Laserfiche WebLink
52 <br /> <br />m. Business Associate shall implement administrative, physical, and technical safeguards that <br />reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI <br />that Business Associate creates, receives, maintains, or transmits on behalf of County. <br />n. Business Associate shall conform to generally accepted system security principles and the <br />requirements of the final HIPAA rule pertaining to the security of health information. <br />o. Business Associate shall ensure that any agent to whom it provides EPHI, including a <br />subcontractor, agrees to implement reasonable and appropriate safeguards to protect <br />such EPHI. <br />p. Business Associate shall report to County any Security Incident within three (3) business <br />days of becoming aware of such incident. Business Associate shall also facilitate breach <br />notification(s) to the appropriate governing body (i.e. HHS, OCR, etc.) as required by law. <br />As appropriate and after consulting with County, Business Associate shall also notify <br />affected individuals and the media of a qualifying breach. <br />q. Business Associate understands that it is directly liable under the HIPAA rules and subject <br />to civil and, in some cases, criminal penalties for making uses and disclosures of Protected <br />Health Information that are not authorized by this Attachment, the underlying contract as or <br />required by law. <br /> <br />III. PERMITTED USES AND DISCLOSURES BY CONTRACTOR AS BUSINESS <br />ASSOCIATE <br /> <br />Except as otherwise limited in this Schedule, Business Associate may use or disclose Protected <br />Health Information to perform functions, activities, or services for, or on behalf of, County as specified <br />in the Agreement; provided that such use or disclosure would not violate the Privacy Rule if done by <br />County. <br /> <br />IV. OBLIGATIONS OF COUNTY <br /> <br />a. County shall provide Business Associate with the notice of privacy practices that County <br />produces in accordance with Section 164.520, as well as any changes to such notice. <br />b. County shall provide Business Associate with any changes in, or revocation of, <br />permission by Individual to use or disclose Protected Health Information, if such <br />changes affect Business Associate's permitted or required uses and disclosures. <br />c. County shall notify Business Associate of any restriction to the use or disclosure of <br />Protected Health Information that County has agreed to in accordance with Section <br />164.522. <br /> <br />V. PERMISSABLE REQUESTS BY COUNTY <br /> <br />County shall not request Business Associate to use or disclose Protected Health Information in any <br />manner that would not be permissible under the Privacy Rule if so requested by County, unless the <br />Business Associate will use or disclose Protected Health Information for, and if the Agreement <br />provides for, data aggregation or management and administrative activities of Business Associate. <br /> <br />VI. DUTIES UPON TERMINATION OF AGREEMENT <br /> <br />a. Upon termination of the Agreement, for any reason, Business Associate shall return or destroy <br />all Protected Health Information received from County, or created, maintained, or received by <br />Business Associate on behalf of County, that Business Associate still maintains in any form. <br /> <br /> <br />   <br />   <br />