2.3.2. Recipient shall use appropriate safeguards to protect the PHI from misuse or
inappropriate disclosure and to prevent any use or disclosure of the PHI other
than as provided in this DUA or as otherwise required by law or regulation.
2.3.3. Recipient shall not attempt to identify the individuals to whom the PHI
pertains, or attempt to contact such individuals.
2.3.4. Recipient shall report to Covered Entity any use or disclosure of the PHI not
provided for in this DUA of which Recipient becomes aware. Recipient will take
reasonable steps to limit any further such use or disclosure.
3. TERM AND TERMINATION.
3.1. Term. The Term of this DUA shall be effective as of the date first written above, and
shall terminate when all of the PHI provided by Covered Entity to Recipient is
destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI,
protections are extended to such information, in accordance with the termination
provisions in this Section.
3.2. Termination for Cause. Should Recipient commit a material breach of this DUA,
which is not cured within thirty (30) days after Recipient receives notice of such
breach from the Covered Entity, then the Covered Entity will discontinue disclosure
of PHI and will report the breach to the Secretary, Department of Health and Human
Services.
3.3. Effects of Termination.
3.3.1. Except as provided in paragraph (ii) of this subsection, within ten (10) days
upon termination of this DUA, Recipient shall return or destroy all PHI received
from Covered Entity. This provision shall apply to PHI that is in the possession
of subcontractors or agents of Recipient. Recipient shall retain no copies of the
PHI.
3.3.2. In the event that Recipient determines that returning or destroying the PHI is
infeasible, Recipient shall provide to Covered Entity notification of the conditions
that make return or destruction infeasible. Upon mutual agreement of the Parties
that return or destruction of PHI is infeasible, Recipient shall extend the
protections of this DUA to such PHI and limit further uses and disclosures of
such PHI to those purposes that make the return or destruction infeasible, for so
long as Recipient maintains such PHI.
4. Mitigation. Recipient agrees to mitigate, to the extent practicable, any harmful effect that
is known to Recipient of a use or disclosure of PHI or the Limited Data Set by Recipient
or by any person to whom Recipient has disclosed PHI or the Limited Data Set pursuant
to Section 2 in violation of the requirements of this Agreement.
5. Indemnification. Recipient agrees to indemnify and hold harmless and defend Covered
Entity from and against any claim, action, suit, right, damage, loss, expense, or cost
(including, but not limited to, reasonable attorney’s fees and court costs) arising out of an
act, or omission to act, on the part of the Recipient, its agents, or employees pursuant to
this Agreement. This agreement to indemnify and hold harmless Covered Entity shall
apply to both third-party claims and second-party claims, including, but not limited to,
claims, actions, damages, losses, expenses, or costs (including, but not limited to,
reasonable attorneys’ fees and court costs) incurred by Covered Entity as a result of an