Orange County NC Website
information. In addition, Business Associate agrees to take reasonable <br />steps to ensure that its employees' actions or omissions do not cause <br />Business Associate to breach the terms of this Agreement; <br />(iii) implement appropriate safeguards to prevent use or disclosure of <br />protected health information other than as permitted or required by this <br />Agreement; <br />(iv) permit the Secretary of Health and Human Services to audit Business <br />Associate's records and practices related to use and disclosure of <br />protected health information to ensure Covered Entity's compliance with <br />the terms of the HIPAA Security and Privacy Rule; <br />(v) report to Covered Entity any use or disclosure of protected health <br />information which is not in compliance with the terms of this Agreement of <br />which it becomes aware; <br />(vi) report to Covered Entity any Security Incident of which it becomes <br />aware. For purposes of this Agreement, "Security Incident" means the <br />attempted or successful unauthorized access, use disclosure, <br />modification, or destruction of information or interference with system <br />operations in an information system; and <br />(vii) mitigate, to the extent practicable, any harmful effect that is known to <br />Business Associate of a use or disclosure of protected health information <br />by Business Associate in violation of the requirements of this Agreement. <br />(b) Notwithstanding the prohibitions set forth in this Agreement or the Arrangement <br />Agreement, Business Associate may use and disclose protected health information as <br />follows: <br />(i) if necessary, for the proper management and administration of Business <br />Associate or to carry out the legal responsibilities of Business Associate, <br />provided that as to any such disclosure, the following requirements are <br />met: <br />(A) the disclosure is required by law; or <br />(B) Business Associate obtains reasonable assurances from the <br />person to whom the information is disclosed that it will be held <br />confidentially and used or further disclosed only as required by <br />law or for the purpose for which it was disclosed to the person, <br />and the person notifies Business Associate of any instances of <br />which it is aware in which the confidentiality of the information has <br />been breached; <br />(ii) for data aggregation services, if such services are to be provided by <br />Business Associate for the health care operations of Covered Entity <br />pursuant to any agreements between the Parties evidencing their <br />business relationship. <br />III. AVAILABILITY OF PROTECTED HEALTH INFORMATION <br />Business Associate shall: <br />(a) at the request of Covered Entity, provide access to protected .health information in a <br />designated record set to Covered Entity or, as directed by Covered Entity, to an <br />individual, in a time and manner sufficient to permit Covered Entity to comply with the <br />requirements of 45 CFR 164.524. <br />3 <br />