Common use of Disclosure of PHI Clause in Contracts

Disclosure of PHI. Subject to any limitations in this Agreement, Business Associate may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Business Arrangement and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) such disclosures are required by law, or (ii) Business Associate: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third party; (b) requires the third party to agree to immediately notify Business Associate of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate shall ensure that all disclosures of PHI by Business Associate and the third party comply with the principle of “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets. If Business Associate discloses PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agents, including a subcontractor (collectively, “Recipients”), Business Associate shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business Associate under this Agreement. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within three (3) business days of the Business Associate becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 9, Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipients, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this Agreement.

Disclosure of PHI. Subject to any limitations in this BA Agreement, Business Associate Distributor may disclose PHI PHI. to any third party persons or entities as necessary to perform its obligations under the Business Arrangement and as permitted or required by applicable federal or state law. Further, Business Associate Distributor may disclose PHI for the proper management and administration of the Business AssociateDistributor, provided that (i) such disclosures are required by law, or (ii) Business AssociateDistributor: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third party; (b) requires the third party to agree to immediately notify Business Associate Distributor of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate Distributor shall ensure that all disclosures of PHI by Business Associate Distributor and the third party comply with the principle of “"minimum necessary use and disclosure,” " i.e., only the minimum PHI PH1 that is necessary to accomplish the intended purpose may be disclosed; : provided further, Business Associate Distributor shall comply with Section 13405(bl 3405(b) of the HITECH Act, and any regulations regulation s or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets. If Business Associate Distributor discloses PHI received from Covered EntityAtossa, or created or received by Business Associate Distributor on behalf of Covered EntityAtossa, to agents, including a subcontractor sub distributor (collectively, “"Recipients”"), Business Associate Distributor shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business Associate Distributor under this Agreement. Business Associate Distributor shall report to Covered Entity Atossa any use or disclosure of PHI PH1 not permitted by this Agreement, of which it becomes aware, such report to be made within three two (32) business days of the Business Associate Distributor becoming aware of such use or disclosure. In addition to Business Associate’s Distributor's obligations under Section 9, Business Associate Distributor agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity Atossa in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipientswriting, any harmful effect that is known to Business Associate Distributor and is the result of a use or disclosure of PHI by Business Associate Distributor or Recipients in violation of this Agreement.

Disclosure of PHI. Subject to any limitations in this Agreement, Business Associate may disclose PHI to any third party persons or entities as necessary to ------------------- perform its obligations under the Professional Business Arrangement Management Agreement and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) Business Associate shall in such disclosures are required by law, or (ii) Business Associatecase: (a) obtains obtain reasonable assurances from any third party person to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third partyperson or entity; (b) requires the third party to agree to immediately notify Business Associate Health Care Provider of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement Addendum or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate shall ensure Privacy Standards or the Security Standards; and (c) obtain reasonable assurances that all disclosures of PHI by Business Associate and the third party comply with are subject to the principle of “"minimum necessary use and disclosure,” " i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further. In addition, Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued may disclose PHI as required by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Setslaw. If Business Associate discloses PHI received from Covered EntityHealth Care Provider, or created or received by Business Associate on behalf of Covered EntityHealth Care Provider, to agents, including a subcontractor (collectively, “"Recipients”"), Business Associate shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business Associate under this AgreementAddendum. Business Associate shall report to Covered Entity Health Care Provider any use or disclosure of PHI not permitted by this AgreementAddendum, of which it becomes aware, such report to be made within three five (35) business days of the Business Associate becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 9, Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity Health Care Provider in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipientswriting, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this AgreementAddendum.

Disclosure of PHI. Subject to any limitations in this Agreement, Business Associate ASSOCIATE may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Business Arrangement with Authority and as permitted or required by applicable federal or state law. Further, Business Associate ASSOCIATE may disclose PHI for the proper management and administration of the Business AssociateASSOCIATE, provided that that: (i) such disclosures are required by law, ; or (ii) Business AssociateASSOCIATE: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third party; (b) requires the third party to agree to immediately notify Business Associate ASSOCIATE of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate shall ensure Privacy Standards; and (c) ensures that all disclosures of PHI by Business Associate ASSOCIATE and the third party comply with the principle of “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets. If Business Associate ASSOCIATE discloses PHI received from Covered EntityAuthority, or created or received by Business Associate ASSOCIATE on behalf of Covered EntityAuthority, to agents, including a subcontractor (collectively, “Recipients”), Business Associate ASSOCIATE shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business Associate ASSOCIATE under this Agreement. Business Associate To the extent permitted by law, ASSOCIATE shall be fully liable to Authority for any acts, failures or omissions of Recipients in furnishing the services as if they were ASSOCIATE’s own acts, failures or omissions. ASSOCIATE shall report to Covered Entity Authority any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within three five (35) business days of the Business Associate ASSOCIATE becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 9, Business Associate ASSOCIATE agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity Authority in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipientswriting, any harmful effect that is known to Business Associate ASSOCIATE and is the result of a use or disclosure of PHI by Business Associate ASSOCIATE or Recipients in violation of this Agreement.

Disclosure of PHI. Subject to any limitations in this Agreement, Business Associate may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Business Arrangement and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) Business Associate shall in such disclosures are required by law, or (ii) Business Associatecase: (a) obtains obtain reasonable assurances from any third party person to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third partyperson or entity; (b) requires the third party to agree to immediately notify Business Associate Facility of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate shall Privacy Standards; and (c) ensure that all disclosures of PHI by Business Associate and the third party comply with are subject to the principle of “minimum necessary use and disclosure,” i.e., . “i.e. only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets. If Business Associate discloses PHI received from Covered EntityFacility, or created or received by Business Associate on behalf of Covered EntityFacility, to agents, including a subcontractor (collectively, “Recipients”), Business Associate shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business business Associate under this Agreement. To the extent permitted by law, Business Associate shall be fully liable to Facility for any acts, failures or omissions of Recipients in furnishing the services as if they were the Business Associate’s own acts, failures or omissions. Business Associate shall report to Covered Entity Facility any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within three five (35) business days of the Business Associate becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 9, Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity Facility in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipientswriting, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this the Agreement.

Disclosure of PHI. Subject to any limitations in this Agreement, Business Associate ASSOCIATE may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Business Arrangement with SGMC and as permitted or required by applicable federal or state law. Further, Business Associate ASSOCIATE may disclose PHI for the proper management and administration of the Business AssociateASSOCIATE, provided that that: (i) such disclosures are required by law, ; or (ii) Business AssociateASSOCIATE: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third party; (b) requires the third party to agree to immediately notify Business Associate ASSOCIATE of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate shall ensure Privacy Standards; and (c) ensures that all disclosures of PHI by Business Associate ASSOCIATE and the third party comply with the principle of “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets. If Business Associate ASSOCIATE discloses PHI received from Covered EntitySGMC, or created or received by Business Associate ASSOCIATE on behalf of Covered EntitySGMC, to agents, including a subcontractor (collectively, “Recipients”), Business Associate ASSOCIATE shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business Associate ASSOCIATE under this Agreement. Business Associate To the extent permitted by law, ASSOCIATE shall be fully liable to SGMC for any acts, failures or omissions of Recipients in furnishing the services as if they were ASSOCIATE’s own acts, failures or omissions. ASSOCIATE shall report to Covered Entity SGMC any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within three five (35) business days of the Business Associate ASSOCIATE becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 9, Business Associate ASSOCIATE agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity SGMC in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipientswriting, any harmful effect that is known to Business Associate ASSOCIATE and is the result of a use or disclosure of PHI by Business Associate ASSOCIATE or Recipients in violation of this Agreement.

Disclosure of PHI. Subject to any limitations in this Agreement, Business Associate may disclose PHI to any third third-party persons or entities as necessary to perform its obligations under the Business Arrangement Arrangements and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided either that (i) such disclosures are required by law, or (ii) Business Associate: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidential confidentially and further used and disclosed only as required by law or for the purpose purposes for which it was disclosed to the third party; (b) requires the third party to agree to immediately notify Business Associate of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate shall ensure Privacy Standards; and (c) ensures that all disclosures of PHI by Business Associate and the third party comply with the principle of “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, . Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets. If Business Associate discloses may disclose PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agents, including a subcontractor (collectively, “Recipients”), Business Associate shall require ) and may allow Recipients to create or receive PHI on its behalf only if Recipients agree in writing to the same restrictions and conditions that apply to the Business Associate under this Agreement. Business Associate shall report to Covered Entity any use or disclosure of PHI , including, but not permitted by this Agreementlimited to, of which it becomes aware, such report to be made within three the requirement that the Recipients will: (3i) business days comply with all requirements of the Business Associate becoming aware of such use or disclosure. In addition Privacy and Security Standards that apply to the Business Associate’s obligations under Section 9, Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipients, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this Agreement.,

Disclosure of PHI. Subject to any limitations in this Agreement, Business Associate may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Business Arrangement Arrangements and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided either that (i) such disclosures are required by law, or (ii) Business Associate: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidential confidentially and further used and disclosed only as required by law or for the purpose purposes for which it was disclosed to the third party; (b) requires the third party to agree to immediately notify Business Associate of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate shall ensure Privacy Standards; and (c) ensures that all disclosures of PHI by Business Associate and the third party comply with the principle of “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, . Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets. If Business Associate discloses may disclose PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agents, including a subcontractor (collectively, “Recipients”), Business Associate shall require ) and may allow Recipients to create or receive PHI on its behalf only if Recipients agree in writing to the same restrictions and conditions that apply to the Business Associate under this Agreement, including, but not limited to, the requirement that the Recipients will: (i) comply with all requirements of the Privacy and Security Standards that apply to the Business Associate, (ii) appropriately safeguard all PHI that is either created or received, and (iii) comply with the Breach notification and mitigation requirements under this Agreement. To the extent permitted by law, Business Associate shall be fully liable to Covered Entity for any acts, failures or omissions of Recipients in furnishing the services as if they were the Business Associate’s own acts, failures or omissions. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within three five (35) business calendar days of the Business Associate becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 9, Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipientswriting, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this Agreement.

Disclosure of PHI. Subject to any limitations in this BA Agreement, Business Associate Contractor may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Business Arrangement and as permitted or required by applicable federal or state law. Further, Business Associate Contractor may disclose PHI for the proper management and administration of the Business AssociateContractor, provided that (i) such disclosures are required by law, or (ii) Business AssociateContractor: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third party; (b) requires the third party to agree to immediately notify Business Associate Contractor of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate Contractor shall ensure that all disclosures of PHI by Business Associate Contractor and the third party comply with the principle of “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, Business Associate Contractor shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets. If Business Associate Contractor discloses PHI received from Covered EntityNRLBH, or created or received by Business Associate Contractor on behalf of Covered EntityNRLBH, to agents, including a subcontractor sub-Contractor (collectively, “Recipients”), Business Associate Contractor shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business Associate Contractor under this Agreement. Business Associate Contractor shall report to Covered Entity NRLBH any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within three two (32) business days of the Business Associate Contractor becoming aware of such use or disclosure. In addition to Business AssociateContractor’s obligations under Section 9, Business Associate Contractor agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity NRLBH in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipientswriting, any harmful effect that is known to Business Associate Contractor and is the result of a use or disclosure of PHI by Business Associate Contractor or Recipients in violation of this Agreement. CONFIDENTIAL TREATMENT REQUESTED BY ATOSSA GENETICS INC.

Disclosure of PHI. Subject to any limitations in this Agreement, Business Associate may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Business Arrangement and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) such disclosures are required by law, or (ii) Business Associate: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third party; (b) requires the third party to agree to immediately notify Business Associate of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate shall ensure that all disclosures of PHI by Business Associate and the third party comply with the principle of “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets. If Business Associate discloses PHI received from Covered EntityFacility, or created or received by Business Associate on behalf of Covered EntityFacility, to agents, including a subcontractor (collectively, “Recipients”), Business Associate shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business Associate under this Agreement. Business Associate shall report to Covered Entity Facility any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within three (3) business days of the Business Associate becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 9, Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity Facility in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipientswriting, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this Agreement.

Disclosure of PHI. Subject to any limitations in this Agreement, Business Associate may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Business Arrangement Arrangements and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided either that (i) such disclosures are required by law, or (ii) Business Associate: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidential confidentially and further used and disclosed only as required by law or for the purpose purposes for which it was disclosed to the third party; (b) requires the third party to agree to immediately notify Business Associate of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate shall ensure Privacy Standards; and (c) ensures that all disclosures of PHI by Business Associate and the third party comply with the principle of “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, . Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets. If Business Associate discloses may disclose PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agents, including a subcontractor (collectively, “Recipients”), Business Associate shall require ) and may allow Recipients to create or receive PHI on its behalf only if Recipients agree in writing to the same restrictions and conditions that apply to the Business Associate under this Agreement, including, but not limited to, the requirement that the Recipients will: (i) comply with all requirements of the Privacy and Security Standards that apply to the Business Associate, (ii) appropriately safeguard all PHI that is either created or received, and (iii) comply with the Breach notification and mitigation requirements under this Agreement. To the extent permitted by law, Business Associate shall be fully liable to Covered Entity for any acts, failures or omissions of Recipients in furnishing the services as if they were the Business Associate’s own acts, failures or omissions. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within three two (32) business days of the Business Associate becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 9, Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipientswriting, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this Agreement.

Disclosure of PHI. Subject to any limitations in this Agreement, Business Associate may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Professional Business Arrangement Management Agreement and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) Business Associate shall in such disclosures are required by law, or (ii) Business Associatecase: (a) obtains obtain reasonable assurances from any third party person to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third partyperson or entity; (b) requires the third party to agree to immediately notify Business Associate Health Care Provider of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement Addendum or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, Business Associate shall ensure Privacy Standards or the Security Standards; and (c) obtain reasonable assurances that all disclosures of PHI by Business Associate and the third party comply with are subject to the principle of “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further. In addition, Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued may disclose PHI as required by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Setslaw. If Business Associate discloses PHI received from Covered EntityHealth Care Provider, or created or received by Business Associate on behalf of Covered EntityHealth Care Provider, to agents, including a subcontractor (collectively, “Recipients”), Business Associate shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business Associate under this AgreementAddendum. Business Associate shall report to Covered Entity Health Care Provider any use or disclosure of PHI not permitted by this AgreementAddendum, of which it becomes aware, such report to be made within three five (35) business days of the Business Associate becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 9, Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity Health Care Provider in writing or as directed by or as a result of a request by Covered Entity to disclose to Recipientswriting, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this AgreementAddendum.