Orange County NC Website
Browse       Search
(f) Covered Entity Authorization for Additional Uses. Any use of Protected Health <br /> Information by Business Associate,its affiliate or Contractor,other than those purposes of this Agreement, <br /> shall require express written authorization by the Covered Entity, and a Business Associate Agreement or <br /> amendment as necessary. Activities which are prohibited include, but are not limited to,Marketing, as <br /> defined by 45 CFR § 164.503 or the sharing for Commercial Use or any purpose construed by Covered <br /> Entity as Marketing or Commercial Use,even if such sharing would be permitted by federal or state laws. <br /> (g) Business Associate may de-identify Protected Health Information only at the specific <br /> direction of and only for the use of Covered Entity. Business Associate may not sell Protected Health <br /> Information except at the direction of Covered Entity and in compliance with the requirements of the <br /> HIPAA Security and Privacy Rule. <br /> IV. AVAILABILITY OF PHI <br /> (a) Access to Protected Health Information. Business Associate agrees, in the event the <br /> Business Associate maintains protected health information in a Designated Record Set, to make available, <br /> within ten(10) days of a request by Covered Entity in a time and manner designated by Covered Entity, <br /> Protected Health Information in a Designated Record Set, to Covered Entity or as directed by Covered <br /> Entity,to an individual in order to meet the requirements of 45 CFR§ 164.524 of the HIPAA Security and <br /> Privacy Rule. <br /> (b) Amendments to Protected Health Information. In the event that the Business Associate <br /> maintains Protected Health Information in a Designated Record Set,Business Associate agrees to make any <br /> amendment(s)to Protected Health Information in a designated record set that the Covered Entity directs or <br /> agrees to pursuant to the HIPAA Security and Privacy Rule at the request of Covered Entity of an individual, <br /> within ten(10)days of receipt of a request from Covered Entity and in the time and manner designated by <br /> Covered Entity. <br /> (c) Accounting of Disclosures. Business Associate agrees to maintain and make available the <br /> information required to provide an accounting of disclosures, as required by 45 CFR § 164.528 of the <br /> HIPAA Security and Privacy Rule. Business Associate will comply with Covered Entity's policy regarding <br /> accounting of disclosures. <br /> (d) Document Disclosures. In the event an Individual makes a request under this Section of <br /> the Agreement directly to Business Associate, Business Associate will notify Covered Entity of such <br /> request within three (3) business days and shall cooperate with, and act only at the direction of Covered <br /> Entity in responding to such request. <br /> V. OBLIGATIONS OF COVERED ENTITY <br /> (a) Notice of Privacy Practices. Covered Entity shall provide Business Associate with the <br /> notice of privacy practice that Covered Entity produces in accordance with 45 CFR § 164.520, as well as <br /> any changes to that notice. <br /> (b) Notice of Changes in Individual's Access or Protected Health Information. Covered Entity <br /> shall provide Business Associate with any changes in, or revocation of,permission by an Individual to use <br /> or disclose Protected Health Information,is such changes affect Business Associate's permitted or required <br /> uses. <br /> (c) Notice of Restriction in Individual's Access to Protected Health Information. Covered <br /> Entity shall notify Business Associate of any restrictions to the use or disclosure of Protected Health <br /> Information that Covered Entity has agreed in accordance with 45 CFR § 164.522 to the extent that such <br /> restriction may affect Business Associate's use of Protected Health Information. <br /> 5 <br /> October 2013 <br />