Orange County NC Website
3 <br />October 2013 <br />Information by Business Associate in violation of the requirements of this Agreement, as well as to <br />provide complete cooperation to Covered Entity should Covered Entity elect to review or investigate such <br />noncompliance or Security Incident. Business Associate shall cooperate in Covered Entity’s breach <br />analysis and/or risk assessment, if requested. Furthermore, Business Associate shall cooperate with <br />Covered Entity in the event that Covered Entity determines that any third parties must be notified of a <br />Breach, provided that Business Associate shall not provide any such notification except at the direction of <br />Covered Entity. <br /> <br />(f) Breach Reporting. Business Associate shall report in writing to Covered Entity’s Privacy <br />Officer (see Exhibit A), any use or disclosure of Protected Health Information that is not in compliance <br />with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of <br />which it becomes aware, without unreasonable delay, and in no event later than forty-eight (48) hours of <br />such discovery. For purposes of this Agreement, “Security Incident” means the attempted or successful <br />unauthorized access, use, disclosure, modification, or destruction of information or interference with <br />system operations in an information system. Such notification shall contain the elements required by 45 <br />C.F.R. § 164.410. <br /> <br />(g) Compliance. To the extent applicable, Business Associate will comply with (i) Covered <br />Entity’s Notice of Privacy Practices; (ii) any limitations to which Covered Entity has agreed in regard to <br />an Individual’s permission to use or disclose his or her Protected Health Information; and (iii) any <br />restrictions to the use or disclosure of Protected Health Information to which Covered Entity has agreed <br />or is required to agree. <br /> <br />(h) Government Access. Business Associate will make its internal practices, books and <br />records available to the Secretary of the Department of Health and Human Services for purposes of <br />determining compliance with the terms of the HIPAA Security and Privacy Rule, and, at the request of <br />the Secretary, will comply with any investigations and compliance reviews, permit access to information, <br />and cooperate with any complaints, as Required by Law. Without unreasonable delay and, in any event, <br />no more than 48 hours of receipt of the request or notification, Business Associate will notify Covered <br />Entity in writing of any request by any governmental entity, or its designee, to review Business <br />assessment of any kind. <br /> <br />(i) Electronic Transactions. If Business Associate conducts any Standard Transactions for or <br />on behalf of Covered Entity, Business Associate shall comply with the requirements under the Electronic <br />Transaction Rule. <br /> <br />(j) Audit. Business Associate shall permit Covered Entity, in its discretion, to conduct an <br />audit of Business Associate’s compliance with this Agreement, HIPAA, and HITECH. Such audit may <br />consist of an onsite visit, a series of inquiries that require written responses, or both. Business Associate <br />shall promptly and completely respond to Covered Entity’s requests for information in support of the <br />audit, which shall not be conducted more than once annually except in cases of an actual or reasonably <br />suspected Security Incident or reasonably suspected noncompliance with this Agreement, HIPAA or <br />HITECH. Each Party shall bear its own costs associated with the audit. <br /> <br />(k) Identity Theft. Business Associate shall implement Identity Theft Monitoring Policies <br />and Procedures to protect any patient information that may be breached by the Business Associate to the <br />extent applicable under the Federal Trade Commission’s Red Flag Rules. <br /> <br />(l) HITECH Compliance. Business Associate shall: <br /> <br />A. Not receive, directly or indirectly, any impermissible remuneration in exchange <br />for Protected Health Information or Electronic Protected Health Information, <br />except as permitted by HITECH § 13405(d) or the HIPPA Regulations; <br />DocuSign Envelope ID: F650AAD5-0481-4C8A-8008-17C22F317593