Orange County NC Website
(e) Business Associate will implement appropriate safeguards to prevent use or disclosure <br /> of Protected Health Information other than as permitted in this Agreement. Business Associate will <br /> implement administrative, physical, and technical safeguards that reasonably and appropriately protect <br /> the confidentiality, integrity, and availability of any Electronic Protected Health Information that it <br /> creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA <br /> Security and Privacy Rule. <br /> (f) To the extent applicable, Business Associate will comply with (i) Covered Entity's Notice <br /> of Privacy Practices; (ii) any limitations to which Covered Entity has agreed in regard to an Individual's <br /> permission to use or disclose his or her Protected Health Information; and (iii) any restrictions to the <br /> use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to <br /> agree. <br /> (g) Business Associate will make its internal practices, books and records relating to the use <br /> and disclosure of Protected Health Information received from, or created or received by Business <br /> Associate on behalf of, Covered Entity available to the Secretary of the Department of Health and <br /> Human Services for purposes of the Secretary determining Covered Entity's compliance with the terms <br /> of the HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any <br /> investigations and compliance reviews, permit access to information, and cooperate with any <br /> complaints, as required by law. Unless prohibited from doing so by applicable law or by a court order, <br /> without unreasonable delay, Business Associate will notify Covered Entity in writing of any request by <br /> any governmental entity, or its designee, to review Business Associate's compliance with law or this <br /> BAA, to pursue a complaint, or to conduct an audit or assessment of any kind, if such review, <br /> complaint, audit or assessment pertains to the Arrangement Agreement or this BAA. <br /> (h) Business Associate shall report to Covered Entity (see Exhibit A) any use or disclosure <br /> of Protected Health Information that is not in compliance with the terms of this Agreement, as well as <br /> any Security Incident and any actual or suspected Breach, of which it becomes aware, without <br /> unreasonable delay, and in no event later than five (5) calendar days of such discovery. For purposes <br /> of this Agreement, "Security Incident" means the attempted or successful unauthorized access, use, <br /> disclosure, modification, or destruction of information or interference with system operations in an <br /> information system. Such notification shall contain the elements required by 45 C.F.R. 164.410. In <br /> addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is <br /> known to Business Associate of a use or disclosure of Protected Health Information by Business <br /> Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation <br /> to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security <br /> Incident. Business Associate shall cooperate in Covered Entity's breach analysis and/or risk <br /> assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the <br /> event that Covered Entity determines that any third parties must be notified of a Breach, provided that <br /> Business Associate shall not provide any such notification except at the direction of Covered Entity. To <br /> the extent permitted by applicable law, Business Associate shall indemnify and hold harmless Covered <br /> Entity for any injury or damages arising from any noncompliance with this Agreement or any Security <br /> Incident attributable to the negligence of Business Associate, including the failure to execute the terms <br /> of this Agreement. To the extent any of the parties to this Agreement are an entity of the State of North <br /> Carolina, nothing in this Agreement is intended to affect or abrogate that party's sovereign immunity as <br /> an entity of the State of North Carolina, including all protections and immunities granted to that party <br /> under the North Carolina Tort Claims Act. <br /> (i) Business Associate shall permit Covered Entity, in its discretion, to conduct an audit of <br /> Business Associate's compliance with this BAA, HIPAA, and HITECH. Such audit may consist of a <br /> series of inquiries that require written responses. Business Associate shall promptly and completely <br /> Page 14 Revised October 2013 <br />