Orange County NC Website
Browse       Search
Docusign Envelope ID:A24A576E-CC4E-4A07-BA5B-5968721C4755 <br /> (k) Identity Theft. Business Associate shall implement Identity Theft Monitoring Policies and <br /> Procedures to protect any patient information that may be breached by the Business Associate to the extent <br /> applicable under the Federal Trade Commission's Red Flag Rules. <br /> (1) HITECH Compliance. Business Associate shall: <br /> A. Not receive, directly or indirectly, any impermissible remuneration in exchange <br /> for Protected Health Information or Electronic Protected Health Information, <br /> except as permitted by HITECH § 13405(d) or the HIPAA Regulations; <br /> B. Comply with the marketing and other restrictions applicable to Business <br /> Associates contained in HITECH § 13406 and the HIPAA Regulations; <br /> C. To the extent required under HITECH § 13404, fully comply with the applicable <br /> requirements of 45 CFR 164.502(e)(2) for each use and disclosure of Protected <br /> Health Information; <br /> D. To the extent required under HITECH § 13401, fully comply with 45 CFR <br /> 164.308, 164.310, 164.312, and 164.316; <br /> E. To the extent required under HITECH §§ 13401 and 13404, comply with the <br /> additional privacy and security requirements that apply to Covered Entities in the <br /> same manner and to the same extent as Covered Entity is required to do so; and <br /> F. To the extent required under the HIPAA Regulations,comply with the privacy and <br /> security requirements that apply to Business Associates. <br /> (m) State Privacy Laws. Business Associate shall understand and comply with state privacy <br /> laws to the extent that such privacy laws are not preempted by HIPAA or HITECH. <br /> III. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE <br /> (a) Use of Protected Health Information on Behalf of Covered Entity. Except as otherwise <br /> limited in this Agreement,Business Associate may use or disclose Protected Health Information to perform <br /> functions, activities, or services for, or on behalf of, Covered Entity described in the Service Agreement, <br /> provided that such use or disclosure would not violate the HIPAA Security and Privacy Rule if it were made <br /> by Covered Entity,or would not violate the Covered Entities minimum necessary policies. <br /> (b) Other Uses of Protected Health Information. Except as otherwise limited in this <br /> Agreement, Business Associate may use Protected Health Information within its workforce for the proper <br /> management and administration of Business Associate, and to carry out the legal responsibilities of the <br /> Business Associate,but not to include Marketing or Commercial Use; and <br /> (c) Third Party Confidentiality. Except as otherwise limited in this Agreement, Business <br /> Associate may disclose Protected Health Information for the proper management and administration of <br /> Business Associate or to carry out the legal responsibilities of Business Associate,provided that if Business <br /> Associate discloses any Protected Health Information to a third party for such purpose, the Business <br /> Associate shall enter into a written agreement with such third party requiring the following: <br /> A. Disclosure only as Required by Law; or <br /> B. Reasonable assurances from the person to whom the information is disclosed that the <br /> information will remain confidential and will be used or further disclosed only as Required <br /> by Law or for the purpose for which it was disclosed to the person,and the person notifies <br /> 4 <br /> July 2024 <br />