(e) Business Associate will implement appropriate safeguards to prevent use or disclosure
<br /> of Protected Health Information other than as permitted in this Agreement. Business Associate will
<br /> implement administrative, physical, and technical safeguards that reasonably and appropriately protect
<br /> the confidentiality, integrity, and availability of any Electronic Protected Health Information that it
<br /> creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA
<br /> Security and Privacy Rule.
<br /> (f) To the extent applicable, Business Associate will comply with (i) Covered Entity's Notice
<br /> of Privacy Practices; (ii) any limitations to which Covered Entity has agreed in regard to an Individual's
<br /> permission to use or disclose his or her Protected Health Information; and (iii) any restrictions to the
<br /> use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to
<br /> agree.
<br /> (g) Business Associate will make its internal practices, books and records relating to the use
<br /> and disclosure of Protected Health Information received from, or created or received by Business
<br /> Associate on behalf of, Covered Entity available to the Secretary of the Department of Health and
<br /> Human Services for purposes of the Secretary determining Covered Entity's compliance with the terms
<br /> of the HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any
<br /> investigations and compliance reviews, permit access to information, and cooperate with any
<br /> complaints, as required by law. Unless prohibited from doing so by applicable law or by a court order,
<br /> without unreasonable delay, Business Associate will notify Covered Entity in writing of any request by
<br /> any governmental entity, or its designee, to review Business Associate's compliance with law or this
<br /> BAA, to pursue a complaint, or to conduct an audit or assessment of any kind, if such review,
<br /> complaint, audit or assessment pertains to the Arrangement Agreement or this BAA.
<br /> (h) Business Associate shall report to Covered Entity (see Exhibit A) any use or disclosure
<br /> of Protected Health Information that is not in compliance with the terms of this Agreement, as well as
<br /> any Security Incident and any actual or suspected Breach, of which it becomes aware, without
<br /> unreasonable delay, and in no event later than five (5) calendar days of such discovery. For purposes
<br /> of this Agreement, "Security Incident" means the attempted or successful unauthorized access, use,
<br /> disclosure, modification, or destruction of information or interference with system operations in an
<br /> information system. Such notification shall contain the elements required by 45 C.F.R. 164.410. In
<br /> addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is
<br /> known to Business Associate of a use or disclosure of Protected Health Information by Business
<br /> Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation
<br /> to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security
<br /> Incident. Business Associate shall cooperate in Covered Entity's breach analysis and/or risk
<br /> assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the
<br /> event that Covered Entity determines that any third parties must be notified of a Breach, provided that
<br /> Business Associate shall not provide any such notification except at the direction of Covered Entity. To
<br /> the extent permitted by applicable law, Business Associate shall indemnify and hold harmless Covered
<br /> Entity for any injury or damages arising from any noncompliance with this Agreement or any Security
<br /> Incident attributable to the negligence of Business Associate, including the failure to execute the terms
<br /> of this Agreement. To the extent any of the parties to this Agreement are an entity of the State of North
<br /> Carolina, nothing in this Agreement is intended to affect or abrogate that party's sovereign immunity as
<br /> an entity of the State of North Carolina, including all protections and immunities granted to that party
<br /> under the North Carolina Tort Claims Act.
<br /> (i) Business Associate shall permit Covered Entity, in its discretion, to conduct an audit of
<br /> Business Associate's compliance with this BAA, HIPAA, and HITECH. Such audit may consist of a
<br /> series of inquiries that require written responses. Business Associate shall promptly and completely
<br /> Page 14 Revised October 2013
<br />
|