Orange County NC Website
The term "Electronic Protected Health Information" means Protected Health Information that is <br /> transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in <br /> Electronic Media. <br /> Business Associate acknowledges and agrees that all Protected Health Information that is created or <br /> received by Covered Entity and disclosed or made available in any form, including paper record, oral <br /> communication, audio recording, and electronic display by Covered Entity or its operating units to <br /> Business Associate or is created or received by Business Associate on Covered Entity's behalf shall be <br /> subject to this Agreement. If Business Associate is also a Covered Entity, as that term is defined in the <br /> HIPAA Security and Privacy Rule, this Agreement does not apply to its own Protected Health <br /> Information received, created, transmitted, or maintained by Business Associate in its capacity as a <br /> Covered Entity. <br /> II. PERMITTED USES AND DISCLOSURES <br /> (a) Business Associate may use or disclose Protected Health Information only as permitted <br /> or required by this Agreement or as required by law. Except as specifically set forth herein, Business <br /> Associate may not use or disclose Protected Health Information in a manner that would violate the <br /> HIPAA Security and Privacy Rule if such use or disclosure were done by Covered Entity. Specifically, <br /> Business Associate may use or disclose Protected Health Information (1) for meeting its obligations as <br /> set forth in any agreements between the Parties evidencing their business relationship, including the <br /> Arrangement Agreement, or (2) as required by applicable law, rule or regulation, or by an accrediting or <br /> credentialing organization to whom Covered Entity is required to disclose such information, or (3) as <br /> otherwise permitted under this Agreement, the Arrangement Agreement (if consistent with this <br /> Agreement and the HIPAA Security and Privacy Rule), or the HIPAA Security and Privacy Rule, or (4) <br /> as would be permitted by the HIPAA Security and Privacy Rule as if such use or disclosure were made <br /> by Covered Entity. <br /> (b) Business Associate may de-identify Protected Health Information only at the specific <br /> direction of and only for the use of Covered Entity. Business Associate may not sell Protected Health <br /> Information except at the direction of Covered Entity and in compliance with the requirements of the <br /> HIPAA Security and Privacy Rule. <br /> (c) Notwithstanding the prohibitions set forth in this Agreement, <br /> (i) Business Associate may use Protected Health Information for the proper <br /> management and administration of Business Associate or to carry out the legal <br /> responsibilities of Business Associate; <br /> (ii) Business Associate may disclose Protected Health Information for the proper <br /> management and administration of Business Associate or to carry out the legal <br /> responsibilities of Business Associate, provided that as to any such disclosure, the <br /> following requirements are met: <br /> (A) The disclosure is required by law; or <br /> (B) Business Associate obtains reasonable assurances from the person <br /> to whom the information is disclosed that the information will remain confidential <br /> and will be used or further disclosed only as required by law or for the purpose <br /> for which it was disclosed to the person, and the person notifies Business <br /> Associate of any instances of which it is aware in which the confidentiality of the <br /> information has been breached; <br /> Page 12 Revised October 2013 <br />