Orange County NC Website
Orange County Health Department
January 23, 2025
Page 7

HIPAA Business Associate Agreement

This Business Associate Agreement (“BAA”) is entered into by and between Forvis Mazars, LLP (hereinafter referred to as “Business Associate”) and Orange County Health Department (hereinafter referred to as “Covered Entity”).

RECITALS

Business Associate provides services to Covered Entity under this contract (the “Contract”), and Covered Entity wishes to disclose certain information to Business Associate pursuant to the terms of such Contract, some of which may constitute Protected Health Information (“PHI”).

The purpose of this BAA is to comply with all applicable federal and state laws governing the privacy of PHI. As used herein, the Privacy Rule and the Security Rule are each deemed to include the amendments thereto, collectively referred to as “HIPAA/HITECH Final Omnibus Rule,” that are included in the:

• Modifications to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the Genetic Information Nondiscrimination Act
• Other Modifications to the HIPAA Rules
• Final Rule (the “Omnibus Rule”), 78 Fed. Reg. 5565

Notwithstanding the terms of this or any other agreement between Covered Entity and Business Associate, Business Associate shall comply with all of its statutory and regulatory obligations stated under the HIPAA/HITECH Final Omnibus Rule. The terms stated herein shall have the same definitions as provided in HIPAA.

In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the parties agree as follows:

1. Permitted Uses and Disclosures. Except as described in the enumerated subparagraphs below, Business Associate shall not use or disclose PHI received from Covered Entity or created on behalf of Covered Entity. Exceptions:

1.1. As reasonably necessary to provide the services in the Contract;

1.2. As otherwise permitted or required by this BAA;

1.3. As required by law; and

1.4. For the proper management and administration of Business Associate’s business and to disclose PHI in connection with such management and administration, and to carry out the legal responsibilities of the Business Associate, provided Business Associate obtains reasonable assurances from the recipient that the PHI shall be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and Business Associate requires the recipient to notify it of any instances of which it is aware in which the confidentiality of the PHI has been breached.

2. Safeguards. Business Associate shall not use or disclose PHI other than as permitted or required by the BAA or as required by law.

2.1. Business Associate shall establish and maintain appropriate safeguards and shall comply with the Security Rule with respect to electronic PHI (“ePHI”) to prevent the use or disclosure of such ePHI other than as provided for by the Contract including this BAA.

2.2. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

3. Subcontracts. In accordance with the requirements of the Privacy Rule and the Security Rule, Business Associate shall ensure any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.

4. Obligations of Covered Entity. Covered Entity shall obtain any consent or authorization that may be required by HIPAA, or applicable state law, prior to furnishing Business Associate with PHI, including ePHI. Covered Entity shall notify Business Associate of:

4.1. Any limitation(s) in the Covered Entity’s notice of privacy practices under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI;

4.2. Any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI; and

4.3. Any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity. Covered Entity shall provide to Business Associate only the minimum PHI necessary to perform the services set forth in a Contract.

5. Reporting, Notification, and Mitigation.

5.1. Reporting. Business Associate shall notify Covered Entity of any use or disclosure of PHI not provided for by the BAA of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware, provided that with respect to Unsuccessful Security Incidents (as defined below), Business Associate shall report to Covered Entity any such Unsuccessful Security Incidents that are material to the protection of Covered Entity’s PHI. For purposes of this Business Associate Agreement, the

Docusign Envelope ID: 183D8F77-022B-48BA-9D7A-59C5C1C4FC1A