implement administrative, physical, and technical safeguards that reasonably and appropriately protect
the confidentiality, integrity, and availability of any Electronic Protected Health Information that it
creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA
Security and Privacy Rule.
(f) To the extent applicable, Business Associate will comply with (i) Covered Entity's Notice
of Privacy Practices; (ii) any limitations to which Covered Entity has agreed in regard to an Individual's
permission to use or disclose his or her Protected Health Information; and (iii) any restrictions to the
use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to
agree.
(g) Business Associate will make its internal practices, books and records available to the
Secretary of the Department of Health and Human Services for purposes of determining compliance
with the terms of the HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply
with any investigations and compliance reviews, permit access to information, and cooperate with any
complaints, as required by law. Without unreasonable delay and, in any event, no more than 48 hours
of receipt of the request or notification, Business Associate will notify Covered Entity in writing of any
request by any governmental entity, or its designee, to review Business Associate's compliance with
law or this BAA, to pursue a complaint, or to conduct an audit or assessment of any kind.
(h) Business Associate shall report to Covered Entity (see Exhibit B) any use or disclosure
of Protected Health Information that is not in compliance with the terms of this Agreement, as well as
any Security Incident and any actual or suspected Breach, of which it becomes aware, without
unreasonable delay, and in no event later than forty-eight (48) hours of such discovery. For purposes
of this Agreement, "Security Incident" means the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or interference with system operations in an
information system. Such notification shall contain the elements required by 45 C.F.R. 164.410. In
addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is
known to Business Associate of a use or disclosure of Protected Health Information by Business
Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation
to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security
Incident. Business Associate shall cooperate in Covered Entity's breach analysis and/or risk
assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the
event that Covered Entity determines that any third parties must be notified of a Breach, provided that
Business Associate shall not provide any such notification except at the direction of Covered Entity.
Business Associate shall indemnify and hold harmless Covered Entity for any injury or damages arising
from any noncompliance with this Agreement or any Security Incident attributable to the negligence of
Business Associate, including the failure to execute the terms of this Agreement.
(i) Business Associate shall permit Covered Entity, in its discretion, to conduct an audit of
Business Associate's compliance with this BAA, HIPAA, and HITECH. Such audit may consist of an
onsite visit, a series of inquiries that require written responses, or both. Business Associate shall
promptly and completely respond to Covered Entity's requests for information in support of the audit,
which shall not be conducted more than once annually except in cases of an actual or reasonably
suspected Security Incident or reasonably suspected noncompliance with this BAA, HIPAA or
HITECH. Each Party shall bear its own costs associated with the audit.