Orange County NC Website
first obtaining the written authorization of the individual or the individual's representative,unless: <br /> 1. such payment is for a communication regarding a drug or biologic currently <br /> prescribed for the individual and is reasonable in amount(as defined by the Secretary); or <br /> 2. the communication is made on behalf of Covered Entity and is consistent with <br /> the terms of this Agreement. <br /> in. Business Associate agrees that if it uses or discloses patients' Protected Health <br /> Information for marketing purposes, it will obtain such patients' authorization before making any such <br /> use or disclosure. <br /> IV. BUSINESS ASSOCIATE'S MITIGATION AND BREACH NOTIFICATION OBLIGATIONS <br /> a. Business Associate agrees to mitigate,to the extent practicable, any harmful effect that is <br /> known to Business Associate of a use or disclosure of Protected Health Information by Business <br /> Associate in violation of the requirements of this Agreement. <br /> b. Following the discovery of a Breach of Unsecured Protected Health Information, <br /> Business Associate shall notify Covered Entity of such Breach without unreasonable delay and in no case <br /> later than forty-five (45) calendar days after discovery of the Breach. A Breach shall be treated as <br /> discovered by Business Associate as of the first day on which such Breach is known to Business <br /> Associate or, through the exercise of reasonable diligence, would have been known to Business <br /> Associate. <br /> C. Notwithstanding the provisions of Section IV.b., above, if a law enforcement official <br /> states to Business Associate that notification of a Breach would impede a criminal investigation or cause <br /> damage to national security,then: <br /> 1. if the statement is in writing and specifies the time for which a delay is required, <br /> Business Associate shall delay such notification for the time period specified by the official;or <br /> 2. if the statement is made orally, Business Associate shall document the statement, <br /> including the identity of the official making it, and delay such notification for no longer than <br /> thirty(30) days from the date of the oral statement unless the official submits a written statement <br /> during that time. <br /> Following the period of time specified by the official,Business Associate shall promptly deliver a copy of <br /> the official's statement to Covered Entity. <br /> d. The Breach notification provided shall include,to the extent possible: <br /> 1. the identification of each individual whose Unsecured Protected Health <br /> Information has been, or is reasonably believed by Business Associate to have been, accessed, <br /> acquired,used,or disclosed during the Breach; <br /> 2. a brief description of what happened, including the date of the Breach and the <br /> date of discovery of the Breach, if known; <br /> 3. a description of the types of Unsecured Protected Health Information that were <br /> involved in the Breach (such as whether full name, social security number, date of birth, home <br /> 6 <br />