Orange County NC Website
Browse       Search
134 <br /> 6. Make available PHI in a designated set record set to Covered Entity upon request <br /> within three (3)working days as necessary to satisfy Covered Entity's obligations <br /> under 45 CFR 164.524. If Business Associate receives a request for access directly <br /> from the individual, then Business Associate will forward the individual's request to <br /> Covered Entity within three (3) working days to be fulfilled by Covered Entity. <br /> 7. If Business Associate receives a request pursuant to 45 CFR 164.526 to make any <br /> amendment(s) to PHI in a designated record set directly from the individual, then <br /> Business Associate will forward the individual's request to Covered Entity within <br /> three (3) working days to be fulfilled by Covered Entity. <br /> 8. Maintain and make available upon request within three (3)working days the <br /> information required to provide an accounting of disclosures to Covered Entity as <br /> necessary to satisfy Covered Entity's obligations under 45 CFR 164.528. If Business <br /> Associate receives a request to provide an accounting of disclosures directly from the <br /> individual, then Business Associate will forward the individual's request to Covered <br /> Entity within three (3) working days to be fulfilled by Covered Entity. <br /> 9. Make its internal practices, books, and records relating to the use of PHI received <br /> from Covered Entity, or created or received by Business Associate on behalf of <br /> Covered Entity, available to the Secretary of DHHS and Covered Entity for purposes <br /> of determining compliance with HIPAA. <br /> 10. To the extent practicable, mitigate any harmful effects that are known to Business <br /> Associate of a use or disclosure of PHI or a breach of Unsecured PHI in violation of <br /> this Addendum. <br /> 11. Use and disclose an individual's PHI only if such use or disclosure is in compliance <br /> with the applicable requirements of 45 CFR 164.504(e) and the terms of this <br /> Addendum. <br /> 12. Refrain from exchanging any PHI with any entity of which Business Associate knows <br /> of a pattern of activity or practice that constitutes a breach as defined by North <br /> Carolina State Law, HIPAA, or this Addendum. <br /> 13. To the extent Business Associate is to carry out one or more of Covered Entity's <br /> obligation(s)under Subpart E of 45 CFR Part 164, comply with the requirements of <br /> Subpart E that apply to Covered Entity in the performance of such obligation(s). <br /> B. Breach Notification: <br /> In the event that Business Associate discovers any use or disclosure of PHI not provided <br /> for by the Agreement, including breaches of Unsecured PHI as required at 45 CFR <br /> 164.410, and any security incident of which it becomes aware, Business Associate agrees <br /> to take the following measures within three (3) working days after Business Associate <br /> first becomes aware of the incident: <br /> 1. To notify Covered Entity of any incident involving the acquisition, access,use or <br /> disclosure of Unsecured PHI in a manner not permitted under 45 CFR Part E. Such <br /> notice by Business Associate shall be provided without unreasonable delay, except <br /> where a law enforcement official determines that a notification would impede a <br /> criminal investigation or cause damage to national security. For purposes of clarity <br /> for this provision, Business Associate must notify Covered Entity of any such <br /> 2 <br />