City of Nashua
(b) Use appropriate safeguards to prevent use or disclosure of the Protected Health
Information other than as provided for by this Agreement and mitigate to the extent
practicable, any harmful effect known to PDA of use or disclosure of Protected Health
Information in violation of this Agreement;
(c) Report to the Health Plan Administrator, for the benefit of the Health Plan, any use or
disclosure of the Protected Health Information not provided for by this Agreement of
which it becomes aware, including any potential "breach" of Protected Health Information
that may require notification to Individuals, the media, and/or the Secretary pursuant to 45
CFR 164.400 et seq., and any Security Incident of which it becomes aware.
PDA agrees to assist Health Plan, or Health Plan Administrator on behalf of the Health
Plan, as it determines, in its sole discretion, whether any impermissible use or disclosure of
Protected Health Information constitutes a breach of Protected Health Information for
purposes of Subtitle D of the Health Information Technology for Economic and Clinical
Health Act of 2009 (42 U.S.C. 17921-53) and its implementing regulations ("HITECH")
and the Privacy Rule, and whether such breach requires notification by the Health Plan to
Individuals, the media, and/or the Secretary.
In furtherance of the foregoing, in the event PDA discovers a breach of Protected Health
Information, PDA agrees:
(i) To provide the Health Plan with relevant information, including without
limitation, a brief description of the incident, the date of the incident, the
Individuals potentially affected, the date of discovery, the type of Protected
Health Information involved, any recommendations that should be made to
Individuals for their protection, a description of how PDA is and proposes to
mitigate any harm to Individuals, a description of how PDA is and will prevent
future incidents, and any other information reasonably requested by the Health
Plan so that it may comply with its obligations under HITECH and its
implementing regulations, and the Privacy Rule.
(ii) To assist the Health Plan to further investigate any breach incident, to assist in
making notifications to Individuals as necessary, to mitigate any harm resulting
or that may reasonably result from a breach incident, and to assist in taking any
other actions that the Health Plan deems reasonably necessary to comply with
HITECH and its implementing regulations, and the Privacy Rule.
(d) Ensure that any agent, including a subcontractor, to whom it provides Protected Health
Information received from the Health Plan, or that creates, receives, maintains, or
transmits Protected Health Information on behalf of PDA, enters into an agreement that
contains the same or more stringent restrictions and conditions that apply through this
Agreement to PDA with respect to such information, including without limitation,
ensuring that any such agent or subcontractor agrees to implement administrative, physical
and technical safeguards as required by the Security Standards that reasonably and
appropriately protect the security, confidentiality, integrity, and availability of any ePHI
that PDA creates, receives, maintains, or transmits on behalf of the Health Plan; provided
that the Health Plan shall not have any right to disapprove any subcontractors of PDA or to
review any agreements with such subcontractors, except to the extent specifically provided
herein;
BAA Revised October 2013