Orange County NC Website
Browse       Search
Consolidated Agreement-FY14 Page 21 of 23 <br /> AMENDMENT TO THE NORTH CAROLINA DEPARTMENT OF HEALTH AND HUMAN <br /> SERVICES BUSINESS ASSOCIATE ADDENDUM TO CONSOLIDATED AGREEMENT <br /> This document amends North Carolina Department of Health and Human Services Business Associate <br /> Addendum to the Consolidated A eement. This amendment is made effective the 1"day of July, 2012, <br /> by and between 0f0-f' (name of Local Health Department or"Covered <br /> Entity")and the Division o ublic Health Business Associate") (collectively the"Parties")for the <br /> purpose of specifying the breach reporting and notification requirements following an unauthorized <br /> disclosure of unsecured Protected Health Information(PHI). <br /> I. DEFINITIONS: <br /> The terms defined below shall have the following meaning in this Amendment: <br /> a. `Breach"means the acquisition,access,use,or disclosure of PHI in a manner not permitted <br /> under the HIPAA Privacy Rule which compromises the security or privacy of the PHI. For the <br /> purpose of this definition,"compromises the security or privacy of the PHI'means poses a <br /> significant risk of financial,reputational,or other harm to the individual. A use or disclosure <br /> of PHI that does not include the identifiers listed at§ 164.514(e)(2),limited data set,date of <br /> birth, and zip code does not compromise the security or privacy of the PHI. <br /> Breach excludes: <br /> • Any unintentional acquisition,access or use of PHI by a workforce member or person <br /> acting under the authority of a Covered Entity(CE)or Business Associate(BA)if such <br /> acquisition, access,or use was made in good faith and within the scope of authority and <br /> does not result in further use or disclosure in a manner not permitted under the HIPAA <br /> Privacy Rule. <br /> • Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to <br /> another person authorized to access PHI at the same CE or BA,or organized health care <br /> arrangement in which the CE participates, and the information received as a result of such <br /> disclosure is not further used or disclosed in a manner not permitted under the HIPAA <br /> Privacy Rule; or <br /> • A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person <br /> to whom the disclosure was made could not have expected to use or further disclose that <br /> information. <br /> b. "HITECH Act"means the"Health Information Technology for Economic and Clinical Health <br /> ("HITECH")Act,Title XIII of Division A of the American Recovery and Reinvestment Act of <br /> 2009 (P.L. 111-5). <br /> C. "Security breach"means an incident of unauthorized access to and acquisition of unencrypted and <br /> un-redacted records or data containing personal information where illegal use of the personal <br /> information has occurred or is reasonably likely to occur or that creates a material risk of harm to a <br /> consumer. Any incident of unauthorized access to and acquisition of encrypted records or data <br />