Orange County NC Website
Browse       Search
(ii) With respect to which there is a reasonable basis to believe the <br />information can be used to identify the individual. <br />The term "Protected Health Information" means Individually Identifiable Health Information: <br />(a) Except as provided in subparagraph (b) below, that is: <br />(i) transmitted by electronic media; <br />(ii) Maintained in any medium described in the definition of electronic media <br />at § 162.103 of the HIPAA Privacy Rule; or <br />(iii) Transmitted or maintained in any other form or medium. <br />(b) Protected Health Information excludes Individually Identifiable Health Information in: <br />(i) Education records covered by the Family Educational Rights and Privacy <br />Act (FERPA), as amended, 20 U.S.C. 1232g; <br />(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and <br />(iii) Employment records held by a covered entity in its role as employer. <br />Business Associate acknowledges and agrees that all Protected Health Information that is created or <br />received by Covered Entity and disclosed or made available in any form, including paper record, oral <br />communication, audio recording, and electronic display by Covered Entity or its operating units to <br />Business Associate or is created or received by Business Associate on Covered Entity's behalf shall be <br />subject to this Agreement. <br />CONFIDENTIALITY REQUIREMENTS <br />(a) Business Associate agrees: <br />(i) to use or disclose any Protected Health Information solely: (1) for meeting <br />its obligations as set forth in any agreements between the Parties evidencing their <br />business relationship or (2) as required by applicable law, rule or regulation, or by <br />accrediting or credentialing organization to whom Covered Entity is required to disclose <br />such information or as otherwise permitted under this Agreement, the Arrangement <br />Agreement (if consistent with this Agreement and the HIPAA Privacy Rule), or the <br />HIPAA Privacy Rule, and (3) as would be permitted by the HIPAA Privacy Rule if such <br />use or disclosure were made by Covered Entity; <br />(ii) at termination of this Agreement, the Arrangement Agreement (or any <br />similar documentation of the business relationship of the Parties), or upon request of <br />Covered Entity, whichever occurs first, if feasible, Business Associate will return or <br />destroy all Protected Health Information received from or created or received by <br />Business Associate on behalf of Covered Entity that Business Associate still maintains in <br />any form and retain no copies of such information, or if such return or destruction is not <br />feasible, Business Associate will extend the protections of this Agreement to the <br />information and limit further uses and disclosures to those purposes that make the return <br />or destruction of the information not feasible; and <br />(iii) to ensure that its agents, including a subcontractor, to whom it provides <br />Protected Health Information received from or created by Business Associate on behalf <br />of Covered Entity, agrees to the same restrictions and conditions that apply to Business <br />Associate with respect to such information. In addition, Business Associate agrees to <br />take reasonable steps to ensure that its employees' actions or omissions do not cause <br />Business Associate to breach the terms of this Agreement. <br />(b) Notwithstanding the prohibitions set forth in this Agreement, Business Associate may <br />use and disclose Protected Health Information as follows: <br />2 <br />