Orange County NC Website
identify the individual. "Protected Health Information" includes without limitation "Electronic Protected Health Information" as defined below.

The term "Electronic Protected Health Information" means Protected Health Information which is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media.

Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity's behalf shall be subject to this Agreement.

CONFIDENTIALITY AND SECURITY REQUIREMENTS

(a) Business Associate agrees:

(i) to use or disclose any Protected Health Information solely: (1) for meeting its obligations as set forth in any agreements between the Parties evidencing their business relationship, or (2) as required by applicable law, rule or regulation, or by accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under this Agreement, the Arrangement Agreement (if consistent with this Agreement and the HIPAA Security and Privacy Rule), or the HIPAA Security and Privacy Rule, and (3) as would be permitted by the HIPAA Security and Privacy Rule if such use or disclosure were made by Covered Entity;

(ii) to account for certain disclosures of Protected Health Information as required by Section 164.528 of the HIPAA Security and Privacy Rule. A copy of Covered Entity's policy regarding accounting of disclosures is available at http://www.med.unc.edu/security/hipaa/documents/d13.pdf ;

(iii) to provide appropriate HIPAA training to its personnel within thirty days of the date of this agreement as follows: (1) general HIPAA training for all of Business Associate's personnel, and (2) Business Associate will compare the UNC HCS policies and procedures outlined in the training materials to the general HIPAA training provided by the Business Associate to its personnel, and, if there are material differences, will train all of its personnel who service the UNC HCS account on those different policies/procedures. (Business Associate may obtain a copy of the UNC HCS training materials at http://www.unchealthcare.org/site/hipaa Internet);

(iv) at termination of this Agreement, the Arrangement Agreement (or any similar documentation of the business relationship of the Parties), or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return or destroy all Protected Health Information received from or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form and retain no copies of such information, or if such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible; and

(v) to ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from or created by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply to Business Associate with respect to such information, and agrees to implement reasonable and appropriate safeguards to protect any of such information which is Electronic Protected Health Information. In addition, Business Associate agrees to take reasonable steps to