Orange County NC Website
Browse       Search
DocuSign Envelope ID:C013173FE-65A7-41C5-985D-8D6B23DF80FB <br /> (f) Covered Entity Authorization for Additional Uses. Any use of Protected Health <br /> Information by Business Associate, its affiliate or Contractor, other than those purposes of this <br /> Agreement, shall require express written authorization by the Covered Entity, and a Business Associate <br /> Agreement or amendment as necessary. Activities which are prohibited include, but are not limited to, <br /> Marketing, as defined by 45 CFR § 164.503 or the sharing for Commercial Use or any purpose construed <br /> by Covered Entity as Marketing or Commercial Use, even if such sharing would be permitted by federal <br /> or state laws. <br /> (g) Business Associate may de-identify Protected Health Information only at the specific <br /> direction of and only for the use of Covered Entity. Business Associate may not sell Protected Health <br /> Information except at the direction of Covered Entity and in compliance with the requirements of the <br /> HIPAA Security and Privacy Rule. <br /> IV. AVAILABILITY OF PHI <br /> (a) Access to Protected Health Information. Business Associate agrees, in the event the <br /> Business Associate maintains protected health information in a Designated Record Set, to make available, <br /> within ten (10) days of a request by Covered Entity in a time and manner designated by Covered Entity, <br /> Protected Health Information in a Designated Record Set, to Covered Entity or as directed by Covered <br /> Entity, to an individual in order to meet the requirements of 45 CFR § 164.524 of the HIPAA Security <br /> and Privacy Rule. <br /> (b) Amendments to Protected Health Information. In the event that the Business Associate <br /> maintains Protected Health Information in a Designated Record Set, Business Associate agrees to make <br /> any amendment(s) to Protected Health Information in a designated record set that the Covered Entity <br /> directs or agrees to pursuant to the HIPAA Security and Privacy Rule at the request of Covered Entity of <br /> an individual,within ten(10) days of receipt of a request from Covered Entity and in the time and manner <br /> designated by Covered Entity. <br /> (c) Accounting of Disclosures. Business Associate agrees to maintain and make available <br /> the information required to provide an accounting of disclosures, as required by 45 CFR § 164.528 of the <br /> HIPAA Security and Privacy Rule. Business Associate will comply with Covered Entity's policy <br /> regarding accounting of disclosures. <br /> (d) Document Disclosures. In the event an Individual makes a request under this Section of <br /> the Agreement directly to Business Associate, Business Associate will notify Covered Entity of such <br /> request within three (3) business days and shall cooperate with, and act only at the direction of Covered <br /> Entity in responding to such request. <br /> V. OBLIGATIONS OF COVERED ENTITY <br /> (a) Notice of Privacy Practices. Covered Entity shall provide Business Associate with the <br /> notice of privacy practice that Covered Entity produces in accordance with 45 CFR § 164.520, as well as <br /> any changes to that notice. <br /> (b) Notice of Changes in Individual's Access or Protected Health Information. Covered <br /> Entity shall provide Business Associate with any changes in, or revocation of, permission by an <br /> Individual to use or disclose Protected Health Information, is such changes affect Business Associate's <br /> permitted or required uses. <br /> (c) Notice of Restriction in Individual's Access to Protected Health Information. Covered <br /> Entity shall notify Business Associate of any restrictions to the use or disclosure of Protected Health <br /> Information that Covered Entity has agreed in accordance with 45 CFR § 164.522 to the extent that such <br /> restriction may affect Business Associate's use of Protected Health Information. <br /> 5 <br /> October 2013 <br />