Orange County NC Website
DocuSign Envelope ID: 16086DFC-1613-4024-BF92-DD86916E213E <br /> 6. Subcontractors. Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and <br /> 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the <br /> Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with <br /> respect to such information. <br /> 7. Designated Record Set; Disclosure. If applicable, Business Associate agrees to make available PHI in a <br /> Designated Record Set to the"covered entity" as necessary to satisfy Covered Entity's obligations under 45 C.F.R. 164.524. <br /> (a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal <br /> PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted <br /> under applicable law. <br /> (b) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. <br /> 502(b)(1)that such request, use or disclosure shall be to the minimum extent necessary, including the use of a "limited data <br /> set" as defined in 45 C.F.R. 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as <br /> interpreted under related guidance issued by the Secretary from time to time. <br /> 8. Amendments. If applicable, Business Associate agrees to make any amendments to PHI in a Designated <br /> Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 164.526, or take other measures as <br /> necessary to satisfy Covered Entity's obligations under 45 C.F.R. 164.526. <br /> 9. Accounting. Business Associate agrees to maintain and make available the information required to provide <br /> an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. <br /> 164.528. <br /> 10. Records. Business Associate agrees to make available all records, books, policies and procedures relating <br /> to the use and/or disclosure of PHI or as required by the Security Rule relating to its administrative, physical and technical <br /> safeguards to the Secretary of HHS for purposes of determining the Covered Entity's or Business Associate's compliance with <br /> the HIPAA Regulations, subject to attorney-client and other applicable legal privileges. <br /> 11. To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under <br /> Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the <br /> Covered Entity in the performance of such obligation(s). <br /> 12. Business Associate agrees to account for the following disclosures: <br /> (a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI <br /> and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for <br /> Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of <br /> Unsecured PHI. <br /> (b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, <br /> information collected in accordance with this Section 12, to permit Covered Entity to respond to a request by an individual or <br /> the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. <br /> (c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health <br /> Record ("EHR") in a manner consistent with 45 C.F.R. 164.528 and related guidance issued by the Secretary from time to <br /> time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate <br /> made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested <br /> directly from the Business Associate. In the case of an EHR that the Business Associate acquired on behalf of the Covered <br /> Entity as of January 1, 2009, this paragraph shall apply to disclosures with respect to PHI made by the Business Associate <br /> from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the <br /> Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the <br /> Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR. <br /> 2 <br />