Orange County NC Website
July 2024

(k) Identity Theft. Business Associate shall implement Identity Theft Monitoring Policies and Procedures to protect any patient information that may be breached by the Business Associate to the extent applicable under the Federal Trade Commission’s Red Flag Rules.

(l) HITECH Compliance. Business Associate shall:

A. Not receive, directly or indirectly, any impermissible remuneration in exchange for Protected Health Information or Electronic Protected Health Information, except as permitted by HITECH § 13405(d) or the HIPAA Regulations;

B. Comply with the marketing and other restrictions applicable to Business Associates contained in HITECH § 13406 and the HIPAA Regulations;

C. To the extent required under HITECH § 13404, fully comply with the applicable requirements of 45 CFR 164.502(e)(2) for each use and disclosure of Protected Health Information;

D. To the extent required under HITECH § 13401, fully comply with 45 CFR 164.308, 164.310, 164.312, and 164.316;

E. To the extent required under HITECH §§ 13401 and 13404, comply with the additional privacy and security requirements that apply to Covered Entities in the same manner and to the same extent as Covered Entity is required to do so; and

F. To the extent required under the HIPAA Regulations, comply with the privacy and security requirements that apply to Business Associates.

(m) State Privacy Laws. Business Associate shall understand and comply with state privacy laws to the extent that such privacy laws are not preempted by HIPAA or HITECH.

III. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

(a) Use of Protected Health Information on Behalf of Covered Entity. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity described in the Service Agreement, provided that such use or disclosure would not violate the HIPAA Security and Privacy Rule if it were made by Covered Entity, or would not violate the Covered Entity’s minimum necessary policies.

(b) Other Uses of Protected Health Information. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information within its workforce for the proper management and administration of Business Associate, and to carry out the legal responsibilities of the Business Associate, but not to include Marketing or Commercial Use; and

(c) Third Party Confidentiality. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that if Business Associate discloses any Protected Health Information to a third party for such purpose, the Business Associate shall enter into a written agreement with such third party requiring the following:

A. Disclosure only as Required by Law; or

B. Reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as Required