Orange County NC Website
(iii) implement appropriate safeguards to prevent use or disclosure of protected health information other than as permitted or required by this Agreement;

(iv) permit the Secretary of Health and Human Services to audit Business Associate's records and practices related to use and disclosure of protected health information to ensure Covered Entity's compliance with the terms of the HIPAA Security and Privacy Rule;

(v) report to Covered Entity any use or disclosure of protected health information which is not in compliance with the terms of this Agreement of which it becomes aware;

(vi) report to Covered Entity any Security Incident of which it becomes aware. For purposes of this Agreement, "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system; and

(vii) mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of protected health information by Business Associate in violation of the requirements of this Agreement.

(b) Notwithstanding the prohibitions set forth in this Agreement or the Arrangement Agreement, Business Associate may use and disclose protected health information as follows:

(i) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met:

(A) the disclosure is required by law; or

(B) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;

(ii) for data aggregation services, if such services are to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship.

III. AVAILABILITY OF PROTECTED HEALTH INFORMATION

Business Associate shall:

(a) at the request of Covered Entity, provide access to protected health information in a designated record set to Covered Entity or, as directed by Covered Entity, to an individual, in a time and manner sufficient to permit Covered Entity to comply with the requirements of 45 CFR 164.524.

(b) at the request of Covered Entity or an individual, make any amendment(s) to protected health information in a designated record set that are directed by or agreed to by Covered Entity, in a time and manner sufficient to permit Covered Entity to comply with the requirements of 45 CFR 164.526.

(c) document disclosures of protected health information and information related to such disclosures in a manner sufficient to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of protected health information in accordance with 45 CFR 164.528 and provide such documentation to Covered Entity or an individual as directed by Covered Entity.