1. DEFINITIONS. For the purposes of this Exhibit, a term shall have the definition given in HIPAA, unless otherwise defined in this Exhibit or elsewhere in the Agreement. HIPAA means the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR part 160 and Part 164, the HITECH Act, and the Omnibus Rules adopted in 2013. “PHI” shall mean Protected Health Information limited to that received, created, maintained, or transmitted by TC, in its role as a business associate, from or on behalf of Company. The “Privacy Rule” means Standards for Privacy of Individually Identifiable Health Information. The “Security Rule” means Security Standards for the Protection of Electronic Protected Health Information. The “Breach Notification Rule” means the Notification in the Case of Breach of Unsecured Protected Health Information Rule.
2. OBLIGATIONS OF TC. To the extent TC is acting as Company’s business associate, TC agrees as follows:
2.1 Use and Disclosure of PHI. TC shall not use or disclose PHI other than as permitted or required by this Exhibit or as permitted or required by law and shall not use or disclose PHI in a manner that violates HIPAA if used or disclosed in the same manner by Company (unless specifically permitted for a business associate under HIPAA). Subject to the restrictions set forth in this Exhibit, TC may use and disclose PHI: (a) as necessary or appropriate to perform its other obligations under the Agreement; (b) as necessary for the proper management and administration of TC; (c) to carry out the legal responsibilities of TC pursuant to the Agreement; and/or (d) to provide data aggregation services, to de-identify PHI and to use or disclose de-identified information, and/or to create limited data sets. With respect to any disclosure, TC also shall (i) obtain reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed and (ii) obligate the person to notify TC of any instances of which it is aware in which the confidentiality of the PHI has been breached.
2.2 Safeguards. TC shall implement and maintain appropriate safeguards to prevent use or disclosure of PHI other than as provided in this Exhibit. TC also shall comply with the applicable provisions of the Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”) with respect to electronic PHI.
2.3 Access to Books and Records. TC shall permit the Secretary of the Department of Health and Human Services to access TC’s internal practices, books, and records as they pertain to the use and disclosure of PHI to determine whether Company is in compliance with the requirements of HIPAA. Notwithstanding this provision, no legal privilege or discovery protection will be deemed waived by TC or Company as a result of this Section 2.3.
2.4 Access of Individuals to Information. If so requested by Company, TC shall make available to Company PHI maintained in a designated record set to permit Company to comply with its access requirements under HIPAA. In the event any individual requests access to PHI directly from TC, TC shall forward the request to Company. Any denial of access to the PHI requested shall be the responsibility of Company.
2.5 Amendment of Information. If so requested by Company, TC shall provide PHI maintained in a designated record set to Company for amendment and shall incorporate any amendment to permit Company to meet its amendment requirements under HIPAA. In the event any individual directly requests TC to amend PHI, TC shall forward the request to Company. Company shall be responsible for making determinations regarding amendments to PHI.
2.6 Accounting for Disclosures of PHI. If so requested by Company, TC shall provide to Company an accounting of each Disclosure of PHI made by TC for which an accounting is required under HIPAA. In the event any individual requests an accounting of disclosure of PHI directly from TC, TC, to the extent permitted by law, shall forward the request to Company.
2.7 Disclosures to Subcontractors. TC shall require any subcontractor that creates, receives, maintains, or transmits PHI on behalf of TC to comply with the applicable provisions of the Security Rule and agree to the same restrictions and conditions that apply to TC pursuant to this Exhibit with respect to PHI.
2.8 Reporting. TC shall report to Company: (a) a breach of unsecured PHI as required pursuant to 45 CFR §164.410 of the Breach Notification Rule; (b) use or disclosure of PHI not permitted by this Exhibit; and/or (c) a “successful” Security Incident involving PHI. TC routinely experiences unsuccessful attempts at unauthorized acquisition, access, use, disclosure, modification, destruction, or interference with Systems operations, such as “pings” on a firewall, unsuccessful logon attempts, or access to encrypted information without access to the key. This Exhibit shall serve as ongoing notice to Company of these unsuccessful attempts, and no further notice is required.
2.9 Performance of Covered Functions. To the extent TC is to carry out any of Company’s covered entity obligations under the Privacy Rule, TC shall comply with the requirements of the Privacy Rule in the performance of the obligations.
2.10 Return/Destruction of PHI upon Termination. The Parties agree that the return or destruction of PHI is not feasible. Upon termination of the Agreement for any reason, TC shall extend the protections of this Exhibit to the PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction infeasible, for as long as TC maintains the PHI. This Section 2.10 shall survive termination of the Agreement.
3. OBLIGATIONS OF COMPANY. Company warrants that Company, its officers, directors, Workforce, affiliates, agents, and representatives: (a) shall comply with HIPAA, including the Security Rule; (b) shall comply with the Privacy Rule in using, disclosing, and/or requesting PHI; (c) shall not use or disclose PHI in any manner that violates applicable Laws; (d) shall not request TC to use or disclose PHI in any manner that violates applicable Laws or this Exhibit; (e) may request TC to disclose PHI directly to another party only for the purposes allowed by the Privacy Rule; (f) shall give TC the right to approve any notification to any individuals, the media, and/or the Department of Health and Human Services that references TC, prior to dissemination of the notification; (g) shall transmit PHI to TC only in a secure manner; and (h) shall obtain any authorizations, consents, acknowledgements, permissions, and releases necessary or appropriate so that TC can perform its obligations under this Agreement.