WHEREAS, Business Associate may maintain, transmit create or receive data for or
from Covered Entity that constitutes Protected Health Information (as defined at 45 CFR
§160.103) to perform tasks on behalf of Covered Entity;
WHEREAS, Covered Entity is or may be subject to the requirements of 42 U.S.C.
1320d et seq. enacted by the Health Insurance Portability and Accountability Act of 1996
(“HIPAA”), the Health Information Technology for Economic and Clinical Health Act
(“HITECH”) and the implementing regulations set forth at 45 CFR Parts 160, 162 and 164
(“HIPAA Regulations”). As used herein, “PHI” refers to Protected Health Information
maintained, transmitted, created or received by Business Associate for or from Covered
Entity.
WHEREAS, to the extent required by the HIPAA Regulations and applicable state
law, Business Associate is or may be directly subject to certain privacy and security
obligations and penalty provisions of HIPAA, HITECH, the HIPAA Regulations and state
law.