Common use of Business Associate Obligations Clause in Contracts

Business Associate Obligations. Business Associate agrees to comply with applicable federal confidentiality and security laws, specifically the provisions of the HIPAA Rules and the HITECH Act applicable to business associates, including:
2.1 Use and Disclosure of PHI. Except as otherwise permitted by this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). Business Associate shall in such cases:
2.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement;
2.1.2 obtain reasonable assurances, in writing from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held in confidence and further used and disclosed only as required by law or for the purpose for which it was disclosed to the person or entity; and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached; and
2.1.3 agree to notify the Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules or HITECH Act.
2.2 Marketing; Sale of PHI. Business Associate may not use or disclose PHI for marketing purposes. Marketing includes any communication which would encourage the recipient to use or purchase a product or service. Business Associate may not use or disclose PHI where it has directly or indirectly received remuneration, financial or otherwise, from or on behalf of the recipient of the PHI in exchange for the PHI. “Sale” is not limited to circumstances where a transfer of ownership occurs, and would include access, license or lease agreements.

Appears in 9 contracts

Samples: Participating Physician Practice Agreement, Participating Physician Practice Agreement, Participating Physician Practice Agreement


Business Associate Obligations. Business Associate covenants and agrees that it shall:
(1) Not use or further disclose PHI other than as permitted or required under this Agreement or as required by applicable law or regulation.
(2) Implement the administrative, physical and technical safeguards set forth in 45 C.F.R § 164.302-318 and otherwise reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits for or on behalf of the Covered Entity and to use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted under this Agreement.
(3) Use appropriate safeguards to maintain the security of and prevent unauthorized access, use and disclosure of Covered Entity’s PHI. Such safeguards will include a written information security program.
(4) Require any of its Subcontractors or other third parties with which Business Associate does business that are provided PHI or electronic PHI on behalf of Covered Entity, to agree, in writing, to adhere to the same restrictions and conditions on the use and disclosure of PHI that apply to Business Associate under this Agreement.
(5) To the extent Business Associate maintains PHI in a Designated Record Set, make available to Covered Entity upon written request from Covered Entity, such information as is necessary to fulfill Covered Entity’s obligations to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526; and (c) that may be required to provide an accounting of disclosures pursuant to 45 C.F.R. § 164.528. In the event of a request by an individual directly to Business Associate for an accounting, Business Associate will provide such an accounting in accordance with regulations and standards adopted by the Secretary of the U.S. Department of Health and Human Services (the “Secretary”). Business Associate shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate.
(6) Make available to the Secretary all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Business Associate on behalf of Covered Entity, for purposes of determining Covered Entity’s or Business Associate’s compliance with the HIPAA Regulations. The Parties’ respective rights and obligations under this Section C(6) shall survive the termination of the Underlying Agreement.
(7) During the term of the Underlying Agreement, notify the Privacy Officer of Covered Entity of any Breach of Unsecured PHI. Notice will include the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed during such Breach and other information necessary for Covered Entity to fulfill any Breach notification obligations.
(8) Disclose to its Subcontractors or other third parties, and request from Covered Entity, only the minimum PHI necessary, in Business Associate’s judgment, to perform or fulfill a specific function required or permitted by this Agreement.
(9) Business Associate shall not receive remuneration directly or indirectly in exchange for PHI. Without limiting the generality of the foregoing, this provision shall not prohibit payment by Covered Entity for services provided by Business Associate pursuant to the Underlying Agreement.
(10) Business Associate shall not use or disclose PHI for fundraising or for marketing purposes unless such use or disclosure is pursuant to the Underlying Agreement or another written agreement that does not violate HIPAA.

Appears in 3 contracts

Samples: Group Practice Agreement, Provider Subscription Agreement, Provider Subscription Agreement

Business Associate Obligations. Business Associate covenants and agrees that it shall:
(1) Not use or further disclose PHI other than as permitted or required under this Agreement or as required by applicable law or regulation.
(2) Implement administrative, physical and technical safeguards consistent with HIPAA that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits for or on behalf of Covered Entity and to use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted under this Agreement.
(3) Use appropriate safeguards to maintain the security of, and prevent unauthorized access to, Covered Entity’s PHI.
(4) Require any of its agents or subcontractors, or other third parties with which Business Associate does business that are provided PHI or electronic PHI on behalf of Covered Entity, to agree, in writing, to adhere to the same restrictions and conditions on the use and disclosure of PHI that apply to Business Associate under this Agreement.
(5) To the extent Business Associate maintains PHI in a Designated Record Set, upon request of the Covered Entity, make available to Covered Entity or to an individual patient such information as is necessary to fulfill Covered Entity’s or Business Associate’s obligations to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526; and (c) that may be required to provide an accounting of disclosures pursuant to 45 C.F.R. § 164.528. Business Associate shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate.
(6) Make available to the Secretary of Health and Human Services (“HHS”) all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Business Associate on behalf of Covered Entity, for purposes of determining Covered Entity’s or Business Associate’s compliance with federal privacy laws and regulations; provided, however, that Business Associate promptly will notify Covered Entity if it receives such a request. The Parties’ respective rights and obligations under this Section C(6) shall survive termination of this Agreement.
(7) During the term of this Agreement, provide written notification to Covered Entity’s Privacy Officer within a reasonable period of discovery any Breach of Unsecured PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations (collectively “Loss of Unsecured PHI”).
(8) Use and disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary, as further specified in regulations or guidance issued by HHS, to perform or fulfill a specific function required or permitted by this Agreement.

Appears in 2 contracts

Samples: Business Support Subcontractor Services Agreement (American Well Corp), Business Support Agreement (American Well Corp)

Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to AANI’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) AANI agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.
(b) AANI agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, AANI further agrees to: (i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a); (ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and (iii) report promptly, but in no case later than five (5) business days after Discovery, to Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to AANI and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by AANI to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.

Appears in 2 contracts

Samples: Registry Participation Agreement, Registry Participation Agreement

Business Associate Obligations. a. Business Associate agrees to:
i. not Use or Disclose PHI in violation of this BAA, the Agreement or applicable law;
ii. use appropriate safeguards and security measures to prevent unauthorized Use or Disclosure of PHI;
iii. provide a written report to Covered Entity, within 5 days of verification, of any unauthorized Use or Disclosure of PHI. Business Associate’s written report will, to the extent known, reflect: a. the nature of the unauthorized Use or Disclosure; b. the PHI used or disclosed; and c. the corrective action Business Associate has or will take to prevent similar unauthorized Use or Disclosure in the future;
iv. report to Covered Entity without undue delay, but in no event later than five (5) days of verification, any Breach of Unsecured PHI and cooperate with Covered Entity’s investigation of the Breach and fulfilling Covered Entity’s obligations under the HITECH Act and any other security breach notification laws. The Breach notification will, to the extent known, include the identity of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such Breach;
v. report to Covered Entity, within 5 days of becoming aware, any successful Security Incident;
vi. report, upon Covered Entity’s request, attempted but unsuccessful Security Incidents of which Business Associate becomes aware; provided that Covered Entity’s request shall be made no more often than is reasonable based upon the relevant facts, circumstances and industry standards;
vii. require its agent(s) and subcontractor(s) who receive Covered Entity’s PHI, whether it was received from, or created by Business Associate on behalf of Covered Entity, to agree in writing to substantially the same conditions and security measures agreed to by Business Associate under this BAA;
viii. make internal practices, books, and records, including policies and procedures, relating to the Use and Disclosure of PHI received from Covered Entity, or created by Business Associate on behalf of Covered Entity, available to the Secretary, in a time and manner as reasonably requested by or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the Security Rule;
ix. document Disclosures of PHI sufficiently to allow Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate will provide Covered Entity, in a mutually agreeable time and manner, documentation necessary for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI by Business Associate. Under no circumstances will Business Associate be required to accept or respond to accounting requests made by Individuals; Covered Entity is responsible for responding to all such accounting requests;
x. provide Covered Entity access to PHI as required to meet the requirements under 45 C.F.R. § 164.524 and HITECH Act. Under no circumstances will Business Associate be required to accept or respond to requests for access to PHI made by Individuals; Covered Entity is responsible for receiving and processing all such requests from Individuals;
xi. make amendment(s) to PHI at the request, direction and agreement of Covered Entity (provided in accordance with 45 C.F.R. § 164.526), in the time and manner agreed to by the parties; and
xii. to the extent Business Associate specifically agrees in writing, carry out Covered Entity’s obligations under Subpart E of 45 C.F.R. § 164, and comply with the requirements of Subpart E that would apply to Covered Entity in the performance of those obligations.
b. The parties acknowledge that:
i. Business Associate’s ability to report on system activity including Security Incidents, is limited by, and to, the Services which Covered Entity has purchased;
ii. Business Associate has no obligation to report unsuccessful Security Incidents or to monitor Customer’s Services other than as included with and permitted by those Services that the Customer purchases or those procedures separately agreed to in writing; and
iii. Business Associate has no obligation to report network security related incidents which occur on the AT&T managed network but do not directly involve Customer’s PHI or BA - Related Services.

Appears in 2 contracts

Samples: Business Associate Agreement, Hipaa Business Associate Agreement

Business Associate Obligations. A.1.1. Business Associate may receive from Covered Entity, or create, receive, maintain or transmit on behalf of Covered Entity, health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI. All capitalized terms not otherwise defined in this Agreement shall have the meanings set forth in HIPAA or ARRA, as applicable, and all references to PHI herein shall be construed to include EPHI. Business Associate agrees not to use or disclose (or permit the use or disclosure of) PHI in a manner that would violate the requirements of the Privacy Standards or Security Standards (as of the compliance deadline for such standards) if the PHI were used or disclosed by Covered Entity in the same manner. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement.
A.1.2. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate covenants that such safeguards shall include, without limitation, implementing written policies and procedures in compliance with HIPAA and ARRA, conducting a security risk assessment, and training Business Associate employees who will have access to PHI with respect to the policies and procedures required by HIPAA and ARRA.
A.1.3. In the event of a Breach (as hereinafter defined) of any Unsecured PHI or EPHI that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity in connection with the Business Arrangements, Business Associate shall provide notice of such Breach to Covered Entity within ten (10) calendar days. “Breach” shall mean the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information. “Unsecured PHI or EPHI” shall mean PHI or EPHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.

Appears in 1 contract

Samples: Electronic Health Records System Contract

Business Associate Obligations. 2.1 Business Associate agrees that it is directly liable for compliance with both the Privacy and Security Rule under the Health Insurance Portability and Accountability Act of 1996, as amended from time to time ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (“HITECH”), and its attendant regulations and guidance. 2.2 Business Associate acknowledges that it will maintain compliance documents required under applicable HIPAA rules. 2.3 Business Associate agrees that it shall only use and disclose PHI as allowed by and in order to perform the terms of this Agreement or the Underlying Agreement, or as is Required By Law. 2.4 Business Associate is not an agent of the Covered Entity. 2.5 Business Associate will ensure and obtain satisfactory assurances in the form of an executed business associate agreement that any agents, including subcontractors, that create, receive, maintain, or transmit PHI on behalf of the Business Associate on behalf of Covered Entity agrees to the same restrictions, conditions and requirements that apply to Business Associate with respect to such information and do not export PHI beyond the borders of the United States of America, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable. Business Associate shall, upon knowledge of a material breach by a subcontractor of the subcontractor’s obligations under its contract with Business Associate, either notify such subcontractor of such breach and provide an opportunity for subcontractor to cure the breach within a 5 business day period; or, in the event subcontractor fails to cure such breach or cure is not possible, Business Associate shall terminate the contract with subcontractor. 
Upon request, Business Associate shall provide the applicable Party with a copy of the written agreement or contract entered into by Business Associate and its subcontractor to meet the obligations of Business Associate under this section. 2.6 Business Associate shall develop, implement, maintain, and use appropriate safeguards to prevent any use or disclosure of PHI other than as provided by this Agreement, and to implement administrative, physical, and technical safeguards as required by Subpart C Part 164 of title 45, Code of Federal Regulations, and HITECH in order to protect the confidentiality, integrity, and availability of PHI that Business Associate creates, receives, maintains, or transmits, to the same extent as if Business Associate were a Participant. See HITECH § 13401. 2.7 The additional requirements of Title XIII of HITECH that relate to privacy and security and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference are hereby incorporated into this Agreement. 2.8 Business Associate agrees to adopt the technology and methodology standards provided in any guidance issued by the Secretary pursuant to HITECH §§ 13401-13402. 2.9 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement and to notify the applicable Party of any breach of unsecured PHI, as required under HITECH § 13402. 
2.10 During the term of this Agreement, Business Associate shall pay direct costs and notify the applicable Party promptly, and without unreasonable delay, of any suspected or actual Security Incident or breach of security, intrusion or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations, or any legal action against Business Associate arising from an alleged HIPAA violation. Business Associate shall take (i) prompt action to correct any such deficiencies and (ii) any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations. 2.11 Business Associate shall report, in writing, to the applicable Party any use or disclosure of PHI that is not authorized by the Agreement. Such written notice shall be provided to the applicable Party without unreasonable delay and in no event more than five days after Business Associate becomes aware, or should have become aware by exercising reasonable diligence, of such use or disclosure. [45 C.F.R. § 164.410]. 2.12 Business Associate acknowledges that Business Associate is subject to applicable provisions of 45 C.F.R. Part 164, Subpart D. In addition to its required notification to the Individual, HHS, and media (as appropriate) under the law, Business Associate further acknowledges that Business Associate shall, following the discovery of a breach of Unsecured PHI, notify the applicable Party of such breach as such is required under 45 C.F.R. § 164.410(a)(1). For purposes of this Section 2.10, “breach” has the meaning provided at 45 C.F.R. §164.402. Breaches shall be treated as discovered by Business Associate as provided under 45 C.F.R. § 164.410(a)(2). 
Business Associate shall provide notification of a Breach of Unsecured PHI to the applicable Party without unreasonable delay and in no event more than sixty days after discovery of a breach (discovery of a breach is defined as the first day on which the breach is known or by exercising reasonable diligence would have been known). The notification shall include, to the extent possible, the date of the breach, the nature of the breach, and the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the breach. Business Associate shall also provide any other available information that is required for the applicable Party to include in the notification of the individual as provided at 45 C.F.R. §164.404(c) at the time provided for notifying the applicable Party of the breach as provided in this Section 2.12 or promptly thereafter as such information becomes available. 2.13 Pursuant to the Security Rule requirements, Business Associate agrees to implement a mechanism to encrypt electronic PHI, or if implementing encryption is not reasonable and appropriate, document the reason for that determination and implement an equivalent alternative measure that is reasonable and appropriate under the circumstances. 2.14 To the extent that Business Associate maintains any PHI in Designated Record Sets, Business Associate shall make PHI in Designated Record Sets that are maintained by Business Associate or its agents or subcontractors, if any, available to the applicable Party for inspection and copying within five days of a request by the applicable Party to enable the applicable Party to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR § 164.524 and 164.526. 
2.15 To the extent that Business Associate maintains any PHI in Designated Record Sets, within thirty (30) calendar days of receipt of a request from the applicable Party for an amendment of PHI or a record about an Individual maintained in a Designated Record Set, Business Associate or its agents or subcontractors, if any, shall make such PHI available to the applicable Party for amendment and shall incorporate any such amendment to enable the applicable Party to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR § 164.524. If an Individual requests an amendment of PHI directly from Business Associate or its agents or subcontractors, if any, Business Associate must notify the applicable Party in writing within thirty (30) days of the request. Any denial of amendment of PHI maintained by Business Associate or its agents or subcontractors, if any, shall be the responsibility of the Participant. Upon the approval of Participant, Business Associate shall appropriately amend the PHI maintained by it, or any agents or subcontractors. 2.16 Business Associate agrees to document any disclosures of PHI, and any information related to such disclosures, as would be required for the applicable Party to respond to a request by an individual for an accounting of disclosures of the PHI in accordance with 45 C.F.R. §164.528 and, if required by and upon the effective date of, Section 13405(c) of HITECH and related regulatory guidance. 
Within thirty (30) days of notice by the applicable Party of a request for an accounting of disclosures of PHI, Business Associate and any agents or subcontractors shall make available to the applicable Party the information required to provide an accounting of disclosures to enable the applicable Party to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR 2.17 Business Associate shall make its internal practices and records relating to the use and disclosure of PHI available to the Secretary or Covered Entity for purposes of determining the applicable Party’s compliance with the Privacy Rule within 5 business days of a request. Business Associate shall notify the applicable Party regarding any PHI that Business Associate provides to the Secretary concurrently with providing such PHI to the Secretary, and upon request by Participant, shall provide Participant with a duplicate copy of such PHI. 2.18 Business Associate and its agents or subcontractors, if any, shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. Business Associate agrees to comply with the Secretary's guidance on what constitutes minimum necessary. See HITECH § 13405. 2.19 Business Associate acknowledges that Business Associate has no ownership rights related to PHI. Covered Entity holds all right, title, and interest in PHI. 
2.20 Except as otherwise limited in this Agreement, Business Associate may use and disclose PHI to provide Data Aggregation services to the applicable Party as permitted by 45 CFR §164.504(e)(2)(i)(B). 2.21 Business Associate shall notify the applicable Party of any requests by individuals received by Business Associate that include a request for access to, or amendment of, PHI. Business Associate shall promptly forward any such individual requests received directly by Business Associate to the applicable Party’s Chief Privacy Officer. Participant shall be responsible for responding, or objecting, to all such individual requests in accordance with Participant’s HIPAA privacy policies that address an individual’s right to request access to, amendment of, or an accounting of disclosures of PHI. Business Associate shall cooperate and provide available information related to the use and disclosure of Protected Health Information to the extent required (within 30 days) by Participant to comply with Participant policies. 
2.22 If Business Associate knows of a pattern of activity or practice by the applicable Party that constitutes a material breach or violation of the Participant’s obligations under this Agreement, Business Associate will take reasonable steps to notify Participant of the breach and seek Participant’s cure of the breach or resolution of the violation. If all such steps are unsuccessful within a period of thirty (30) days, Business Associate will either: (1) terminate the Agreement, if feasible; or (2) report the problem to the Secretary. 2.23 Business Associate agrees that any PHI transmitted electronically and/or stored on any type of mobile media, including laptop computers, tablet computers, smart phones, etc., must be encrypted, and that information stored whether intentional or not is subject to HIPAA Security Rules provisions for Business Associates. 2.24 Business Associate agrees, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, it will comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations. 
2.25 Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person or organization to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the organization, and the organization notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. 2.26 Business Associate is not authorized to de-identify in accordance with 45 CFR 164.514(a)-(c), PHI received by Business Associate by or on behalf of Covered Entity; nor is Business Associate authorized to use de-identified information received from Covered Entity for a purpose not authorized by this Agreement, except with the prior written consent of the Covered Entity. 2.27 Business Associate agrees to make uses and disclosures and requests for PHI consistent with the requirements of 45 CFR 164.502(b) and 164.514(d).

Appears in 1 contract

Samples: Business Associate Agreement

Business Associate Obligations. 2.1 Business Associate will not use or further disclose PHI except for the purpose of making available eOrdersPlus to or on behalf of Covered Entity in accordance with Business Associate’s Terms of Use for eOrdersPlus or any other applicable agreement between the parties (consistent with the requirements of HIPAA and this Agreement), as otherwise permitted or required by this Agreement, or as Required By Law. Business Associate may request, use, or disclose PHI as is necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Business Associate may disclose PHI for these purposes if either (i) the disclosure is Required By Law, or (ii) Business Associate obtains reasonable assurances from the person or entity to whom Business Associate discloses the PHI that the PHI will be held confidentially and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person or entity; and that the person or entity will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. As permitted by Covered Entity, Business Associate may use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity. 2.2 Business Associate will use appropriate safeguards and comply, where applicable, with the Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement. 2.3 Business Associate will report to Covered Entity any use or disclosure of PHI not provided for by this Agreement or Security Incident of which it becomes aware, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410. 
The parties acknowledge and agree that this paragraph constitutes notice by Business Associate to Covered Entity of the ongoing occurrence of incidents that may constitute Security Incidents but that are trivial and do not result in the unauthorized access, use, or disclosure of PHI that is electronic PHI, including without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and denials of service, for which no additional notice to Covered Entity shall be required. 2.4 Business Associate will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to substantially similar restrictions and conditions that apply to Business Associate with respect to the PHI. 2.5 Business Associate will make available PHI in accordance with 45 C.F.R. § 164.524. 2.6 Business Associate will make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526. 2.7 Business Associate will make available the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528. 2.8 To the extent that Business Associate agrees to carry out Covered Entity’s obligation under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of the obligation. 2.9 Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining each party’s compliance with the Privacy Rule. 
2.10 At termination of this Agreement or the applicable underlying services, if feasible, Business Associate will return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity in the performance of such services that Business Associate still maintains in any form and retain no copies of the PHI. If the return or destruction of the PHI is not feasible, Business Associate will extend the protections of this Agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Appears in 1 contract

Samples: Business Associate Agreement

Business Associate Obligations. 3.1 Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI as required under the Security Rule. 3.2 Business Associate will ensure that any agent, including a subcontractor, to whom it provides PHI enters into a written agreement with Business Associate and agrees to implement reasonable and appropriate safeguards to the same extent required by Business Associate under this Agreement. 3.3 Business Associate will report to Covered Entity any attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in an Information System affecting such PHI (“Security Incident”) of which Business Associate becomes aware within ten (10) days of Business Associate’s Discovery of such Security Incident. Notwithstanding the foregoing, the Parties acknowledge the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents which are trivial in nature, and the Parties agree that no additional notification to Covered Entity of such Unsuccessful Security Incidents is required. Provided, however, to the extent that Business Associate becomes aware of an unusually high number of such Unsuccessful Security Incidents due to the repeated acts of a single party, Business Associate shall notify Covered Entity in writing within ten (10) days of Business Associate’s Discovery of such event. 3.4 Business Associate will report to Covered Entity in writing any acquisition, access, use or disclosure of PHI in violation of HIPAA which constitutes a Breach of Unsecured PHI within ten (10) days of Discovery of the Breach. 
3.5 Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s minimum necessary policies and procedures to the extent those policies and procedures are communicated to Business Associate in accordance with Section 4.4 below, and ensure that Business Associate uses or discloses the minimum necessary PHI when carrying out its obligations to provide the Services. 
3.6 Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person or entity notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. 3.7 Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate or Covered Entity related to the use, disclosure, transmission, reception, creation, or maintenance of PHI by Business Associate.

Appears in 1 contract

Samples: Business Associate Agreement

Business Associate Obligations. 1.1 Business Associate may receive from Covered Entity, or create, receive, maintain or transmit on behalf of Covered Entity, health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI. Business Associate agrees not to use or disclose (or permit the use or disclosure of) PHI other than as permitted and as required by this Agreement or as required by law. Business Associate will not use or further disclose PHI in a manner that would violate the requirements of HIPAA if done by Covered Entity. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement. PHI and EPHI are limited to the information created, received, maintained, and/or transmitted by Business Associate from or on behalf of Covered Entity. To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, Business Associate must comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s). 1.2 Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate covenants that such safeguards shall include, without limitation, implementing written policies and procedures in compliance with HIPAA and ARRA, conducting a security risk assessment, and training Business Associate employees who will have access to PHI with respect to the policies and procedures required by HIPAA and ARRA. 1.3 In the event of a Breach (as hereinafter defined) of any Unsecured PHI or EPHI that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity in connection with the Business Arrangements, Business Associate shall provide notice of such Breach to Covered Entity within two (2) business days of discovery. 
“Breach” shall mean the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information. “Unsecured PHI or EPHI” shall mean PHI or EPHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.


Samples: Business Associate Agreement

Business Associate Obligations. 2.1 Business Associate agrees that it shall only use and disclose PHI in accordance with the terms of this Agreement or as is Required By Law. 2.2 Business Associate shall not use or disclose PHI except for the purpose of performing Business Associate's obligations to Covered Entity, as such use or disclosure is limited by this Agreement. These obligations are as follows: [INSERT PERMITTED USES AND DISCLOSURES OR REFER TO AN ATTACHED DOCUMENT THAT DESCRIBES THE SERVICES TO BE PROVIDED TO COVERED ENTITY.] 2.3 Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the Privacy Rule. So long as such use or disclosure does not violate the Privacy Rule or this Agreement, Business Associate may use and disclose PHI: (a) as is necessary for the proper management and administration of Business Associate's organization, or (b) to carry out the legal responsibilities of Business Associate, as provided in 45 CFR § 164.504(e)(4). 2.4 Business Associate will ensure that any agents, including subcontractors, to whom it provides PHI agree in writing to the same restrictions and conditions, including but not limited to those relating to termination of the contract for improper disclosure, that apply to Business Associate with respect to such information. 
Further, Business Associate shall implement and maintain sanctions against agents and subcontractors, if any, that violate such restrictions and conditions. Business Associate shall terminate any agreement with an agent or subcontractor, if any, who fails to abide by such restrictions and obligations. Business Associate shall not provide any PHI to any third party or subcontract any Services without Covered Entity’s express written permission. 2.5 Business Associate shall develop, implement, maintain, and use appropriate safeguards to prevent any use or disclosure of the PHI or EPHI other than as provided by this Agreement, and shall implement administrative, physical, and technical safeguards as required by sections 164.308, 164.310, 164.312 and 164.316 of title 45, Code of Federal Regulations and HITECH in order to protect the confidentiality, integrity, and availability of EPHI or PHI that Business Associate creates, receives, maintains, or transmits, to the same extent as if Business Associate were a Covered Entity. See HITECH § 13401. 2.6 The additional requirements of Title XIII of HITECH that relate to privacy and security and that are made applicable with respect to covered entities shall also be applicable to Business Associate and are hereby incorporated into this Agreement by reference. 2.7 Business Associate agrees to adopt the technology and methodology standards provided in any guidance issued by the Secretary pursuant to HITECH §§ 13401-13402. 
2.8 Business Associate agrees to mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement and to notify Covered Entity of any breach of Unsecured PHI, as required under HITECH § 13402. 2.9 Business Associate shall report, in writing, to Covered Entity any use or disclosure of PHI that is not authorized by the Agreement. Such written notice shall be provided to Covered Entity within five (5) business days of becoming aware of such use or disclosure. 2.10 In the case of a breach of Unsecured PHI, Business Associate shall, following the discovery of a breach of such information, notify the Covered Entity of such breach. The notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during the breach. If the breach involves the Unsecured PHI of more than 500 residents of [State] or residents of a certain region, or is reasonably believed to have been accessed, acquired or disclosed during such incident, [Entity] will also notify the prominent media outlets. The media outlets must serve the geographic area affected. 
2.11 Business Associate must obtain, prior to making any permitted disclosure as set forth in Section 2.2, reasonable assurances from the third party that such PHI will be held secure and confidential as provided pursuant to this Agreement and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and that any breaches of confidentiality of the PHI which become known to such third party will be immediately reported to Business Associate. As part of obtaining this reasonable assurance, Business Associate agrees to enter into a Business Associate Agreement with each of its subcontractors pursuant to 45 CFR § 164.308(b)(1) and HITECH § 13401. 2.12 Business Associate shall make PHI in Designated Record Sets that are maintained by Business Associate or its agents or subcontractors, if any, available to Covered Entity for inspection and copying within ten (10) days of a request by Covered Entity to enable Covered Entity to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR § 164.524. 2.13 Within ten (10) days of receipt of a request from Covered Entity for an amendment of PHI or a record about an Individual contained in a Designated Record Set, Business Associate or its agents or subcontractors, if any, shall make such PHI available to Covered Entity for amendment and shall incorporate any such amendment to enable Covered Entity to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR § 164.524. 
If an Individual requests an amendment of PHI directly from Business Associate or its agents or subcontractors, if any, Business Associate must notify Covered Entity in writing within five (5) days of the request. Any denial of amendment of PHI maintained by Business Associate or its agents or subcontractors, if any, shall be the responsibility of Covered Entity. Upon the approval of Covered Entity, Business Associate shall appropriately amend the PHI maintained by it, or any agents or subcontractors. 2.14 Within ten (10) days of notice by Covered Entity of a request for an accounting of disclosures of PHI, Business Associate and any agents or subcontractors shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR § 164.528. Except in the case of a direct request from an Individual for an accounting related to treatment, payment or operations disclosures through an electronic health record, if the request for an accounting is delivered directly to Business Associate or its agents or subcontractors, if any, Business Associate shall within five (5) business days of a request notify Covered Entity about such request. Covered Entity shall either inform Business Associate to provide such information directly to the Individual, or it shall request the information to be immediately forwarded to Covered Entity for compilation and distribution to such Individual. In the case of a direct request for an accounting from an Individual related to treatment, payment or operations disclosures through electronic health records, Business Associate shall provide such accounting to the Individual in accordance with XXXXXX § 00000(x). Business Associate shall not disclose any PHI unless such disclosure is Required by Law or is in accordance with this Agreement. Business Associate shall document such disclosures. 
Notwithstanding Section 4.4, Business Associate and any agents or subcontractors shall continue to maintain the information required for purposes of complying with this Section 2.12 for a period of six (6) years after termination of the Agreement. 2.15 Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with the Privacy Rule. Business Associate shall notify Covered Entity regarding any PHI that Business Associate provides to the Secretary concurrently with providing such PHI to the Secretary, and upon request by Covered Entity, shall provide Covered Entity with a duplicate copy of such PHI. 2.16 Business Associate and its agents or subcontractors, if any, shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. Business Associate agrees to comply with the Secretary’s guidance on what constitutes minimum necessary. See HITECH § 13405. 2.17 Business Associate acknowledges that Business Associate has no ownership rights related to the PHI. 2.18 Business Associate and its subcontractors or agents, if any, shall retain any PHI throughout the term of the Agreement. 
2.19 Unless greater coverage is required under any other agreement between Covered Entity and Business Associate for the provision of services related to this Agreement, Business Associate shall maintain or cause to be maintained the following insurance covering itself and each subcontractor or agent, if any, through whom Business Associate provides services; (i) a policy of commercial general liability and property damage insurance, and electronic data processing insurance, with limits of liability not less than two million dollars ($2,000,000) per occurrence and two million dollars ($2,000,000) annual aggregate and (ii) such other insurance or self insurance as shall be necessary to insure it against any claim or claims for damages arising under this Agreement or from violating Business Associate’s own obligations under HIPAA and XXXXXX (xxx XXXXXX § 00000), including but not limited to, claims or the imposition of administrative penalties and fines on Business Associate or its subcontractors or agents, if any, arising from the loss, theft, or unauthorized use or disclosure of PHI. Such insurance coverage shall apply to all site(s) of Business Associate and to all services provided by Business Associate or any subcontractors or agents under this Agreement. 2.20 During the term of this Agreement, Business Associate shall notify Covered Entity within twenty-four (24) hours of any suspected or actual Security Incident or breach of security, intrusion or unauthorized use or disclosure of PHI or EPHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations, or any legal action against Business Associate arising from an alleged HIPAA violation. Business Associate shall take (i) prompt action to correct any such deficiencies and (ii) any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations. 
2.21 Within ten (10) business days of a written request by Covered Entity, Business Associate and its agents or subcontractors, if any, shall allow Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of PHI pursuant to this Agreement for the purpose of determining whether Business Associate has complied with this Agreement and HITECH; provided, however, that (i) Business Associate and Covered Entity mutually agree in advance upon the scope, location and timing of such an inspection; and (ii) Covered Entity shall protect the confidentiality of all confidential and proprietary information of Business Associate to which Covered Entity has access during the course of such inspection. 2.22 Except as otherwise limited in this Agreement, Business Associate may provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). 2.23 If Business Associate knows of a pattern of activity or practice by the Covered Entity that constitutes a material breach or violation of the Covered Entity’s obligations under this Agreement, Business Associate will take reasonable steps to cure the breach or end the violation. 
If such steps are unsuccessful within a period of 30 days, Business Associate will either: 1) terminate the Agreement, if feasible; or 2) report the problem to the Secretary.


Samples: Business Associate Agreement


Business Associate Obligations. 2.1. Business Associate agrees to: 2.1.1 not Use or Disclose PHI in violation of this BAA, the Underlying Agreement(s) or applicable law; 2.1.2 use appropriate safeguards and measures to prevent unauthorized Use or Disclosure of PHI; 2.1.3 provide a written report to Covered Entity, within five (5) days of verification, of any unauthorized Use or Disclosure of PHI. Business Associate’s written report will, to the extent known, reflect: a. the nature of the unauthorized Use or Disclosure; b. the PHI used or disclosed; and c. the corrective action Business Associate has or will take to prevent similar unauthorized Use or Disclosure in the future; 2.1.4 report to Covered Entity, without undue delay, but in no event later than five (5) days of verification, any Breach of Unsecured PHI and cooperate with Covered Entity’s investigation of the Breach and with fulfilling Covered Entity’s obligations under the HITECH Act and any other security breach notification laws. The Breach notification will, to the extent known, include the identity of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such Breach; 2.1.5 report to Covered Entity any successful Security Incident within five (5) days of learning of such successful Security Incident; if the notice period falls on a weekend or public holiday, then the notice is due on the next business day; 2.1.6 report, upon Covered Entity’s request, attempted but unsuccessful Security Incidents of which Business Associate becomes aware; provided that Covered Entity’s request shall be made no more often than is reasonable based upon the relevant facts, circumstances and industry standards; this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice is required. “Unsuccessful Security Incidents” include, but are not limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and denial of service attacks, so long as there is no unauthorized access, use or disclosure of electronic PHI. All reports of Breaches shall be made in compliance with 45 CFR §164.410. 
2.1.7 require its agent(s) and subcontractor(s) who receive Covered Entity’s PHI, whether it was received from, or created by Business Associate on behalf of Covered Entity, to agree in writing to substantially the same conditions and security measures agreed to by Business Associate under this BAA; 2.1.8 make internal practices, books, and records, including policies and procedures, relating to the Use and Disclosure of PHI received from Covered Entity, or created by Business Associate on behalf of Covered Entity, available to the Secretary, in a time and manner as reasonably requested by or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the Security Rule; 2.1.9 document Disclosures of PHI sufficiently to allow Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate will provide Covered Entity, in a mutually agreeable time and manner, documentation necessary for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI by Business Associate. Under no circumstances will Business Associate be required to accept or respond to accounting requests made by Individuals. Covered Entity is responsible for responding to all such accounting requests; 2.1.10 provide Covered Entity access to PHI as required to meet the requirements under 45 C.F.R. § 164.524 and the HITECH Act. Under no circumstances will Business Associate be required to accept or respond to requests for access to PHI made by Individuals; Covered Entity is responsible for receiving and processing all such requests from Individuals; 2.1.11 make amendment(s) to PHI at the request, direction and agreement of Covered Entity (provided in accordance with 45 C.F.R. § 164.526), in the time and manner agreed to by the parties; 2.1.12 to the extent Business Associate specifically agrees in writing, carry out Covered Entity’s obligations under Subpart E of 45 C.F.R. § 164, and comply with the requirements of Subpart E that would apply to Covered Entity in the performance of those obligations; and 2.1.13 promptly forward any requests Business Associate receives from Individuals to Covered Entity for appropriate response. 
2.2. The parties acknowledge that: 2.2.1 Business Associate’s ability to report on system activity, including Security Incidents, is limited by, and to, the Services which Covered Entity has purchased; 2.2.2 Business Associate has no obligation to report unsuccessful Security Incidents or to monitor Customer’s Services other than as included with and permitted by those Services that the Customer purchases or those procedures separately agreed to in writing; and


Samples: Business Associate Agreement

Business Associate Obligations. 2.1 Business Associate agrees that it will only access, use, or disclose PHI in accordance with the terms of this Agreement or as is Required By Law. Business Associate acknowledges that it may only access, use, or disclose PHI obtained or created pursuant to a Services Agreement with Covered Entity if the access, use, or disclosure is in compliance with each applicable requirement of the Privacy Rule found in 45 C.F.R. § 164.504(e) and applicable state requirements, whichever are most protective of the PHI. 2.2 Business Associate will not access, use, or disclose PHI except for the purpose of performing Business Associate's obligations to Covered Entity as described in the Services Agreement, consistent with the requirements of HIPAA and this Agreement, and for other uses and disclosures permitted under this Agreement. 2.3 Business Associate will not access, use, or disclose PHI in any manner that constitutes a violation of the Privacy Rule. So long as such access, use, or disclosure does not violate the Privacy Rule or this Agreement, Business Associate may access, use, or disclose PHI: (a) as is necessary for the proper management and administration of Business Associate's organization, or (b) to carry out the legal responsibilities of Business Associate, as provided in 45 C.F.R. § 164.504(e)(4). 
Business Associate may only disclose PHI for these purposes, in accordance with the provisions of 45 C.F.R. § 164.504(e)(4)(ii), if either (i) the disclosure is Required By Law, or (ii) Business Associate obtains reasonable assurances in writing from the person or entity to whom Business Associate discloses the PHI that the PHI will be held confidentially and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person or entity, and that the person or entity will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. If expressly permitted by Covered Entity, Business Associate may use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity, as provided in 45 C.F.R. § 164.504(e)(2)(i)(B). 
2.4 Business Associate will only access, use, or disclose the minimum amount of PHI necessary for Business Associate to perform the services for which it has been retained by Covered Entity. Business Associate agrees to comply with the Secretary’s guidance on what constitutes minimum necessary. 2.5 Business Associate will develop, implement, maintain, and use appropriate safeguards to prevent any access, use, or disclosure of the PHI other than as provided by this Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of EPHI. Business Associate acknowledges that the Security Rule provisions regarding administrative safeguards, physical safeguards, technical safeguards, and policies and procedures and documentation requirements found in 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 apply to Business Associate in the same manner as to Covered Entity. 2.6 Business Associate will secure all PHI using a technology or methodology specified by the Secretary pursuant to 42 U.S.C. § 17932(h) that renders such information unusable, unreadable, or indecipherable to unauthorized individuals. 2.7 Prior to making any permitted disclosures, Business Associate will ensure that any agents, including subcontractors, to whom it provides PHI agree in writing to be bound by the same privacy and security restrictions and conditions that apply to Business Associate under this Agreement, including but not limited to those conditions relating to termination of the contract for improper disclosure. Further, Business Associate shall implement and maintain sanctions against agents and subcontractors, if any, that violate such restrictions and conditions. Business Associate shall terminate any agreement concerning PHI with an agent or subcontractor, if any, who fails to abide by such restrictions and obligations. 
2.8 Business Associate will report, in writing, to Covered Entity any of the following: (i) access, use, or disclosure of PHI that is not authorized by this Agreement; (ii) Security Incidents of which it becomes aware that it, its employees, or its agents or subcontractors experience involving or potentially involving Covered Entity EPHI; (iii) Breach of Covered Entity Unsecured PHI; and (iv) other Unauthorized Use or Disclosure of individually identifiable information. The written notice shall be provided to Covered Entity in accordance with Sec.


Samples: Enterprise Customer Agreement

Business Associate Obligations. a. Business Associate agrees to: i. not Use or Disclose PHI in violation of this BAA, the Agreement or applicable federal confidentiality law; ii. use appropriate safeguards and security measures to prevent unauthorized Use or Disclosure of PHI; iii. provide a written report to Covered Entity, within 5 days of verification, of any unauthorized Use or Disclosure of PHI. Business Associate’s written report will, to the extent known, reflect: a. the nature of the unauthorized Use or Disclosure; b. the PHI used or disclosed; and c. the corrective action Business Associate has or will take to prevent similar unauthorized Use or Disclosure in the future; iv. report to Covered Entity by telephone call plus email or registered or certified mail, without undue delay, but in no event later than five (5) days of verification, any Breach of Unsecured PHI and cooperate with Covered Entity’s investigation of the Breach and fulfilling Covered Entity’s obligations under the HITECH Act and any other security breach notification laws. The Breach notification will, to the extent known, include the identity of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such Breach; v. report to Covered Entity by telephone call plus email or registered or certified mail, within 5 days of becoming aware, any successful Security Incident; vi. report, upon Covered Entity’s request, attempted but unsuccessful Security Incidents of which Business Associate becomes aware; provided that Covered Entity’s request shall be made no more often than is reasonable based upon the relevant facts, circumstances and industry standards; vii. require its agent(s) and subcontractor(s) who receive Covered Entity’s PHI, whether it was received from, or created by Business Associate on behalf of Covered Entity, to agree in writing to substantially the same conditions and security measures agreed to by Business Associate under this BAA; viii. make internal practices, books, and records, including policies and procedures, relating to the Use and Disclosure of PHI received from Covered Entity, or created by Business Associate on behalf of Covered Entity, available to the Secretary, in a time and manner as reasonably requested by or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the Security Rule; ix. document Disclosures of PHI sufficiently to allow Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate will provide Covered Entity, in a mutually agreeable time and manner, documentation necessary for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI by Business Associate. Under no circumstances will Business Associate be required to accept or respond to accounting requests made by Individuals; Covered Entity is responsible for responding to all such accounting requests; x. provide Covered Entity access to PHI as required to meet the requirements under 45 C.F.R. § 164.524 and HITECH Act. Under no circumstances will Business Associate be required to accept or respond to requests for access to PHI made by Individuals; Covered Entity is responsible for receiving and processing all such requests from Individuals; xi. make amendment(s) to PHI at the request, direction and agreement of Covered Entity (provided in accordance with 45 C.F.R. § 164.526), in the time and manner agreed to by the parties; and xii. to the extent Business Associate specifically agrees in writing, carry out Covered Entity’s obligations under Subpart E of 45 C.F.R. § 164, and comply with the requirements of Subpart E that would apply to Covered Entity in the performance of those obligations. xiii. agree to make its most recent security audit available upon request and subject to confidentiality. xiv. where applicable, agrees to retain and securely store data and documents in accordance with HIPAA, the HITECH Act, and their implementing regulations. xv. Business Associate shall be responsible for, and shall reimburse Covered Entity for costs and expenses associated with steps reasonably implemented by Covered Entity to mitigate any Breach or other non-permitted Use or Disclosure of PHI or medical, health or personal information protected by other federal or state law, including, without limitation, the following: data analysis to determine appropriate mitigation steps in the event of a Breach, including assistance from Business Associate in the investigation of the Breach and, as needed, access to Business Associate’s systems and records for purposes of Breach data analysis; preparation and mailing of notification(s) about the Breach to impacted Individuals, the media and regulators; costs associated with proper handling of inquiries from Individuals and other entities about the Breach (such as the establishment of toll-free numbers, maintenance of call centers for intake, preparation of scripts, questions/answers, and other communicative information about the Breach); credit monitoring and account monitoring services for impacted Individuals for a reasonable period (which shall be no less than 12 months); other mitigation action steps required of Covered Entity by federal or state regulators; and other reasonable mitigation steps required by Covered Entity. b. The parties acknowledge that: i. Business Associate’s ability to report on system activity including Security Incidents, is limited by, and to, the Services which Covered Entity has purchased; ii. Business Associate has no obligation to report unsuccessful Security Incidents or to monitor Purchaser’s Services other than as included with and permitted by those Services that the Purchaser purchases or those procedures separately agreed to in writing; iii. Business Associate has no obligation to report network security related incidents which occur on the Seller managed network but do not directly involve Purchaser’s PHI or BA - Related Services.

Appears in 1 contract

Samples: Master Purchase Agreement

Business Associate Obligations. A. Business Associate's use and/or disclosure of PHI is limited to only those purposes that are necessary to perform its obligations under the Agreement or as Required by Law; B. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI (EPHI), to prevent uses or disclosures of PHI other than as provided for by this Agreement; C. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this Agreement of which it becomes aware within thirty (30) days, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410; D. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware; E. Business Associate will ensure that its agents, including any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same requirements that apply to the Business Associate with respect to such information; F. Business Associate agrees to comply with Covered Entity's request to accommodate an individual's request to access PHI. This applies to Business Associate to the extent that it creates a Designated Record Set under 45 CFR Part 164.524; X. Business Associate agrees to comply with Covered Entity's request to make amendments to PHI. This applies to Business Associate to the extent that it creates a Designated Record Set in accordance with 45 CFR Part 164.526; H. Business Associate shall maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528; I. Any notice to the Covered Entity will include, to the extent possible, the identification of the individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, or disclosed in a Breach. Business Associate will provide to Covered Entity the information required by 45 CFR Part 164.410 (c) within thirty (30) days of discovery of Breach; and J. Business Associate shall make its internal practices, books and records available to the Secretary, Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

Appears in 1 contract

Samples: Subscription Services Agreement

Business Associate Obligations. In performance of those Services, Business Associate shall: 3.1 Not use or disclose PHI other than as permitted or required by the Agreement, including all Exhibits or Attachments thereto, as necessary for the proper management and administration of Business Associate's business, or as required by applicable law; 3.2 Have in place documented policies and procedures for compliance with HIPAA, HITECH, and HIPAA regulations, as well as this Exhibit A; 3.3 On an on-going basis provide training for its employees pertaining to this Exhibit A and the obligations thereunder, including educating such employees that they may be subject to discipline for violating the terms of this Exhibit A and/or HIPAA, HITECH and the HIPAA regulations; 3.4 Employ appropriate and sufficient administrative, physical and technical safeguards with respect to electronic PHI in compliance with applicable federal and state laws and regulations; 3.5 Designate which of Business Associate's employees shall have access to PHI however maintained; 3.6 If required under 45 C.F.R. § 164.528, maintain an accounting of all disclosures of PHI made and allowed under this Exhibit A in order to assist the Covered Entity in its obligations to provide an accounting of disclosures; 3.7 Provide requested information to the Secretary as required during any compliance review, risk analysis, or investigation; 3.8 As provided in this Exhibit A, report to Covered Entity any breach of confidentiality, a security incident, or a disclosure not allowed under this Agreement; 3.9 To the extent practicable, within thirty (30) days of a known compliance violation, mitigate any harmful effect that is known by Business Associate to be in violation of the requirements of HIPAA, HITECH, HIPAA regulations, and this Exhibit A; 3.10 Be liable for non-compliance of HIPAA, HITECH, and HIPAA regulations and, consequently, be subject to audits, compliance reviews, enforcement actions by HHS, and fines; 3.11 In the event of receipt of a subpoena, court order, or other demand for production of PHI, including, but not limited to, a demand from HHS, immediately inform Covered Entity and shall only provide the minimum necessary to satisfy the demand.

Appears in 1 contract

Samples: Oha Data Program Agreement

Business Associate Obligations. In performance of those Services, Business Associate shall: 3.1 Not use or disclose PHI other than as permitted or required by the Agreement, including all Exhibits or Attachments thereto, as necessary for the proper management and administration of Business Associate's business, or as required by applicable law; 3.2 Have in place documented policies and procedures for compliance with HIPAA, HITECH, and HIPAA regulations, as well as this Exhibit A; 3.3 On an on-going basis provide training for its employees pertaining to this Exhibit A and the obligations thereunder, including educating such employees that they may be subject to discipline for violating the terms of this Exhibit A and/or HIPAA, HITECH and the HIPAA regulations; 3.4 Employ appropriate and sufficient administrative, physical and technical safeguards with respect to electronic PHI in compliance with applicable federal and state laws and regulations; 3.5 Designate which of Business Associate's employees shall have access to PHI however maintained; 3.6 If required under 45 C.F.R. § 164.528, maintain an accounting of all disclosures of PHI made and allowed under this Exhibit A in order to assist the Covered Entity in its obligations to provide an accounting of disclosures; 3.7 Provide requested information to the Secretary as required during any compliance review, risk analysis, or investigation; 3.8 As provided in this Exhibit A, report to Covered Entity any breach of confidentiality, a security incident, or a disclosure not allowed under this Agreement; 3.9 To the extent practicable, within thirty (30) days of a known compliance violation, mitigate any harmful effect that is known by Business Associate to be in violation of the requirements of HIPAA, HITECH, HIPAA regulations, and this Exhibit A; 3.10 Be liable for non-compliance of HIPAA, HITECH, and HIPAA regulations and, consequently, be subject to audits, compliance reviews, enforcement actions by HHS, and fines; 3.11 In the event of receipt of a subpoena, court order, or other demand for production of PHI, including, but not limited to, a demand from HHS, immediately inform OHA and shall only provide the minimum necessary to satisfy the demand.

Appears in 1 contract

Samples: Oha Data Program Agreement

Business Associate Obligations. 1.1 Business Associate may receive from Provider, or create or receive on behalf of Provider, health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI. All capitalized terms not otherwise defined in this Agreement shall have the meanings set forth in the HIPAA Regulations, as applicable, and all references to PHI herein shall be construed to include EPHI. Notwithstanding the foregoing, any reference to PHI is limited when used herein to the PHI created or received by Business Associate from or on behalf of Provider. Business Associate shall use appropriate safeguards, and comply, where applicable, with the Security Standards with respect to EPHI, to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement. Business Associate agrees not to use or disclose PHI in a manner that would violate the requirements of the HIPAA Regulations if the PHI were used or disclosed by Provider in the same manner, except as otherwise set forth herein. Business Associate shall, to the extent that Business Associate is to carry out one or more of Provider’s obligations under the HIPAA Regulations, comply with the requirements of the HIPAA Regulations that apply to Provider in the performance of such obligations. 1.2 Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, or transmits on behalf of Provider. Business Associate agrees to the following reporting procedures for Security Incidents that result in unauthorized access, use, disclosure, modification, or destruction of EPHI or interference with system operations (“Successful Security Incidents”) and for Security Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of EPHI or interference with system operations (“Unsuccessful Security Incidents”). Business Associate will promptly report to Provider any Successful Security Incident of which it becomes aware. To avoid unnecessary burden on either party, Business Associate shall report to Provider any Unsuccessful Security Incident of which it becomes aware only upon request of Provider. The frequency, content, and format of the report of Unsuccessful Security Incidents shall be mutually agreed upon by the parties. 1.3 In the event that Business Associate discovers, as determined in accordance with 45 C.F.R. § 164.410, that a Breach of Unsecured PHI of Provider has occurred, Business Associate shall notify Provider of the identification of each individual who has been or is reasonably believed to have been affected by the Breach, along with any other information that Provider as a Covered Entity will be required to include in its notification of the individual under the HITECH Act or its implementing regulations, if known.

Appears in 1 contract

Samples: Business Associate Agreement
