Orange County NC Website
units to Business Associate or is created or received by Business Associate on Covered Entity's behalf <br /> shall be subject to this Agreement. <br /> b. Business Associate agrees to not use or further disclose Protected Health Information <br /> other than as permitted or required by this Agreement or as required by law, <br /> C. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of <br /> Protected Health Information other than as provided for by this Agreement. Specifically, Business <br /> Associate will: <br /> 1. implement the administrative, physical, and technical safeguards set forth in <br /> Sections 164.308, 164.310, and 164.312 of the HIPAA Privacy and Security Rules that <br /> reasonably and appropriately protect the confidentiality, integrity, and availability of any <br /> Protected Health Information that it creates, receives, maintains, or transmits on behalf of <br /> Covered Entity, and, in accordance with Section 164.316 of the HIPAA Privacy and Security <br /> Rules, implement and maintain reasonable and appropriate policies and procedures to enable it to <br /> comply with the requirements outlined in Sections 164.308, 164.310,and 164.312; and <br /> 1 2. report to Covered Entity any use or disclosure of Protected Health Information <br /> not provided for by this Agreement of which Business Associate becomes aware. Business <br /> Associate shall report to Covered Entity any Security Incident of which it becomes aware. For <br /> purposes of this Agreement, "Security Incident" means the successful unauthorized access, use, <br /> disclosure, modification, or destruction of Protected Health Information or interference with <br /> system operations in an information system, of which Business Associate has knowledge or <br /> should, with the exercise of reasonable diligence, have knowledge, excluding (i) "pings" on an <br /> information system firewall; (ii) port scans; (iii) attempts to log on to an information system or <br /> enter a database with an invalid password or user name; (iv) denial-of-service attacks that do not <br /> result in a server being taken offline; or(v)malware(e.g., a worms or a virus)that does not result <br /> in unauthorized access, use, disclosure, modification or destruction of Protected Health <br /> Information. <br /> d. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it <br /> provides Protected Health Information received from, or created or received by Business Associate on <br /> behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement <br /> to Business Associate with respect to such information. <br /> e. Business Associate agrees to comply with any requests for restrictions on certain <br /> disclosures of Protected Health Information to which Covered Entity has agreed in accordance with <br /> Section 164.522 of the HIPAA Privacy and Security Rules and of which Business Associate has been <br /> notified by Covered Entity. In addition, and notwithstanding the provisions of Section 164.522(a)(1)(ii), <br /> Business Associate agrees to comply with an individual's request to restrict disclosure of Protected Health <br /> Information to a health plan for purposes of carrying out payment or health care operations if the <br /> Protected Health Information pertains solely to a health care item or service for which Covered Entity has <br /> been paid by in full by the individual or the individual's representative. <br /> f. At the request of Covered Entity and in a reasonable time and manner, Business <br /> Associate agrees to make available Protected Health Information required for Covered Entity to respond <br /> to an individual's request for access to his or her Protected Health Information in accordance with Section <br /> 164.524 of the HIPAA Privacy and Security Rules. If Business Associate maintains Protected Health <br /> Information electronically, it agrees to make such Protected Health Information available electronically to <br /> 4 <br />