HomeMy WebLinkAbout20143690.tiff RESOLUTION
RE: APPROVE HIPAA BUSINESS ASSOCIATE AGREEMENT AND AUTHORIZE CHAIR
TO SIGN - PROFESSIONAL FINANCE COMPANY, INC.
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with a HIPAA Business Associate Agreement
between the County of Weld, State of Colorado, by and through the Board of County
Commissioners of Weld County, on behalf of the Department of Accounting, and Professional
Finance Company, Inc., commencing upon full execution of signature, with further terms and
conditions being as stated in said agreement, and
WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy
of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld
County, Colorado, that the HIPAA Business Associate Agreement between the County of Weld,
State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf
of the Department of Accounting, and Professional Finance Company, Inc., be, and hereby is,
approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to
sign said agreement.
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 26th day of November, A.D., 2014.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST:d44400 Sfc '• g
oX Is Radema a er, air
Weld County Clerk to the
' ' � Barbara Kirkmeyer, P o-Tem
BY: r'�'
p y Clerk tote • �
Sean, P.
Conway
APPROVED AS FORM:
���� D
Mike Fr
hty Attorney
Wiliam F. Garcia
Date of signature: '91/u
Cc, O-a--f 12/24
2014-3690
AC0021
HIPAA BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is made between the Weld County,
on behalf of Department of Accounting (a"Covered Department" or"Covered Entity"pursuant
to the Health Insurance Portability and Accountability Act or"HIPAA"), and Professional
Finance Company, Inc. ("Contractor"). For purposes of this Agreement, the Weld County
Department of Accounting is referred to as "Covered Entity" or"CE" and the Contractor is
referred to as "Associate".
RECITALS
A. CE wishes to disclose certain information to Associate pursuant to the terms of the
Agreement, some of which may constitute Protected Health Information ("PHI") (defined
below).
B. CE and Associate intend to protect the privacy and provide for the security of PHI
disclosed to Associate pursuant to this Agreement in compliance with the Health
Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d— 1320d-8
("HIPAA") as amended by the American Recovery and Reinvestment Act of 2009
("ARRA")/HITECH Act (P.L. 111-005), and its implementing regulations promulgated
by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160, 162 and 164
(the"HIPAA Rules") and other applicable laws, as amended.
C. As part of the HIPAA Rules,the CE is required to enter into a written contract containing
specific requirements with Associate prior to the disclosure of PHI, as set forth in, but not
limited to, Title 45, Sections 160.103, 164.502(e) and 164.504(e) of the Code of Federal
Regulations ("C.F.R.") and contained in this Agreement.
The parties agree as follows:
1. Definitions.
a. Except as otherwise defined herein, capitalized terms in this Agreement shall have
the definitions set forth in the HIPAA Rules at 45 C.F.R. Parts 160, 162 and 164, as amended.
In the event of any conflict between the mandatory provisions of the HIPAA Rules and the
provisions of this Agreement, the HIPAA Rules shall control. Where the provisions of this
Agreement differ from those mandated by the HIPAA Rules, but are nonetheless permitted by
the HIPAA Rules, the provisions of this Agreement shall control.
b. "Protected Health Information"or"PHI" means any information, whether oral or
recorded in any form or medium: (i)that relates to the past, present or future physical or mental
condition of an individual; the provision of health care to an individual; or the past, present or
future payment for the provision of health care to an individual; and(ii) that identifies the
individual or with respect to which there is a reasonable basis to believe the information can be
Page I of 10
2014-3690
used to identify the individual, and shall have the meaning given to such term under the HIPAA
Rules, including, but not limited to, 45 C.F.R. Section 164.501.
c. "Protected Information" shall mean PHI provided by CE to Associate or created
received, maintained or transmitted by Associate on CE's behalf To the extent Associate is a
covered entity under HIPAA and creates or obtains its own PHI for treatment, payment and
health care operations, Protected Information under this Agreement does not include any PHI
created or obtained by Associate as a covered entity and Associate shall follow its own policies
and procedures for accounting, access and amendment of Associate's PHI.
d. "Subcontractor" shall mean a third party to whom Associate delegates a function,
activity, or service that involves CE's Protected Information, in order to carry out the
responsibilities of this Agreement.
2. Obligations of Associate.
a. Permitted Uses. Associate shall not use Protected Information except for the
purpose of performing Associate's obligations under this Agreement. Further, Associate shall
not use Protected Information in any manner that would constitute a violation of the HIPAA
Rules if so used by CE, except that Associate may use Protected Information: (i) for the proper
management and administration of Associate; (ii)to carry out the legal responsibilities of
Associate; or(iii) for Data Aggregation purposes for the Health Care Operations of CE.
Additional provisions, if any, governing permitted uses of Protected Information are set forth in
Attachment A to this Agreement. Associate accepts full responsibility for any penalties incurred
as a result of Associate's breach of the HIPAA Rules.
b. Permitted Disclosures. Associate shall not disclose Protected Information in any
manner that would constitute a violation of the HIPAA Rules if disclosed by CE, except that
Associate may disclose Protected Information: (i) in a manner permitted pursuant to this
Agreement; (ii) for the proper management and administration of Associate; (iii) as required by
law; (iv) for Data Aggregation purposes for the Health Care Operations of CE; or(v) to report
violations of law to appropriate federal or state authorities, consistent with 45 C.F.R. Section
164.502(j)(1). To the extent that Associate discloses Protected Information to a third party
Subcontractor, Associate must obtain, prior to making any such disclosure: (i)reasonable
assurances through execution of a written agreement with such third party that such Protected
Information will be held confidential as provided pursuant to this Agreement and only disclosed
as required by law or for the purposes for which it was disclosed to such third party; and that
such third party will notify Associate within two(2) business days of any breaches of
confidentiality of the Protected Information, to the extent it has obtained knowledge of such
breach. Additional provisions, if any, governing permitted disclosures of Protected Information
are set forth in Attachment A.
c. Appropriate Safeguards. Associate shall implement appropriate safeguards as are
necessary to prevent the use or disclosure of Protected Information other than as permitted by
this Agreement. Associate shall comply with the requirements of the HIPAA Security Rule at 45
C.F.R. Sections 164.308, 164.310, 164.312,and 164.316. Associate shall maintain a
Page 2 of 10
comprehensive written information privacy and security program that includes administrative,
technical and physical safeguards appropriate to the size and complexity of the Associate's
operations and the nature and scope of its activities. Associate shall review, modify, and update
documentation of, its safeguards as needed to ensure continued provision of reasonable and
appropriate protection of Protected Information.
d. Reporting of Improper Use or Disclosure. Associate shall report to CE in writing
any use or disclosure of Protected Information other than as provided for by this Agreement
within five (5) business days of becoming aware of such use or disclosure.
e. Associate's Agents. If Associate uses one or more Subcontractors or agents to
provide services under the Agreement, and such Subcontractors or agents receive or have access
to Protected Information, each Subcontractor or agent shall sign an agreement with Associate
containing the same provisions as this Agreement and further identifying CE as a third party
beneficiary with rights of enforcement and indemnification from such Subcontractors or agents
in the event of any violation of such Subcontractor or agent agreement. The Agreement between
the Associate and Subcontractor or agent shall ensure that the Subcontractor or agent agrees to at
least the same restrictions and conditions that apply to Associate with respect to such Protected
Information. Associate shall implement and maintain sanctions against agents and
Subcontractors that violate such restrictions and conditions and shall mitigate the effects of any
such violation.
f. Access to Protected Information. If Associate maintains Protected Information
contained within CE's Designated Record Set, Associate shall make Protected Information
maintained by Associate or its agents or Subcontractors in such Designated Record Sets
available to CE for inspection and copying within ten (10) business days of a request by CE to
enable CE to fulfill its obligations to permit individual access to PHI under the HIPAA Rules,
including, but not limited to, 45 C.F.R. Section 164.524. If such Protected Information is
maintained by Associate in an electronic form or format, Associate must make such Protected
Information available to CE in a mutually agreed upon electronic form or format.
g. Amendment of PHI. If Associate maintains Protected Information contained
within CE's Designated Record Set, Associate or its agents or Subcontractors shall make such
Protected Information available to CE for amendment within ten (10) business days of receipt of
a request from CE for an amendment of Protected Information or a record about an individual
contained in a Designated Record Set, and shall incorporate any such amendment to enable CE
to fulfill its obligations with respect to requests by individuals to amend their PHI under the
HIPAA Rules, including, but not limited to,45 C.F.R. Section 164.526. If any individual
requests an amendment of Protected Information directly from Associate or its agents or
Subcontractors, Associate must notify CE in writing within five (5)business days of receipt of
the request. Any denial of amendment of Protected Information maintained by Associate or its
agents or Subcontractors shall be the responsibility of CE.
h. Accounting Rights. If Associate maintains Protected Information contained
within CE's Designated Record Set, Associate and its agents or Subcontractors shall make
available to CE within ten(10) business days of notice by CE, the information required to
Page 3 of 10
provide an accounting of disclosures to enable CE to fulfill its obligations under the HIPAA
Rules, including, but not limited to, 45 C.F.R. Section 164.528. In the event that the request for
an accounting is delivered directly to Associate or its agents or Subcontractors, Associate shall
within five(5) business days of the receipt of the request forward it to CE in writing. It shall be
CE's responsibility to prepare and deliver any such accounting requested. Associate shall not
disclose any Protected Information except as set forth in Section 2(b) of this Agreement.
i. Governmental Access to Records. Associate shall keep records and make its
internal practices, books and records relating to the use and disclosure of Protected Information
available to the Secretary of the U.S. Department of Health and Human Services (the
"Secretary"), in a time and manner designated by the Secretary, for purposes of determining
CE's or Associate's compliance with the HIPAA Rules. Associate shall provide to CE a copy of
any Protected Information that Associate provides to the Secretary concurrently with providing
such Protected Information to the Secretary when the Secretary is investigating CE. Associate
shall cooperate with the Secretary if the Secretary undertakes an investigation or compliance
review of Associate's policies, procedures or practices to determine whether Associate is
complying with the HIPAA Rules, and permit access by the Secretary during normal business
hours to its facilities, books, records, accounts, and other sources of information, including
Protected Information, that are pertinent to ascertaining compliance.
j. Minimum Necessary. Associate (and its agents or subcontractors) shall only
request, use and disclose the minimum amount of Protected Information necessary to accomplish
the purpose of the request, use or disclosure, in accordance with the Minimum Necessary
requirements of the HIPAA Rules including, but not limited to 45 C.F.R. Sections 164.502(b)
and 164.514(d).
k. Data Ownership. Associate acknowledges that Associate has no ownership rights
with respect to the Protected Information.
1. Retention of Protected Information. Except upon termination of the Agreement as
provided in Section 4(d), Associate and its Subcontractors or agents shall retain all Protected
Information throughout the term of this Agreement and shall continue to maintain the
information required under Section 2(h) for a period of six (6) years.
m. Associate's Insurance. Associate shall maintain insurance to cover loss of PHI
data and claims based upon alleged violations of privacy rights through improper use or
disclosure of PHI. All such policies shall meet or exceed the minimum insurance requirements
of the Agreement(e.g., occurrence basis, combined single dollar limits, annual aggregate dollar
limits, additional insured status and notice of cancellation).
n. Notice of Privacy Practices. Associate shall be responsible for reviewing CE's
Notice of Privacy Practices, available on CE's external website, to determine any requirements
applicable to Associate per this Agreement.
o. Notification of Breach. During the term of this Agreement, Associate shall notify
CE within two (2)business days of any suspected or actual breach of security, intrusion or
Page 4 of 10
unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in
violation of any applicable federal or state laws or regulations. Associate shall not initiate
notification to affected individuals per the HIPAA Rules without prior notification and approval
of CE. Information provided to CE shall include the identification of each individual whose
unsecured PHI has been, or is reasonably believed to have been accessed, acquired or disclosed
during the breach. Associate shall take (i)prompt corrective action to cure any such deficiencies
and (ii) any action pertaining to such unauthorized disclosure required by applicable federal and
state laws and regulations.
p. Audits, Inspection and Enforcement. Within ten (10)business days of a written
request by CE, Associate and its agents or subcontractors shall allow CE to conduct a reasonable
inspection of the facilities, systems, books, records, agreements, policies and procedures relating
to the use or disclosure of Protected Information pursuant to this Agreement for the purpose of
determining whether Associate has complied with this Agreement; provided, however, that: (i)
Associate and CE shall mutually agree in advance upon the scope, timing and location of such an
inspection; and (ii) CE shall protect the confidentiality of all confidential and proprietary
information of Associate to which CE has access during the course of such inspection. The fact
that CE inspects, or fails to inspect, or has the right to inspect, Associate's facilities, systems,
books, records, agreements, policies and procedures does not relieve Associate of its
responsibility to comply with this Agreement, nor does CE's(i) failure to detect or(ii) detection,
but failure to notify Associate or require Associate's remediation of any unsatisfactory practices,
constitute acceptance of such practice or a waiver of CE's enforcement rights under the
Agreement.
q. Safeguards During Transmission. Associate shall be responsible for using
appropriate safeguards, including encryption of PHI, to maintain and ensure the confidentiality,
integrity and security of Protected Information transmitted pursuant to the Agreement, in
accordance with the standards and requirements of the HIPAA Rules.
r. Restrictions and Confidential Communications. Within ten (10) business days of
notice by CE of a restriction upon uses or disclosures or request for confidential communications
pursuant to 45 C.F.R. Section 164.522, Associate will restrict the use or disclosure of an
individual's Protected Information. Associate will not respond directly to an individual's
requests to restrict the use or disclosure of Protected Information or to send all communication of
Protect Information to an alternate address. Associate will refer such requests to the CE so that
the CE can coordinate and prepare a timely response to the requesting individual and provide
direction to Associate.
3. Obligations of CE.
a. Safeguards During Transmission. CE shall be responsible for using appropriate
safeguards, including encryption of PHI, to maintain and ensure the confidentiality, integrity and
security of Protected Information transmitted pursuant to the Agreement, in accordance with the
standards and requirements of the HIPAA Rules.
Page 5 of 10
b. Notice of Changes. CE maintains a copy of its Notice of Privacy Practices on its
website. CE shall provide Associate with any changes in, or revocation of, permission to use or
disclose Protected Information, to the extent that it may affect Associate's permitted or required
uses or disclosures. To the extent that it may affect Associate's permitted use or disclosure of
PHI, CE shall notify Associate of any restriction on the use or disclosure of Protected
Information that CE has agreed to in accordance with 45 C.F.R. Section 164.522.
4. Termination.
a. Material Breach. In addition to any other provisions in the Agreement regarding
breach, a breach by Associate of any provision of this Agreement, as determined by CE, shall
constitute a material breach of this Agreement and shall provide grounds for immediate
termination of this Agreement by CE pursuant to the provisions of the Agreement covering
termination for cause, if any. If the Agreement contains no express provisions regarding
termination for cause,the following terms and conditions shall apply:
(1) Default. If Associate refuses or fails to timely perform any of the
provisions of this Agreement, CE may notify Associate in writing of the non-performance, and if
not promptly corrected within the time specified, CE may terminate this Agreement. Associate
shall continue performance of this Agreement to the extent it is not terminated and shall be liable
for excess costs incurred in procuring similar goods or services elsewhere.
(2) Associate's Duties. Notwithstanding termination of this Agreement, and
subject to any directions from CE, Associate shall take timely, reasonable and necessary action
to protect and preserve property in the possession of Associate in which CE has an interest.
(3) Compensation. Payment for completed supplies delivered and accepted
by CE shall be at the agreed price. In the event of a material breach under paragraph 4a, CE may
withhold amounts due Associate as CE deems necessary to protect CE against loss from third
party claims of improper use or disclosure and to reimburse CE for the excess costs incurred in
procuring similar goods and services elsewhere.
(4) Erroneous Termination for Default. If after such termination it is
determined, for any reason, that Associate was not in default, or that Associate's action/inaction
was excusable, such termination shall be treated as a termination for convenience, and the rights
and obligations of the parties shall be the same as if this Agreement had been terminated for
convenience, as described in this Agreement.
b. Reasonable Steps to Cure Breach. If CE knows of a pattern of activity or practice
of Associate that constitutes a material breach or violation of the Associate's obligations under
the provisions of this Agreement or another arrangement and does not terminate this Agreement
pursuant to Section 4(a), then CE shall take reasonable steps to cure such breach or end such
violation.. If CE's efforts to cure such breach or end such violation are unsuccessful, CE shall
either(i)terminate the Agreement, if feasible or (ii) if termination of this Agreement is not
feasible, CE shall report Associate's breach or violation to the Secretary of the Department of
Health and Human Services. If Associate knows of a pattern of activity or practice of a
Subcontractor or agent that constitutes a material breach or violation of the Subcontractor's or
Page 6 of 10
agent's obligations under the written agreement between Associate and the Subcontractor or
agent, Associate shall take reasonable steps to cure such breach or end such violation, if feasible.
c. Judicial or Administrative Proceedings. Either party may terminate the
Agreement, effective immediately, if(i) the other party is named as a defendant in a criminal
proceeding for a violation of the HIPAA Rules or other security or privacy laws or(ii) a finding
or stipulation that the other party has violated any standard or requirement of the HIPAA Rules
or other security or privacy laws is made in any administrative or civil proceeding in which the
party has been joined.
d. Effect of Termination.
(1) Except as provided in paragraph (2) of this subsection, upon termination
of this Agreement, for any reason, Associate shall return or destroy all Protected Information that
Associate or its agents or Subcontractors still maintain in any form, and shall retain no copies of
such Protected Information. If Associate elects to destroy the PHI, Associate shall certify in
writing to CE that such PHI has been destroyed.
(2) If Associate believes that returning or destroying the Protected
Information is not feasible, Associate shall promptly provide CE notice of the conditions making
return or destruction infeasible. Associate shall continue to extend the protections of Sections
2(a), 2(b), 2(c), 2(d) and 2(e) of this Agreement to such Protected Information, and shall limit
further use of such PHI to those purposes that make the return or destruction of such PHI
infeasible.
5. Injunctive Relief. CE shall have the right to injunctive and other equitable and legal
relief against Associate or any of its Subcontractors or agents in the event of any use or
disclosure of Protected Information in violation of this Agreement or applicable law.
6. No Waiver of Immunity. No term or condition of this Agreement shall be construed or
interpreted as a waiver, express or implied, of any of the immunities, rights, benefits, protection,
or other provisions of the Colorado Governmental Immunity Act, CRS 24-10-101 et seg. or the
Federal Tort Claims Act, 28 U.S.C. 2671 et seq. as applicable, as now in effect or hereafter
amended.
7. Disclaimer. CE makes no warranty or representation that compliance by Associate with
this Contractor the HIPAA Rules will be adequate or satisfactory for Associate's own purposes.
Associate is solely responsible for all decisions made by Associate regarding the safeguarding of
PHI.
8. Certification. To the extent that CE determines an examination is necessary in order to
comply with CE's legal obligations pursuant to the HIPAA Rules relating to certification of its
security practices, CE or its authorized agents or contractors, may, at CE's expense, examine
Associate's facilities, systems, procedures and records as may be necessary for such agents or
contractors to certify to CE the extent to which Associate's security safeguards comply with the
HIPAA Rules or this Agreement.
Page 7 of 10
9. Amendment.
a. Amendment to Comply with Law. The parties acknowledge that state and federal
laws relating to data security and privacy are rapidly evolving and that amendment of this
Agreement may be required to provide for procedures to ensure compliance with such
developments. The parties specifically agree to take such action as is necessary to implement the
standards and requirements of the HIPAA Rules and other applicable laws relating to the
confidentiality, integrity, availability and security of PHI. The parties understand and agree that
CE must receive satisfactory written assurance from Associate that Associate will adequately
safeguard all Protected Information and that it is Associate's responsibility to receive satisfactory
written assurances from Associate's Subcontractors and agents. Upon the request of either party,
the other party agrees to promptly enter into negotiations concerning the terms of an amendment
to this Agreement embodying written assurances consistent with the standards and requirements
of the HIPAA Rules or other applicable laws. CE may terminate this Agreement upon thirty (30)
days written notice in the event(i) Associate does not promptly enter into negotiations to amend
this Agreement when requested by CE pursuant to this Section, or(ii) Associate does not enter
into an amendment to this Agreement providing assurances regarding the safeguarding of PHI
that CE, in its sole discretion, deems sufficient to satisfy the standards and requirements of the
HIPAA Rules.
b. Amendment of Attachment A. Attachment A may be modified or amended by
mutual agreement of the parties in writing from time to time without formal amendment of this
Agreement.
10. Assistance in Litigation or Administrative Proceedings. Associate shall make itself, and
any Subcontractors, employees or agents assisting Associate in the performance of its obligations
under the Agreement, available to CE, at no cost to CE up to a maximum of 30 hours, to testify
as witnesses, or otherwise, in the event of litigation or administrative proceedings being
commenced against CE, its directors, officers or employees based upon a claimed violation of
the HIPAA Rules or other laws relating to security and privacy or PHI, except where Associate
or its Subcontractor, employee or agent is a named adverse party.
11. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended
to confer, nor shall anything herein confer, upon any person other than CE, Associate and their
respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
12. Interpretation and Order of Precedence. The provisions of this Agreement shall prevail
over any provisions in any contract that may conflict or appear inconsistent with any provision in
this Agreement. This Agreement shall be interpreted as broadly as necessary to implement and
comply with the HIPAA Rules. The parties agree that any ambiguity in this Agreement shall be
resolved in favor of a meaning that complies and is consistent with the HIPAA Rules. This
Agreement supercedes and replaces any previous separately executed HIPAA Agreement
between the parties.
Page 8 of 10
13. Survival of Certain Contract Terms. Notwithstanding anything herein to the contrary,
Associate's obligations under Section 4(d) ("Effect of Termination") and Section 12 ("No Third
Party Beneficiaries") shall survive termination of this Agreement and shall be enforceable by CE
as provided herein in the event of such failure to perform or comply by the Associate.
14. Representatives and Notice.
a. Representatives. For the purpose of the Agreement, the individuals listed below
are hereby designated as the parties' respective representatives for purposes of this Agreement.
Either party may from time to time designate in writing new or substitute representatives.
b. Notices. All required notices shall be in writing and shall be hand delivered or
given by certified or registered mail to the representatives at the addresses set forth below.
County/Covered Entity Representative:
Name: WFA-u tocwr( aQepjMENr
Title: CowrR&LSC
Department and Division: RCeocuvr N6r
Address: Ii 50 0 Sttker
G REFLE,/, Co 60423 I
Contractor/Business Associate Representative:
Name: Nicholas Prola
Title: Director of Compliance
Department and Division: Professional Finance Company, Inc.
Address: 5754 W. 11`1 St., Suite 100
Greeley, CO 80634
nprola@pfccollects.com
WHEREFORE, THE PARTIES HAVE EXECUTED THIS AGREEMENT AS DATED
BELOW:
CONTRACTOR
Name 1771e
Date
led
Title
Page 9 of 10
ATTEST:CJ ' • v � � BOARD OF COUNTY COMMISSIONERS
Weld County Clerk to t ` ''�Z� WELD COUNTY, COLORADO
- �.. �..� ��
BY:
D;puty Clerk to the :` ` I Sri' ougla Rademach , Chair N0V 2 6 2014
APPROVED AS TO FUNDING: APPROVED AS TO SUBSTANCE:
fYIPs
Controller Elected Official or Department Head
APPROVED AS TO FORM: A//R
•• CA J/ Director of General Services
County Attorney
AON" 31'99
ATTACHMENT A
This Attachment sets forth additional terms to the HIPAA Business Associate Agreement
between Weld County and . This Attachment may be amended from
time to time as provided in Section 10(b) of the Agreement.
1. Additional Permitted Uses. In addition to those purposes set forth in Section 2(a) of the
Agreement, Associate may use Protected Information as follows:
2. Additional Permitted Disclosures. In addition to those purposes set forth in Section 2(b)
of the Agreement, Associate may disclose Protected Information as follows:
3. Subcontractor(s). The parties acknowledge that the following subcontractors or agents of
Associate shall receive Protected Information in the course of assisting Associate in the
performance of its obligations under this Agreement:
4. Receipt. Associate's receipt of Protected Information pursuant to this Agreement shall be
deemed to occur as follows, and Associate's obligations under the Agreement shall commence
with respect to such PHI upon such receipt:
5. Additional Restrictions on Use of Data. CE is a Business Associate of certain other
Covered Entities and, pursuant to such obligations of CE, Associate shall comply with the
following restrictions on the use and disclosure of Protected Information:
6. Additional Terms. [This section may include specifications for disclosure format,
method of transmission, use of an intermediary, use of digital signatures or PKI, authentication,
additional security of privacy specifications, de-identification or re-identification of data and
other additional terms.]
Hello