Orange County NC Website
Security Incident. Business Associate shall cooperate in Covered Entity's breach analysis and/or risk <br /> assessment,if requested. Furthermore,Business Associate shall cooperate with Covered Entity in the event <br /> that Covered Entity determines that any third parties must be notified of a Breach, provided that Business <br /> Associate shall not provide any such notification except at the direction of Covered Entity. <br /> (f) Breach Reporting. Business Associate shall report in writing to Covered Entity's Privacy <br /> Officer (see Exhibit A), any use or disclosure of Protected Health Information that is not in compliance <br /> with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of <br /> which it becomes aware, without unreasonable delay, and in no event later than forty-eight(48)hours of <br /> such discovery. For purposes of this Agreement, "Security Incident" means the attempted or successful <br /> unauthorized access,use,disclosure,modification,or destruction of information or interference with system <br /> operations in an information system. Such notification shall contain the elements required by 45 C.F.R. § <br /> 164.410. <br /> (g) Compliance. To the extent applicable, Business Associate will comply with(i) Covered <br /> Entity's Notice of Privacy Practices;(ii)any limitations to which Covered Entity has agreed in regard to an <br /> Individual's permission to use or disclose his or her Protected Health Information;and(iii)any restrictions <br /> to the use or disclosure of Protected Health Information to which Covered Entity has agreed or is required <br /> to agree. <br /> (h) Government Access. Business Associate will make its internal practices, books and <br /> records available to the Secretary of the Department of Health and Human Services for purposes of <br /> determining compliance with the terms of the HIPAA Security and Privacy Rule,and, at the request of the <br /> Secretary,will comply with any investigations and compliance reviews,permit access to information, and <br /> cooperate with any complaints, as Required by Law. Without unreasonable delay and, in any event, no <br /> more than 48 hours of receipt of the request or notification,Business Associate will notify Covered Entity <br /> in writing of any request by any governmental entity,or its designee,to review Business assessment of any <br /> kind. <br /> (i) Electronic Transactions. If Business Associate conducts any Standard Transactions for or <br /> on behalf of Covered Entity, Business Associate shall comply with the requirements under the Electronic <br /> Transaction Rule. <br /> 0) Audit. Business Associate shall permit Covered Entity, in its discretion, to conduct an <br /> audit of Business Associate's compliance with this Agreement, HIPAA, and HITECH. Such audit may <br /> consist of an onsite visit, a series of inquiries that require written responses, or both. Business Associate <br /> shall promptly and completely respond to Covered Entity's requests for information in support of the audit, <br /> which shall not be conducted more than once annually except in cases of an actual or reasonably suspected <br /> Security Incident or reasonably suspected noncompliance with this Agreement,HIPAA or HITECH. Each <br /> Party shall bear its own costs associated with the audit. <br /> (k) Identity Theft. Business Associate shall implement Identity Theft Monitoring Policies and <br /> Procedures to protect any patient information that may be breached by the Business Associate to the extent <br /> applicable under the Federal Trade Commission's Red Flag Rules. <br /> (1) HITECH Compliance. Business Associate shall: <br /> A. Not receive, directly or indirectly, any impermissible remuneration in exchange <br /> for Protected Health Information or Electronic Protected Health Information, <br /> except as permitted by HITECH § 13405(d)or the HIPPA Regulations; <br /> B. Comply with the marketing and other restrictions applicable to Business <br /> Associates contained in HITECH § 13406 and the HIPPA Regulations; <br /> 3 <br /> October 2013 <br />