Orange County NC Website
• ensure that its employees' actions or omissions do not cause Business Associate to <br />breach the terms of this Agreement. <br />(b) Notwithstanding the prohibitions set forth in this Agreement, Business Associate may <br />use and disclose Protected Health Information as follows: <br />(i) if necessary, for the proper management and administration of Business <br />Associate or to carry out the legal responsibilities of Business Associate, provided that <br />as to any such disclosure, the following requirements are met: <br />(A) the disclosure is required by law; or <br />(B) Business Associate obtains reasonable assurances from the <br />person to whom the information is disclosed that it will be held confidentially and <br />used or further disclosed only as required by law or for the purpose for which it <br />was disclosed to the person, and the person notifies Business Associate of any <br />instances of which it is aware in which the confidentiality of the information has <br />been breached; <br />(ii) for data aggregation services, if to be provided by Business Associate for <br />the health care operations of Covered Entity pursuant to any agreements between the <br />Parties evidencing their business relationship. For purposes of this Agreement, data <br />aggregation services means the combining of Protected Health Information by Business <br />Associate with the, protected health information received by Business Associate in its <br />capacity as a business associate of another covered entity, to permit data analyses that <br />relate to the health care operations of the respective covered entities. <br />(c) Business Associate will implement appropriate safeguards to prevent use or disclosure <br />• of Protected Health Information other than as permitted in this Agreement. Business Associate will <br />implement administrative, physical, and technical safeguards that reasonably and appropriately protect <br />the confidentiality, integrity, and availability of any Electronic Protected Health Information that it <br />creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA <br />Security and Privacy Rule. <br />(d) The Secretary of Health and Human Services shall have the right to audit Business <br />Associate's records and practices related to use and disclosure of Protected Health Information to <br />ensure Covered Entity's compliance with the terms of the HIPAA Security and Privacy Rule. <br />(e) Business Associate shall report to Covered Entity (see Exhibit B) any use or disclosure <br />of Protected Health Information which is not in compliance with the terms of this Agreement, as well as <br />any Security Incident, of which it becomes aware. For purposes of this Agreement, "Security Incident" <br />means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of <br />information or interference with system operations in an information system. In addition, Business <br />Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business <br />Associate of a use or disclosure of Protected Health Information by Business Associate in violation of <br />the requirements of this Agreement. <br />II1. AVAILABILITY OF PHI <br />Business Associate agrees to make available Protected Health Information to the extent and in the <br />manner required by Section 164.524 of the HIPAA Security and Privacy Rule. Business Associate <br />agrees to make Protected Health Information available for amendment and incorporate any <br />• amendments to Protected Health Information in accordance with the requirements of Section 164.526 <br />of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to make Protected <br />