Specifications include, but are not limited to: Limitation on Further Use or Disclosure . VENDOR agrees not to further use or disclose PHI or EPHI received from or on behalf of Harris Health or created, compiled, or used by VENDOR pursuant to this BAA in a manner that would be prohibited by the Privacy and Security Requirements if disclosure was made by Harris Health, or if either VENDOR or Harris Health is otherwise prohibited from making such disclosure by any present or future State or Federal law, regulation, or rule. 3. Safeguarding PHI . VENDOR agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA or as required by State or Federal law, regulation, or rule. 4. Safeguarding EPHI . VENDOR agrees to implement and use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits on behalf of Harris Health and to comply with Subpart C of 45 C.F.R. Part 164. Specifically, VENDOR agrees to comply with the requirements of 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 to Page 24 of 34 the same extent such requirements apply to Harris Health. In addition, VENDOR agrees to encrypt portable media devices (e.g., flash drives, CDs, PDAs, cell phones, and cameras), desktop, and laptop computers that contain, or are used to store or transmit, Harris Health PHI and/or EPHI. These safeguards shall include, but not be limited to, the following: a) Encryption of EPHI that VENDOR stores and transmits; b) Implementation of strong access controls, including physical locks, firewalls, and strong passwords; c) Use of updated antivirus software; d) Adoption of contingency planning policies and procedures, including data backup and disaster recovery plans; and e) Conduct periodic security training.
