Orange County NC Website
Browse       Search
(d) Duty to Report Violations. NC HIE agrees to report to Covered Entity <br /> Participants any use or Disclosure of PHI by NC HIE not allowed for by the Privacy Rule, the <br /> Security Rule or this Agreement of which it becomes aware. NC HIE agrees to report to <br /> Covered Entity Participants any Security Incident of which it becomes aware, except that, for <br /> purposes of this reporting requirement,the term"Security Incident"shall not include: (i)"pings" <br /> on NC HIE's firewall(s); (b)port scans;(c) attempts to log on to NC HIE's systems or to enter a <br /> database of NC HIE with an invalid security credential; (d) denial-of-service attacks that do not <br /> result in a server being taken offline; or(e)malware, (e.g., a worm or virus)that does not result <br /> in unauthorized access, use, disclosure, modification or destruction of Electronic Protected <br /> Health Information. <br /> (e) Duty to Report Breaches. NC HIE also agrees to report any other <br /> Breaches of PHI If a Breach occurs,NC HIE shall cooperate and assist in any steps taken by <br /> Covered Entity Participant to mitigate and address the Breach in accordance with Section 10 of <br /> this Agreement.Business Associate shall maintain evidence to demonstrate that any notifications <br /> required under this Section were made by Business Associate. <br /> (f) Subcontractors and Agents. NC HIE agrees to ensure that any <br /> subcontractor or agent to whom it provides PHI agrees in writing to the same restrictions and <br /> conditions that apply through this Agreement to NC HIE with respect to such PHI. NC HIE will <br /> ensure that any agent,including a subcontractor,to whom it provides Electronic Protected Health <br /> Information, agrees to implement reasonable and appropriate safeguards to protect such <br /> Electronic Protected Health Information. Personel data made available to NC HE by Covered <br /> Entity Participant for the performance or administration of this Agreement shall be used only for <br /> those purposes and shall not be used in any other way without the prior written approval of the <br /> Covered Entity Participant. <br /> (g) Access to PHI Upon request by Covered Entity Participant, NC HIE <br /> agrees to provide access to PHI in a Designated Record Set in NC HIE's possession and control <br /> to Covered Entity Participant or,at the direction of Covered Entity Participant to an Individual in <br /> order to meet the requirements of 45 C.F.R. § 164.524. <br /> (h) Amendment of PHI.Upon request by Covered Entity Participant,NC HIE <br /> agrees to make available to the Covered Entity Participant, PHI in a Designated Record Set in <br /> NC HIE's possession and control, as required for amendment of such PHI, and shall make and <br /> incorporate any amendment(s) to the PHI that the Provider agrees to pursuant to 45 C.F.R. § <br /> 164.526. <br /> (i) IMection of Books and Records.Upon reasonable notice,NC HIE agrees <br /> to make its internal practices, books, and records relating to the use and disclosure of PER <br /> available to Covered Entity Participant or, at the request of Covered Entity Participant, to the <br /> Secretary in a time and manner designated by Provider or the Secretary for purposes of the <br /> Secretary determining Provider's compliance with the Privacy Rule or Security Rule. <br /> (j) Accounting of Disclosures. NC HIE agrees to provide to Covered Entity <br /> Participants,upon request,information regarding disclosures of PHI by NC HIE through the HIE <br /> Network to permit Covered Entity Participants to respond to a request by an Individual for an <br /> accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. <br /> 20 <br />