Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to AANI’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) XXXX agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.
(b) XXXX agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, XXXX further agrees to:
(i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a);
(ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(iii) report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to AANI and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by AANI to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
Appears in 1 contract
Samples: Registry Participation Agreement
Business Associate Obligations. The obligations set out in this Section 3.1 apply with respect to XXXX’s Use or Disclosure of PHI, other than Limited Data Set Information.
3.1 ASAM agrees not to Use or Disclose PHI other than as permitted or required by this Agreement or as Required By Xxx and agrees to maintain the security and privacy of all PHI in a manner consistent with all applicable laws.
3.2 ASAM agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing, XXXX further agrees to:
(a) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.308; 164.310; and 164.312;
(b) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(c) report promptly, but in no case later than five (5) business days after discovery (as defined by 45 CFR 164.410(a)), to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to ASAM and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Subsection 3.2(c) constitutes notice by ASAM to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of PHI.
Appears in 1 contract
Samples: Business Associate Agreement
Business Associate Obligations. Business Associate shall, in providing items or services pursuant to the Principal Agreement, appropriately safeguard all PHI that Business Associate accesses, maintains, retains, modifies, records, stores, or otherwise holds, uses, or discloses (collectively “uses or discloses”). In particular, Business Associate shall:
2.1 Use or disclose PHI only if and to the extent required to perform functions or activities for or on behalf of Covered Entity under the Principal Agreement, permitted pursuant to Section 3 below, or Required By Law. In all cases, Business Associate’s use and disclosure shall comply with applicable provisions of the PSRs, including without limitation HITECH’s minimum necessary requirements, mandate to agree to certain requested restrictions on disclosure, and imposition of restrictions on marketing and fundraising activities in addition to those described in HIPAA.
2.2 Ensure that any subcontractor or other third party (other than a Government Official) to whom it provides PHI agrees in writing to the same restrictions and conditions that apply to Business Associate with respect to such information, including without limitation implementation of reasonable and appropriate safeguards to protect it. Business Associate shall retain such writing for no fewer than six (6) years, or such longer time as may be required by applicable state law, after the conclusion of Business Associate’s relationship with such third party.
(a) XXXX agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law 2.3 Implement and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.
(b) XXXX agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, safeguards to prevent Use use or Disclosure disclosure of PHI other than as provided for by this BAA/DUAAddendum. Without limiting the generality of the foregoingSuch safeguards shall include, XXXX further agrees to:
(i) implement Administrativewithout limitation, Physicaladministrative, physical, and Technical Safeguards technical safeguards that reasonably and appropriately protect the Confidentialityconfidentiality, Integrityintegrity, and Availability availability of the Electronic PHI and electronic PHI (“ePHI”) that it Business Associate creates, receives, maintains, or transmits on behalf of Participant the Covered Entity as required by the PSRs. Business Associate expressly agrees to comply with 45 CFR 164.314(a§§ 164.308, 164.310, 164.312, and 164.316 in connection with the creation, receipt, maintenance, or transmission of electronic PHI (“ePHI”) for or on behalf of Covered Entity.
2.4 Business Associate acknowledges that Covered Entity is or may be a “creditor” with “covered accounts” under the “Red Flag Rules” issued by the Federal Trade Commission (“FTC”), under the Fair and Accurate Credit Transactions Act of 2003 at 16 CFR part 681. Business Associate represents and warrants that it has implemented policies and procedures consistent with FTC recommendations to detect Red Flags as defined by FTC, and shall promptly report any such identified Red Flags to Covered Entity and, as appropriate, to law enforcement officials.
(iii) 2.5 Promptly report promptly, but in no case later than five (5) business days after Discovery, to the Participant Covered Entity any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to AANI and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by AANI to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI not provided for by this Addendum, and any security incident (as defined at 45 CFR § 164.304) of which Business Associate becomes aware; provided, however, that any security incidents that are not breaches of unsecured PHI (as defined at 45 CFR § 164.402) and that do not, to the best of Business Associate’s knowledge, information, and belief, result in any use or disclosure of ePHI in violation of this Addendum, may be reported in aggregate on at least a quarterly basis. In the event of a breach of unsecured PHI, Business Associate shall notify Covered Entity promptly without unreasonable delay, and in any event within sixty (60) days, of its discovery of such breach, the identification of each Individual whose unsecured PHI was or is reasonably believed to have been accessed, acquired, or disclosed during such breach. Business Associate shall fully cooperate with Covered Entity’s review, investigation, and response to any such alleged security incident or breach.
Appears in 1 contract
Samples: Business Associate Addendum
Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to AANI’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) AANI agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.
(b) AANI agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, AANI further agrees to:
(i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a);
(ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(iii) report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to AANI and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by AANI to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
(c) AANI agrees to report promptly, but in no case later than five (5) business days after Discovery, to Participant any Use or Disclosure of PHI which is not authorized by this BAA/DUA of which AANI becomes aware.
(d) AANI agrees to ensure that any Subcontractor that creates, receives, maintains, or transmits PHI, on behalf of AANI, will agree in writing to comply with the same restrictions and conditions with respect to such information that apply through this BAA/DUA to AANI. For the purposes of this BAA/DUA, all PHI provided at AANI’s direction to a Subcontractor of AANI will be deemed to have been provided to AANI.
(e) If PHI provided to AANI, or to which AANI otherwise has access, constitutes a Designated Record Set, AANI agrees to provide Participant with timely access to such PHI, upon reasonable advance notice and during regular business hours, or, at Participant’s request, to provide an Individual with access to his or her PHI in order to meet the requirements under 45 CFR 164.524 concerning access of Individuals to Protected Health Information. In the event an Individual contacts AANI or its Subcontractor directly about gaining access to his or her PHI, AANI will not provide such access but rather will forward such request to Participant within three (3) business days of such contact, unless otherwise required by law.
(f) If PHI provided to AANI, or to which AANI otherwise has access, constitutes a Designated Record Set, AANI agrees to make timely amendment(s) to such PHI as Participant may direct or agree to pursuant to 45 CFR 164.526. In the event an Individual contacts AANI or its Subcontractor directly about making amendments to his or her PHI, AANI will not make such amendments, but rather will promptly forward such request to Participant, unless otherwise required by law.
(g) AANI agrees to make internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary of the United States Department of Health and Human Services, during regular business hours, for purposes of the Secretary’s determining compliance with the HIPAA Regulations.
(h) AANI agrees to document Disclosures of PHI and information related to such Disclosures as would be required for Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. In addition, AANI agrees to provide promptly to Participant or an Individual, upon Participant’s reasonable request, information collected in accordance with this Subsection 3.1(h) in order to permit Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. Notwithstanding the foregoing, this Subsection 3.1(h) will not apply with respect to Disclosures made to carry out Participant’s Health Care Operations or the Disclosure of Limited Data Set Information, in accordance with the exceptions to 45 CFR 164.528 as set forth in the HIPAA Regulations, provided that this exception shall not apply to Disclosures of PHI through an electronic health record.
(i) AANI shall mitigate, to the extent practicable, any adverse effects from any improper
Appears in 1 contract
Samples: Registry Participation Agreement
Business Associate Obligations. Business Associate agrees to:
(a) XXXX agrees not use and/or further disclose PHI except as necessary to Use or Disclose PHI other than provide the Services, as permitted or required by this BAA/DUA , and in compliance with each applicable requirement of 45 C.F.R. § 164.504(e), or as otherwise Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.by Law;
(b) XXXX agrees to use appropriate safeguardsthe extent Business Associate is to carry out Covered Entity’s obligations under the Privacy Rule, and Business Associate will comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality requirements of the foregoingPrivacy Rule that apply to Covered Entity in the performance of those obligations;
(c) without unreasonable delay, report to Covered Entity:
(i) implement Administrativeany use or disclosure of PHI not provided for by this BAA of which it becomes aware in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(C), Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a);and/or
(ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(iii) report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to AANI and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breachwhich Business Associate becomes aware in accordance with 45 C.F.R. § 164.314(a)(2)(i)(C); provided however, that the Parties The parties acknowledge and agree that this Section b(iii) constitutes notice by AANI Business Associate to Participant Covered Entity of the ongoing existence and occurrence or attempts of attempted but Unsuccessful Security Incidents (as defined herein) for which no additional notice to Participant Covered Entity shall be required. “Unsuccessful Security Incidents” meansshall include, without limitationbut not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denial denials of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Covered Entity's Electronic PHI.
(d) in the event of a Breach, and without unreasonable delay, and in any event no later than sixty (60) calendar days after Discovery, Business Associate shall provide Covered Entity with written notification in accordance with 45 C.F.R. § 164.410;
(e) implement and use appropriate administrative, physical and technical safeguards with respect to PHI, and comply with applicable Security Rule requirements with respect to ePHI, to reasonably and appropriately protect the confidentiality, integrity and availability of PHI and EPHI
(f) in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), ensure that any subcontractors of Business Associate that create, receive, maintain or transmit PHI on behalf of Business Associate agree, in writing, to restrictions and conditions on the use and/or disclosure of PHI that are no less restrictive than those that apply to Business Associate with respect to that PHI, including complying with the applicable Security Rule requirements with respect to ePHI;
Appears in 1 contract
Samples: Business Associate Agreement
Business Associate Obligations. To the Agreement, add the following provisions in the section describing the Business Associate’s obligations:
2.1 Business Associate shall develop, other than Limited Data Set Information.
(a) XXXX agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law implement, maintain, and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.
(b) XXXX agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, safeguards to prevent Use any use or Disclosure disclosure of the PHI or EPHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, XXXX further agrees to:
(i) implement Administrative, PhysicalAgreement, and Technical Safeguards that reasonably to implement administrative, physical, and appropriately technical safeguards as required by sections 164.308, 164.310, 164.312 and 164.316 of title 45, Code of Federal Regulations and HITECH to protect the Confidentialityconfidentiality, Integrityintegrity, and Availability availability of the Electronic EPHI or PHI that it Business Associate creates, receives, maintains, or transmits on behalf transmits, in the same manner that such sections apply to the Covered Entity. See HITECH § 13401.
2.2 The additional requirements of Title XIII of HITECH that relate to privacy and security and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference hereby incorporated into this Agreement. See HITECH § 13401.
2.3 Business Associate agrees to adopt the technology and methodology standards required in any guidance issued by the Secretary pursuant to HITECH §§ 13401-13402.
2.4 Business Associate agrees to mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement and to notify Covered Entity of any breach of Unsecured PHI, as required under HITECH § 13402.
2.5 In the case of a breach of Unsecured PHI, Business Associate shall, promptly following the discovery of a breach of such information, notify Covered Entity of such breach. The notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during the breach.
2.6 Business Associate agrees to enter into an agreement with each of its subcontractors pursuant to 45 CFR § 164.308(b)(1) and HITECH § 13401 that is appropriate and sufficient to require each such subcontractor to protect PHI to the same extent required of Business Associate hereunder.
2.7 Within ten (10) days of notice by Covered Entity of a request for an accounting of disclosures of PHI, Business Associate and any agents or subcontractors shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under the Privacy Rule, including but not limited to 45 CFR §164.528. Except in the case of a direct request from an Individual for an accounting related to treatment, payment, or operations disclosures through an electronic health record, if the request for an accounting is delivered directly to Business Associate or its agents or subcontractors, if any, Business Associate shall within five (5) business days of a request notify Covered Entity about such request. Covered Entity shall either request that Business Associate provide such information directly to the Individual, or it shall request that the information be immediately forwarded to Covered Entity for compilation and distribution to such Individual. In the case of a direct request for an accounting from an Individual related to treatment, payment, or operations disclosures through electronic health records, Business Associate shall provide such accounting to the Individual in accordance with and effective on the applicable date set xxxxx xx XXXXXX § 00000(x). Business Associate shall not disclose any PHI unless such disclosure is Required by Law or is in accordance with this Agreement. Business Associate shall document such disclosures.
Notwithstanding anything in the Agreement to the contrary, Business Associate and any agents or subcontractors shall continue to maintain the information required for purposes of complying with this Section 2.7 for a period of six (6) years after termination of the Agreement.
2.8 Business Associate and its agents or subcontractors, if any, shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. Business Associate agrees to comply with the Secretary’s guidance on what constitutes “minimum necessary.” See HITECH § 13405.
2.9 If Business Associate knows of a pattern of activity or practice by Covered Entity that constitutes a material breach or violation of Covered Entity’s obligations under this Agreement, Business Associate will take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful within a period of 30 days, Business Associate will either: 1) terminate the Agreement, if feasible; or 2) report the problem to the Secretary. See HITECH § 13404(b).
Appears in 1 contract
Samples: Business Associate Agreement
Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to AANI’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) AANI agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.
(b) AANI agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, AANI further agrees to:
i. implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a);
ii. ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
iii. report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to AANI and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by AANI to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
Appears in 1 contract
Samples: Participation Agreement
Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to APA’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) APA agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with all applicable laws; provided that Participant will inform APA of any specific state laws that it believes are applicable to PHI submitted by Participant and would require APA to take compliance steps beyond those required under the HIPAA regulations.
(b) APA agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, APA further agrees to:
(i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.308, 164.310, and 164.312;
(ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(iii) report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to APA and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach of Unsecured PHI; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by APA to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of PHI.
Appears in 1 contract
Samples: Business Associate Agreement and Data Use Agreement
Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to APA’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) APA agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with all applicable laws; provided that Participant will inform APA of any specific state laws that it believes are applicable to PHI submitted by Participant and would require APA to take compliance steps beyond those required under the HIPAA regulations.
(b) APA agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, APA further agrees to:
(i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.308, 164.310, and 164.312;
(ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(iii) report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to APA and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach of Unsecured PHI; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by APA to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
Appears in 1 contract
Samples: Business Associate Agreement and Data Use Agreement