Orange County NC Website
Browse       Search
3.4 shall be responsible for using administrative,physical and technical safeguards at all times to maintain <br /> and ensure the confidentiality,privacy and security of PHI transmitted to Business Associate pursuant <br /> to the Agreement, including this BAA, in accordance with the standards and requirements of HIPAA, <br /> before and during the transmission of such PHI to Business Associate. <br /> 3.5 shall obtain any consent or authorization that may be required by applicable federal or state laws and <br /> regulations prior furnishing to Business Associate the PHI for use and disclosure in accordance with <br /> this BAA. <br /> 4. PERMITTED USES AND DISCLOSURES OF PM <br /> Unless otherwise limited in this BAA, in addition to any other uses and/or disclosures permitted or required by <br /> this BAA or the Agreement,Business Associate may: . <br /> 4.1 make any and all uses and disclosures of PHI necessary to provide the Services to Covered Entity. <br /> 4.2 use and disclose PHI,if necessary,for proper management and administration of Business Associate or <br /> to carry out the legal responsibilities of Business Associate,provided that the disclosures are Required <br /> by Law or any third party to which Business Associate discloses PHI for those purposes provides <br /> written assurances in advance that: (i) the information will be held confidentially and used or further <br /> disclosed only for the purpose for which it was disclosed to the third party or as Required by Law;and <br /> (ii)the third party promptly will notify Business Associate of any instances of which it becomes aware <br /> in which the confidentiality of the information has been breached. <br /> 4.3 De-identify any and all PHI received or created by Business Associate under this BAA, which De- <br /> identified information shall not be subject to this BAA and may be used and disclosed on Business <br /> Associate's own behalf,all in accordance with the De-identification requirements of the Privacy Rule. <br /> 4.4 provide Data Aggregation services relating to the Health Care Operations of the Covered Entity in <br /> accordance with the Privacy Rule. <br /> 4.5 identify Research projects conducted by Business Associate, its Affiliates or third parties for which <br /> PHI may be relevant;obtain on behalf of Covered Entity documentation of individual authorizations or <br /> an Institutional Review Board or privacy board waiver that meets the requirements of 45 C.F.R. <br /> 164.512(i)(1) (each an"Authorization" or"Waiver") related to such projects; provide Covered Entity <br /> with copies of such Authorizations or Waivers, subject to confidentiality obligations ("Required <br /> Documentation"); and disclose PHI for such Research provided that Business Associate does not <br /> receive Covered Entity's disapproval in writing within ten (10) days of Covered Entity's receipt of <br /> Required Documentation. <br /> 4.6 make PHI available for reviews preparatory to Research and obtain and maintain written <br /> representations in accord with 45 C.F.R. 164.512(i)(1)(ii) that the requested PHI is sought solely as <br /> necessary to prepare a Research protocol or for similar purposes preparatory to Research,that the PHI <br /> is necessary for the Research,and that no PHI will be removed in the course of the review. <br /> 4.7 use the PHI to create a Limited Data Set("LDS")in compliance with 45 C.F.R. 164.514(e). <br /> 4.8 use and disclose the LDS referenced in Section 4.7 solely for Research or Public Health purposes or <br /> for the Health Care Operations of the Covered Entity, provided that Business Associate shall: (i) not <br /> use or further disclose the information other than as permitted by this Section 4.8 or as otherwise <br /> Required by Law; (ii)use appropriate safeguards to prevent use or disclosure of the information other <br /> than as provided for by this Section 4.8; (iii) report to Covered Entity any use or disclosure of the <br /> information not provided for by this Section 4.8 of which Business Associate becomes aware; (iv) <br /> ensure that any agents to whom Business Associate provides the LDS agree to the same restrictions <br /> and conditions that apply to Business Associate with respect to such information; and (v) not identify <br /> the information or contact the Individuals. <br /> 5. TERMINATION <br /> 5.1 Termination. If either Party knows of a pattern of activity or practice of the other Party that constitutes <br /> a material breach or violation of this BAA then the non-breaching Party shall provide written notice of <br /> the breach or violation to the other Party that specifies the nature of the breach or violation. The <br /> 31 <br />