Orange County NC Website
Business Associate agrees to take reasonable steps, including providing adequate training to its employees, to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.

4. Reporting Disclosures of PHI and Security Incidents. Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware, and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within five business days of becoming aware of the event.

5. Reporting Breaches of Unsecured PHI. Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. Business Associate will reimburse Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on Covered Entity as a result of a Breach committed by Business Associate.

6. Mitigation of Disclosures of PHI. Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.

7. Agreements with Agents or Subcontractors. Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent receives PHI as described in section 1.M. of this BAA. Such notification shall occur within 30 (thirty) calendar days of the execution of the subcontract by placement of such notice on the Business Associate’s primary website. Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA.

8. Audit Report. Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification, or other mutually agreed upon independent standards-based third-party audit report. Covered Entity agrees not to re-disclose the Business Associate’s audit report.

9. Access to PHI by Individuals.

A. Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner