Common use of Compliance with the HIPAA Privacy Rule Clause in Contracts

Compliance with the HIPAA Privacy Rule. If You are a NHE (but not to the extent that You are acting as an entity entitled to make a Government Benefits Determination under Applicable Law, a Public Health Authority, or a Government Health Care Entity or any other type of entity exempted from compliance with this Section in an applicable SOP), then You shall comply with the provisions of the HIPAA Privacy Rule listed below with respect to all Individually Identifiable information as if such information is Protected Health Information and You are a Covered Entity. 7.1.1 From 45 CFR § 164.502, General Rules: • Subsection (a)(1) – Dealing with permitted Uses and Disclosures, but only to the extent You are authorized to engage in the activities described in this subsection of the HIPAA Privacy Rule for the applicable XP. • Subsection (a)(2)(i) – Requiring Disclosures to Individuals • Subsection (a)(5) – Dealing with prohibited Uses and Disclosures • Subsection (b) – Dealing with the minimum necessary standard • Subsection (c) – Dealing with agreed-upon restrictions • Subsection (d) – Dealing with de-identification and re-identification of information • Subsection (e) – Dealing with Business Associate contracts • Subsection (f) – Dealing with deceased persons’ information • Subsection (g) – Dealing with personal representatives • Subsection (h) – Dealing with confidential communications • Subsection (i) – Dealing with Uses and Disclosures consistent with notice • Subsection (j) – Dealing with Disclosures by whistleblowers

Compliance with the HIPAA Privacy Rule. If You are a NHE (but not to the extent that You are acting as an entity entitled to make a Government Benefits Determination under Applicable Law, a Public Health Authority, or a Government Health Care Entity or any other type of entity exempted from compliance with this Section in an applicable SOP), then You shall comply with the provisions of the HIPAA Privacy Rule listed below with respect to all Individually Identifiable information as if such information is Protected Health Information and You are a Covered Entity. 7.1.1 From 45 CFR § 164.502, General Rules: • Subsection (a)(1) – Dealing with permitted Uses and Disclosures, but only to the extent You are authorized to engage in the activities described in this subsection of the HIPAA Privacy Rule for the applicable XP. • Subsection (a)(2)(i) – Requiring Disclosures to Individuals • Subsection (a)(5) – Dealing with prohibited Uses and Disclosures • Subsection (b) – Dealing with the minimum necessary standard • Subsection (c) – Dealing with agreed-upon restrictions • Subsection (d) – Dealing with de-identification and re-identification of information • Subsection (e) – Dealing with Business Associate contracts • Subsection (f) – Dealing with deceased persons’ information • Subsection (g) – Dealing with personal representatives • Subsection (h) – Dealing with confidential communications • Subsection (i) – Dealing with Uses and Disclosures consistent with notice • Subsection (j) – Dealing with Disclosures by whistleblowers

Compliance with the HIPAA Privacy Rule. If You are Participant or Subparticipant is a NHE (but not to the extent that You are it is acting as an entity entitled to make a Government Benefits Determination under Applicable Law, a Public Health Authority, or a Government Health Care Entity or any other type of entity exempted from compliance with this Section in an applicable SOPEntity), then You it shall comply with the provisions of the HIPAA Privacy Rule listed below with respect to all Individually Identifiable information that Participant or Subparticipant reasonably believes is TI as if such information is Protected Health Information and You are Participant is a Covered Entity. Such compliance shall be consistent with Section 9 and enforced as part of its obligations pursuant to this Amendment. 7.1.1 From 45 CFR § 164.502, General Rules: •  Subsection (a)(1) – Dealing with permitted Uses and Disclosures, but only to the extent You are Participant or Subparticipant is authorized to engage in the activities described in this subsection of the HIPAA Privacy Rule for the applicable XPExchange Purpose. •  Subsection (a)(2)(i) – Requiring Disclosures to Individuals •  Subsection (a)(3) – Business Associates  Subsection (a)(5) – Dealing with prohibited Uses and Disclosures •  Subsection (b) – Dealing with the minimum necessary Minimum Necessary standard •  Subsection (c) – Dealing with agreed-upon restrictions •  Subsection (d) – Dealing with de-identification deidentification and re-identification of information •  Subsection (e) – Dealing with Business Associate contracts •  Subsection (f) – Dealing with deceased persons’ information •  Subsection (g) – Dealing with personal representatives •  Subsection (h) – Dealing with confidential communications •  Subsection (i) – Dealing with Uses and Disclosures consistent with notice •  Subsection (j) – Dealing with Disclosures by whistleblowers

Compliance with the HIPAA Privacy Rule. If You are Participant is a NHE (but not to the extent that You are it is acting as an entity entitled to make a Government Benefits Determination under Applicable Law, a Public Health Authority, or a Government Health Care Entity or any other type of entity exempted from compliance with this Section in an applicable SOPEntity), then You it shall comply with the provisions of the HIPAA Privacy Rule listed below with respect to all Individually Identifiable information that Participant reasonably believes is TI as if such information is Protected Health Information and You are Participant is a Covered Entity. Such compliance shall be consistent with Section 4 of these TEFCA Terms. 7.1.1 11.1.1 From 45 CFR § 164.502, General Rules: • Subsection (a)(1) – Dealing with permitted Uses and Disclosures, but only to the extent You are Participant is authorized to engage in the activities described in this subsection of the HIPAA Privacy Rule for the applicable XPExchange Purpose. • Subsection (a)(2)(i) – Requiring Disclosures to Individuals • Subsection (a)(3) – Business Associates • Subsection (a)(5) – Dealing with prohibited Uses and Disclosures • Subsection (b) – Dealing with the minimum necessary standard • Subsection (c) – Dealing with agreed-upon restrictions • Subsection (d) – Dealing with de-identification deidentification and re-identification of information • Subsection (e) – Dealing with Business Associate contracts • Subsection (f) – Dealing with deceased persons’ information • Subsection (g) – Dealing with personal representatives • Subsection (h) – Dealing with confidential communications • Subsection (i) – Dealing with Uses and Disclosures consistent with notice • Subsection (j) – Dealing with Disclosures by whistleblowers