Orange County NC Website
Browse       Search
information. In addition, Business Associate agrees to take reasonable <br /> steps to ensure that its employees' actions or omissions do not cause <br /> Business Associate to breach the terms of this Agreement; <br /> (iii) implement appropriate safeguards to prevent use or disclosure of <br /> protected health information other than as permitted or required by this <br /> Agreement; <br /> (iv) permit the Secretary of Health and Human Services to audit Business <br /> Associate's records and practices related to use and disclosure of <br /> protected health information to ensure Covered Entity's compliance with <br /> the terms of the HIPAA Security and Privacy Rule; <br /> (v) report to Covered Entity any use or disclosure of protected health <br /> information which is not in compliance with the terms of this Agreement of <br /> which it becomes aware; <br /> (vi) report to Covered Entity any Security Incident of which it becomes <br /> aware. For purposes of this Agreement, "Security Incident" means the <br /> attempted or successful unauthorized access, use disclosure, <br /> modification, or destruction of information or interference with system <br /> operations in an information system; and <br /> (vii) mitigate, to the extent practicable, any harmful effect that is known to <br /> Business Associate of a use or disclosure of protected health information <br /> by Business Associate in violation of the requirements of this Agreement. <br /> (b) Notwithstanding the prohibitions set forth in this Agreement or the Arrangement <br /> Agreement, Business Associate may use and disclose protected health information as <br /> follows: <br /> (i) if necessary, for the proper management and administration of Business <br /> Associate or to carry out the legal responsibilities of Business Associate, <br /> provided that as to any such disclosure, the following requirements are <br /> met: <br /> (A) the disclosure is required by law; or <br /> (B) Business Associate obtains reasonable assurances from the <br /> person to whom the information is disclosed that it will be held <br /> confidentially and used or further disclosed only as required by <br /> law or for the purpose for which it was disclosed to the person, <br /> and the person notifies Business Associate of any instances of <br /> which it is aware in which the confidentiality of the information has <br /> been breached; <br /> (ii) for data aggregation services, if such services are to be provided by <br /> Business Associate for the health care operations of Covered Entity <br /> pursuant to any agreements between the Parties evidencing their <br /> business relationship. <br /> III. AVAILABILITY OF PROTECTED HEALTH INFORMATION <br /> Business Associate shall: <br /> (a) at the request of Covered Entity, provide access to protected health information in a <br /> designated record set to Covered Entity or, as directed by Covered Entity, to an <br /> individual, in a time and manner sufficient to permit Covered Entity to comply with the <br /> requirements of 45 CFR 164.524. <br /> 3 <br />