Orange County NC Website
5 <br />October 2013 <br />(f) Covered Entity Authorization for Additional Uses. Any use of Protected Health <br />Information by Business Associate, its affiliate or Contractor, other than those purposes of this <br />Agreement, shall require express written authorization by the Covered Entity, and a Business Associate <br />Agreement or amendment as necessary. Activities which are prohibited include, but are not limited to, <br />Marketing, as defined by 45 CFR § 164.503 or the sharing for Commercial Use or any purpose construed <br />by Covered Entity as Marketing or Commercial Use, even if such sharing would be permitted by federal <br />or state laws. <br /> <br />(g) Business Associate may de-identify Protected Health Information only at the specific <br />direction of and only for the use of Covered Entity. Business Associate may not sell Protected Health <br />Information except at the direction of Covered Entity and in compliance with the requirements of the <br />HIPAA Security and Privacy Rule. <br /> <br />IV. AVAILABILITY OF PHI <br /> <br /> (a) Access to Protected Health Information. Business Associate agrees, in the event the <br />Business Associate maintains protected health information in a Designated Record Set, to make available, <br />within ten (10) days of a request by Covered Entity in a time and manner designated by Covered Entity, <br />Protected Health Information in a Designated Record Set, to Covered Entity or as directed by Covered <br />Entity, to an individual in order to meet the requirements of 45 CFR § 164.524 of the HIPAA Security <br />and Privacy Rule. <br /> <br />(b) Amendments to Protected Health Information. In the event that the Business Associate <br />maintains Protected Health Information in a Designated Record Set, Business Associate agrees to make <br />any amendment(s) to Protected Health Information in a designated record set that the Covered Entity <br />directs or agrees to pursuant to the HIPAA Security and Privacy Rule at the request of Covered Entity of <br />an individual, within ten (10) days of receipt of a request from Covered Entity and in the time and manner <br />designated by Covered Entity. <br /> <br />(c) Accounting of Disclosures. Business Associate agrees to maintain and make available <br />the information required to provide an accounting of disclosures, as required by 45 CFR § 164.528 of the <br />HIPAA Security and Privacy Rule. Business Associate will comply with Covered Entity’s policy <br />regarding accounting of disclosures. <br /> <br />(d) Document Disclosures. In the event an Individual makes a request under this Section of <br />the Agreement directly to Business Associate, Business Associate will notify Covered Entity of such <br />request within three (3) business days and shall cooperate with, and act only at the direction of Covered <br />Entity in responding to such request. <br /> <br />V. OBLIGATIONS OF COVERED ENTITY <br /> <br /> (a) Notice of Privacy Practices. Covered Entity shall provide Business Associate with the <br />notice of privacy practice that Covered Entity produces in accordance with 45 CFR § 164.520, as well as <br />any changes to that notice. <br /> <br /> (b) Notice of Changes in Individual’s Access or Protected Health Information. Covered <br />Entity shall provide Business Associate with any changes in, or revocation of, permission by an <br />Individual to use or disclose Protected Health Information, is such changes affect Business Associate’s <br />permitted or required uses. <br /> <br /> (c) Notice of Restriction in Individual’s Access to Protected Health Information. Covered <br />Entity shall notify Business Associate of any restrictions to the use or disclosure of Protected Health <br />Information that Covered Entity has agreed in accordance with 45 CFR § 164.522 to the extent that such <br />restriction may affect Business Associate’s use of Protected Health Information. <br />DocuSign Envelope ID: 5280C1B1-51A7-4D85-BDBA-2A9524E399BB