Orange County NC Website
if such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible; and

(v) to ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from or created by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply to Business Associate with respect to such information, and agrees to implement reasonable and appropriate safeguards to protect any of such information which is Electronic Protected Health Information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees' actions or omissions do not cause Business Associate to breach the terms of this Agreement.

(b) Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use and disclose Protected Health Information as follows:

(i) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met:

(A) the disclosure is required by law; or

(B) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;

(ii) for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.

(c) Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.

(d) The Secretary of Health and Human Services shall have the right to audit Business Associate's records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity's compliance with the terms of the HIPAA Security and Privacy Rule.

(e) Business Associate shall report to Covered Entity (see Exhibit A) any use or disclosure of Protected Health Information which is not in compliance with the terms of this