Orange County NC Website
(d) Business Associate may provide data aggregation services relating to the health care <br /> operations of Covered Entity pursuant to any agreements between the Parties evidencing their business <br /> relationship as permitted by 45 CFR§ 164.504(e)(2)(i)(B). <br /> t <br /> (e) Other Uses Strictly Limited. Nothing in this Agreement shall permit the Business <br /> Associate to share Protected Health Information with Business Associate's affiliates or contractors except <br /> for the purposes of the Service Agreement(s) between the Covered Entity and Business Associate(s) <br /> identified in Section I(a)of this Agreement. <br /> (f) Covered Entity Authorization for Additional Uses. Any use of Protected Health <br /> Information by Business Associate, its affiliate or Contractor, other than those purposes of this <br /> Agreement, shall require express written authorization by the Covered Entity, and a Business Associate <br /> Agreement or amendment as necessary. Activities which are prohibited include, but are not limited to, <br /> Marketing, as defined by 45 CFR§ 164.503 or the sharing for Commercial Use or any purpose construed <br /> by Covered Entity as Marketing or Commercial Use, even if such sharing would be permitted by federal <br /> or state laws. <br /> (g) Business Associate may de-identify Protected Health Information only at the specific <br /> direction of and only for the use of Covered Entity. Business Associate may not sell Protected Health <br /> Information except at the direction of Covered Entity and in compliance with the requirements of the <br /> HIPAA Security and Privacy Rule. <br /> IV. AVAILABILITY OF PHI <br /> (a) Access to Protected Health Information. Business Associate agrees, in the event the <br /> Business Associate maintains protected health information in a Designated Record Set,to make available, <br /> within ten (10) days of a request by Covered Entity in a time and manner designated by Covered Entity, <br /> Protected Health Information in a Designated Record Set, to Covered Entity or as directed by Covered <br /> Entity, to an individual in order to meet the requirements of 45 CFR § 164.524 of the HIPAA Security <br /> and Privacy Rule. <br /> (b) Amendments to Protected Health Information. In the event that the Business Associate <br /> maintains Protected Health Information in a Designated Record Set, Business Associate agrees to make <br /> any amendment(s) to Protected Health Information in a designated record set that the Covered Entity <br /> directs or agrees to pursuant to the HIPAA Security and Privacy Rule at the request of Covered Entity of <br /> an individual,within ten(10)days of receipt of a request from Covered Entity and in the time and manner <br /> designated by Covered Entity. <br /> (c) Accounting of Disclosures. Business Associate agrees to maintain and make available <br /> the information required to provide an accounting of disclosures, as required by 45 CFR§ 164.528 of the <br /> HIPAA Security and Privacy Rule. Business Associate will comply with Covered Entity's policy <br /> regarding accounting of disclosures. <br /> (d) Document Disclosures. In the event an Individual makes a request under this Section of <br /> the Agreement directly to Business Associate, Business Associate will notify Covered Entity of such <br /> request within three (3) business days and shall cooperate with, and act only at the direction of Covered <br /> Entity in responding to such request. <br /> V. OBLIGATIONS OF COVERED ENTITY <br /> (a) Notice of Privacy Practices. Covered Entity shall provide Business Associate with the <br /> notice of privacy practice that Covered Entity produces in accordance with 45 CFR § 164.520, as well as <br /> any changes to that notice. <br /> 5 <br /> October 2013 <br />