subcontractor’s subcontractors or agents to whom Subcontractor provides electronic PIHI agree to implement reasonable and appropriate safeguards to protect such electronic PIHI.
(i) Subcontractor agrees that it shall report promptly to NMHA any Security Incident of which Subcontractor becomes aware. The parties acknowledge and agree that this Section constitutes notice to Subcontractor by NMHA of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to NMHA shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Subcontractor’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PIHI.
(j) In the event of a Breach of any Unsecured PIHI that Subcontractor accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of NMHA, Subcontractor shall provide notice of such Breach to NMHA immediately, but in no event more than three (3) days or the time after discovering the Breach, or such lesser time as may be required under applicable federal or state law.
Notice of a Breach shall include, at a minimum: (i) the identification of each individual whose PIHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, (iii) the scope of the Breach, and (iv) a description of the Subcontractor’s response to the Breach.
In the event of a Breach, Subcontractor shall, in consultation with NMHA, mitigate, to the extent practicable, any harmful effect of such Breach that is known to Subcontractor.
(k) Subcontractor shall secure all electronic PIHI by a technology standard that renders the PIHI unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by Section 13101 of the HITECH Act.
(l) Subcontractor shall provide PIHI information in the electronic format to NMHA upon request.
(a) Except as otherwise limited in this Exhibit, Subcontractor may use PIHI for the proper management and administration of Subcontractor or to carry out the legal or contractual responsibilities of Subcontractor.
(b) Except as otherwise limited in this Agreement, Subcontractor may disclose PIHI for the proper management and administration of Subcontractor, provided that disclosures are required by law, or Subcontractor obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Subcontractor of any instances of which it is aware in which the confidentiality of the information has been breached.
(c) Subcontractor agrees to restrict any disclosures of PIHI to the extent directed by NMHA.
(a) Subcontractor shall not sell PIHI or otherwise, directly or indirectly, receive remuneration in exchange for any PIHI.
(b) Subcontractor shall not directly or indirectly receive payment for any use or disclosure of PIHI for marketing purposes except where permitted by the Agreement and consistent with applicable law.
(a) Term. Notwithstanding termination of the Agreement, this Exhibit shall terminate when all of the PIHI provided by NMHA to Subcontractor, or created or received by Subcontractor on behalf of NMHA, is destroyed or returned to NMHA, or, if it is infeasible to return or destroy PIHI, protections are extended to such information, in accordance with the termination provisions in this Section.
(b) Effect of Termination.
(i) Except as provided in paragraph (ii) of this Section, upon termination of the Agreement, for any reason, Subcontractor shall return or destroy all PIHI received from NMHA, or created or received by Subcontractor on behalf of NMHA. This provision shall apply to PIHI that is in the possession of subcontractors or agents of Subcontractor. Subcontractor shall retain no copies of the PIHI.
(ii) In the event that Subcontractor determines that returning or destroying the PIHI is infeasible, Subcontractor shall provide to NMHA notification of the conditions that make return or destruction infeasible. If the NMHA agrees that return or destruction of PHI is infeasible, Subcontractor shall extend the protections of this Exhibit to such PIHI and limit further uses and disclosures of such PIHI to those purposes that make the return or destruction infeasible, for so long as Subcontractor maintains such PIHI.
(c) The respective rights and obligations of Subcontractor under Section 5 (b) of this Exhibit shall survive the termination of the Agreement.
(a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.
(b) Interpretation. Any ambiguity in this Exhibit shall be resolved in favor of a meaning that would permits NMHA to comply with the Privacy Rule if the PIHI were PHI.