Common use of Obligations and Activities of Business Associate Clause in Contracts

Obligations and Activities of Business Associate. Business Associate agrees to: a. Not use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, or as required by law; b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAA; c. Report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, including breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with HIPAA and HIPAA Regulations.

Obligations and Activities of Business Associate. Business Associate agrees to: a. : Not use or disclose Protected Health Information PHI other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. ; Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information PHI other than as provided for by this BAA; c. Report the Agreement; Within twenty days, report to Covered Entity YOU any Use use or Disclosure disclosure of Protected Health Information PHI not provided for by this BAA the Agreement of which it becomes awareaware of, including breaches of Unsecured Protected Health Information unsecured PHI as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware; d. ; In accordance with 45 CFR 164.502(e)(1)(ii164.5029(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. ; Make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. ; Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. ; Maintain and make available the information required to provide an accounting Accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. ; To the extent the Business Associate is to carry out one or more of Covered Entity's ’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. and Make its internal practices, books, and records records, available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. 1. Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. 2. Use appropriate safeguards, and comply with Subpart C of 45 CFR CFR, Part 164 with respect to protected electronic Protected Health Information, health information and to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAA;Agreement. c. 3. Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at by 45 CFR 164.410, and any Security Incident security incident of which it becomes aware;. Business Associate agrees to promptly notify Covered Entity following the discovery of a Breach of unsecured PHI. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured PHI shall include the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Security Incident or Breach as well as any other relevant information regarding the Security Incident or Breach. d. 4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;. e. Make 5. Business Associate agrees to mitigate, to the extent possible, any harmful resulting from use or disclosure of PHI by Business Associate or its agents or subcontractors, in violation of the requirements of this Agreement. 6. Maintain and make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;. If an Individual makes a request for access to the protected health information directly to Business Associate, business associate shall notify covered entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual. f. 7. Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;. If an Individual makes a request for amendment to the protected health information directly to Business Associate, Business Associate shall notify Covered Entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual. g. 8. Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;. If an Individual makes a request for accounting of disclosures directly to Business Associate, Business Associate shall notify Covered Entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual. h. 9. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s’s obligations(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. 10. Make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. The Business Associate agrees to: a. Not use Use or disclose Disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, BAA or as required by lawRequired By Law; b. Use appropriate safeguards, and comply with Subpart C of 45 CFR C.F.R. Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAA; c. Report to the Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information as required at 45 CFR C.F.R. § 164.410, and any Security Incident of which it becomes awareaware in accordance with subsection 7, below; d. In accordance with 45 CFR C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy the Covered Entity’s obligations under 45 CFR C.F.R. §164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR C.F.R. §164.526, or take other measures as necessary to satisfy the Covered Entity’s obligations under 45 CFR C.F.R. § 164.526; g. Maintain and promptly make available available, as directed by the Covered Entity, the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered the Cover Entity’s obligations under 45 CFR C.F.R. § 164.528; h. Immediately (i.e., within 72 hours) forward any request that the Business Associate receives directly from an Individual who (1) seeks access to Protected Health Information held by the Business Associate pursuant to this BAA, (2) requests amendment of Protected Health Information held by the Business Associate pursuant to this BAA, or (3) requests an accounting of Disclosures, so that the Covered Entity can coordinate the response; i. To the extent the Business Associate is to carry out one or more of the Covered Entity's ’s obligation(s) under Subpart E of 45 CFR C.F.R. Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. j. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. 1. Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. 2. Use appropriate safeguards, and comply with Subpart C of 45 CFR CFR, Part 164 with respect to protected electronic Protected Health Information, health information and to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAA;Agreement. c. 3. Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at by 45 CFR 164.410, and any Security Incident security incident of which it becomes aware;. Business Associate agrees to promptly notify covered entity following the discovery of a Breach of unsecured PHI. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured PHI shall include the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Security Incident or Breach as well as any other relevant information regarding the Security Incident or Breach. d. 4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;. e. Make 5. Business Associate agrees to mitigate, to the extent possible, any harmful resulting from use or disclosure of PHI by Business Associate or its agents or subcontractors, in violation of the requirements of this Agreement. 6. Maintain and make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;. If an Individual makes a request for access to the protected health information directly to Business Associate, business associate shall notify covered entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual. f. 7. Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;. If an Individual makes a request for amendment to the protected health information directly to Business Associate, Business Associate shall notify Covered Entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual. g. 8. Maintain and make available the information required to provide to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;. If an Individual makes a request for accounting of disclosures directly to Business Associate, Business Associate shall notify Covered Entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual. h. 9. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s’s obligations(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. 10. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. 3.1 Business Associate agrees to: a. (a) Not use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by lawRequired By Law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use use or Disclosure disclosure of Protected Health Information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information not provided for by this BAA the Agreement of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware. For this purpose, a Breach is reportable to the Covered Entity without regard to whether, in Business Associate’s determination, any harm will result from the Breach; d. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. (e) Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, the Individual or the individualIndividual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), designee as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. (f) Make any amendment(s) to Protected Health Information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. If the Business Associate receives directly from the Individual a request to amend the Protected Health Information that is within the Business Associates’ control, the Business Associate shall make such amendments within 30 days of the written request to the extent such request is not inconsistent with the existing designated record sets (e.g., change of an Individual’s identifiers such as Date of Birth will be considered inconsistent.) Any inconsistent request will be forwarded to Covered Entity for Covered Entity’s determination of whether to amend the Individual’s record; g. (g) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528. If Business Associate receives a request for an accounting of disclosures directly from the Individual, Business Associate shall promptly forward that request to the Covered Entity and make available the requested records to Covered Entity within 30 days from the receipt; h. (h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. 3.2 The Parties acknowledge that probes and reconnaissance scans are commonplace in the industry and, as such, the Parties acknowledge and agree that, to the extent such probes and reconnaissance scans constitute Security Incidents, this section constitutes notice by Business Associate to the Covered Entity of the ongoing existence and occurrence of such Security Incidents for which no additional notice to the Covered Entity shall be required. Probes and reconnaissance scans include, without limitation, pings and other broadcast attacks on Business Associate’s 's firewall, port scans, and unsuccessful log-on attempts, as long as such probes and reconnaissance scans do not result in unauthorized access, use or Covered Entity’s compliance with HIPAA and HIPAA Regulationsdisclosure of Protected Health Information.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware; d. (d) Notwithstanding the requirements of 45 CFR 164.410, Business Associate shall notify Covered Entity of potential breaches within fifteen (15) calendar days of discovery and include Covered Entity’s designee in their breach determination process; (e) Business Associate shall report security incidents on a quarterly basis, unless the severity of the security incident elevates the risk to a potential breach, in which case paragraph (d) takes precedence; (f) Unless otherwise directed by Covered Entity, Business Associate shall be responsible for breach notifications to individuals, the HHS Office of Civil Rights (OCR), and the media, if applicable, on behalf of Covered Entity and shall include Covered Entity’s designee as part of the breach response team; (g) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. (h) Make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. (i) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. (j) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity Entity, or an individual if directed by Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. (k) Notify Covered Entity within five (5) business days of receipt of any request covered under paragraphs (h), (i) or (j) above; (l) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (m) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not to use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Underlying Agreement or as required by law; b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAA; c. Report (b) Make available protected health information in a designated record set to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, including breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. (c) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. (d) Maintain and make available the information required to provide an accounting of Disclosures to the disclosures Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To (e) Make its internal practices, books, and records relating to the use and disclosure of protected health information available to Covered Entity, DHCS, DMHC, or to the Secretary of the U.S. Department of Health and Human Services in a time and manner designated by the requestor for the purposes of determining compliance with the HIPAA Rules. (f) Assist in Litigation or Administrative Proceedings requirement that the Business Associate shall make itself and its employees, and use all due diligence to make any agents assisting Business Associate in the performance of its obligations under this Contract, available to Covered Entity, State, or Federal Agencies at no cost to Covered Entity or Agencies to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against Covered Entity, State, or Federal Agencies, its directors, officers or employees based upon claimed violation of HIPAA Rule or other laws relating to security and privacy, except where Business Associate or its agents, employee or agent is a named adverse party. (g) Comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s), to the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164; (h) Use appropriate safeguards and security to comply under Subpart C of 45 CFR Part 164 with respect to electronic protected health information, comply with to prevent use or disclosure of protected health information other than as provided for by the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s)Underlying Agreement; and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with HIPAA and HIPAA Regulations.

Obligations and Activities of Business Associate. Business Associate agrees toas follows: a. Not (a) not to use or further disclose Protected Health Information PHI other than as permitted or required by this BAA, the Agreement, Agreement or as required by lawRequired By Law; b. Use appropriate safeguards(b) to establish, maintain, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, use appropriate safeguards to prevent Use use or Disclosure disclosure of Protected Health Information the PHI other than as provided for by this BAApermitted herein; c. Report (c) to report to Covered Entity any Use use, access or Disclosure disclosure of Protected Health Information the PHI not provided for by this BAA Agreement, or any misuse of the PHI, including but not limited to systems compromises of which it becomes awareaware and to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result thereof. Business Associate shall be responsible for any and all costs (including breaches the costs of Unsecured Protected Health Information as required at 45 CFR 164.410Covered Entity) associated with mitigating or remedying any violation of this Agreement; (d) to enforce and maintain appropriate policies, procedures, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, access control mechanisms to ensure that any Subcontractors that createagent, receiveincluding a subcontractor, maintainto whom it provides PHI received from, or transmit Protected Health Information created or received by Business Associate on behalf of the Business Associate agree Covered Entity agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. The access and privileges granted to any such agent shall be the minimum necessary to perform the assigned functions; e. Make available Protected Health Information (e) to provide access, at the request of Covered Entity, and in the time and manner reasonable designated by Covered Entity, to PHI in a Designated Record Set (as defined in the Privacy Rule), to Covered Entity or or, as directed by Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR §164.524; f. Make (f) to make any amendment(s) to Protected Health Information PHI in a Designated Record Set as directed or agreed to by that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526§164.526 at the request of Covered Entity or an Individual, or take other measures as necessary to satisfy and in the time and manner reasonably requested by Covered Entity’s obligations under 45 CFR 164.526;. g. Maintain and (g) to make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner reasonably requested by Covered Entity or designated by the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity’s compliance with HIPAA the Privacy Rule. (h) to document such disclosures of PHI, and HIPAA Regulationsinformation related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528. Said documentation shall include, but not be limited to, the date of the disclosure, the name and, if known, the address of the recipient of the PHI, a brief description of the PHI disclosed, and the purpose of the disclosure. Said documentation shall be made available to Covered Entity upon request. (i) to provide to Covered Entity or an Individual, in a time and manner reasonably requested by Covered Entity, information collected in accordance with Section 2.1(h) above to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528. (j) to promptly notify Covered Entity of all actual or suspected instances of deliberate unauthorized attempts (both successful and unsuccessful) to access PHI. Such notice shall be made to Covered Entity by telephone as soon as Business Associate becomes aware of the unauthorized attempt, and this telephone notification shall be followed within two (2) calendar days of the discovery of the unauthorized attempt by a written report to Covered Entity from Business Associate. Business Associate shall, at the same time, report to Covered Entity any remedial action taken, or proposed to be taken, with respect to such unauthorized attempt. Covered Entity shall have the discretion to determine whether or not any such remedial action is sufficient, and all such remedial action shall be at Business Associate’s expense. (k) to maintain and enforce policies, procedures and processes to protect physical access to hardware, software and/or media containing PHI (e.g., hardcopy, tapes, removable media, etc. ) against unauthorized physical access during use, storage, transportation, disposition and /or destruction. (l) to ensure that access controls in place to protect PHI and processing resources from unauthorized access are controlled by two-factor identification and authentication: a user ID and a Token, Password or Biometrics. (m) to implement, use and monitor its compliance with appropriate technological, administrative and physical safeguards to prevent the use or disclosure of PHI other than as permitted by this Agreement. Business Associate shall provide Covered Entity with evidence of such safeguards upon Covered Entities request. Covered Entity has the right to determine, in its sole discretion, whether such safeguards are appropriate, and to require any additional safeguards it deems necessary. (n) In the event that Business Associate is served with legal process (e.g. a subpoena) or request from a governmental agency (e.g. the Secretary) that potentially could require the disclosure of PHI, Business Associate shall provide prompt (i.e., within twenty-four (24) hours) written notice of such legal process (including a copy of the legal process served) to the designated person at the Covered Entity. In addition, Business Associate shall not disclose the PHI without the consent of Covered Entity unless pursuant to a valid and specific court order or to comply with a requirement for review of documents by a governmental regulatory agency under its statutory or regulatory authority to regulate the activities of either party. (o) to submit to periodic audits by Covered Entity verifying Business Associate’s compliance with appropriate technological, administrative and physical safeguards to prevent the use or disclosure of PHI other than as permitted by this Agreement, as well as compliance with the terms and conditions pursuant to this Agreement and compliance with state and federal laws and regulations. Audit review may be undertaken directly by the Covered Entity or by third parties engaged by the Covered Entity. Business Associate shall cooperate fully with Covered Entity or any such third party in connection with such audits.

Obligations and Activities of Business Associate. (a) Business Associate agrees to: a. Not to not use or disclose Protected Health Information other than as permitted or required by Section 3.0 of this BAA, the Agreement, or as required Required by law;Law. b. Use (b) Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use use or Disclosure disclosure of Protected Health Information other than as provided for by this BAA;Agreement. c. Report (c) Business Associate agrees to Covered Entity mitigate, to the extent practicable, any Use harmful effect that is known to Business Associate of a use or Disclosure disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. (d) Business Associate agrees to report to Plan any use or disclosure of the Protected Health Information not provided for by this BAA Agreement of which it becomes aware. (e) Business Associate agrees to ensure that any agent, including breaches of Unsecured a subcontractor, to whom it provides Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintainreceived from, or transmit Protected Health Information created or received by Business Associate on behalf of of, the Business Associate agree Plan agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information;. e. Make available (f) Business Associate agrees to provide access, at the request of Plan or an Individual, and in a prompt and reasonable manner consistent with the HIPAA regulations, to Protected Health Information in a Designated Record Set Set, to Covered Entity the Plan as directed, or directly to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR 164.524;. f. Make (g) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed that the Plan directs or agreed agrees to by the Covered Entity pursuant to 45 CFR 164.526164.526 at the request of Plan or an Individual, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;and in a prompt and reasonable manner consistent with the HIPAA regulations. g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the (h) Business Associate is agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make make its internal practices, books, and records available records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Plan available, or at the request of the Plan or the Secretary, to the Plan or to the Secretary in a time and manner, which shall be designated by the Plan or the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity’s Plan's compliance with the Privacy Rule. (i) Business Associate agrees to document disclosures of Protected Health Information and information related to such disclosures as would be required for Plan to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) Business Associate agrees to provide to the Plan or an Individual in a prompt and reasonable manner consistent with the HIPAA regulations as designated by the Plan, information collected in accordance with Section 2.0 (i) of this Agreement, to permit Plan to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (k) Business Associate agrees to satisfy all applicable provisions of HIPAA standards for electronic transactions and HIPAA Regulationscode sets, also known as the Electronic Data Interchange (EDI) Standards, at 45 CFR Part 162. Business Associate further agrees to ensure that any agent, including a subcontractor that conducts standard transactions on its behalf will comply with the EDI Standards. (l) Business Associate agrees to determine the Minimum Necessary type and amount of PHI required to perform its services and will comply with 45 CFR 164.502(b) and 514(d).

Obligations and Activities of Business Associate. a) Business Associate acknowledges and agrees that it is obligated by law (or upon the effective date of any portion thereof shall be obligated) to meet the applicable provisions of HIPAA and such provisions are incorporated herein and made a part of this Business Associate Agreement. Covered Entity and Business Associate agree that any regulations and/or guidance issued by DHHS with respect to HIPAA that relate to the obligations of business associates shall be deemed incorporated into and made a part of this Business Associate Agreement. b) In accordance with 45 CFR §164.502(a)(3), Business Associate agrees to: a. Not not to use or disclose Protected Health Information PHI other than as permitted or required by this BAA, the Agreement, Business Associate Agreement or as required Required by law;Law. b. Use c) Business Associate agrees to develop, implement, maintain and use appropriate safeguardsadministrative, technical, and comply with Subpart C physical safeguards that reasonably prevent the use or disclosure of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information PHI other than as provided for by this BAA; c. Report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes awareBusiness Associate Agreement, including breaches of Unsecured Protected Health Information as required at in accordance with 45 CFR 164.410§§164.306, 310 and 312. Business Associate agrees to develop, implement, maintain and use administrative, physical, and any Security Incident technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of which it becomes aware; d. Electronic PHI, in accordance with 45 CFR §§164.306, 308, 310, and 312. In accordance with 45 CFR 164.502(e)(1)(ii§164.316, Business Associate shall also develop and implement policies and procedures and meet the documentation requirements as and at such time as may be required by HIPAA. d) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate, of a use or disclosure of PHI by Business Associate in violation of the requirements of this Business Associate Agreement. e) In accordance with 45 CFR §§164.308, 314 and 164.308(b)(2)502, if applicable, Business Associate will ensure that any Subcontractors that workforce member or agent, including a vendor or subcontractor, whom Business Associate engages to create, receive, maintain, or transmit Protected Health Information PHI on behalf of the Business Associate agree Associate’s behalf, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Business Associate Agreement to Business Associate with respect to such information;, including minimum necessary limitations. Business Associate will ensure that any workforce member or agent, including a vendor or subcontractor, whom Business Associate engages to create, receive, maintain, or transmit PHI on Business Associate’s behalf, agrees to implement reasonable and appropriate safeguards to ensure the confidentiality, integrity, and availability of the PHI. e. Make available Protected Health Information f) At the request of Covered Entity, Business Associate will provide Covered Entity, or as directed by Covered Entity, an Individual, access to PHI maintained in a Designated Record Set in a time and manner that is sufficient to meet the requirements of 45 CFR § 164.524, and, where required by HIPAA, shall make such information available in an electronic format where directed by the Covered Entity. g) At the written request of Covered Entity, (or if so directed by Covered Entity, at the written request of an Individual), Business Associate agrees to make any amendment to PHI in a Designated Record Set, in a time and manner that is sufficient to meet the requirements of 45 CFR § 164.526. h) In accordance with 45 CFR §164.504(e)(2), Business Associate agrees to make its internal practices, books, and records, including policies and procedures, and any PHI, relating to the use and disclosure of PHI, available to Covered Entity or to an individual whose Protected Health Information is maintained the Secretary for purposes of determining compliance with applicable law. To the extent permitted by Business Associatelaw, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information said disclosures shall be held in a Designated Record Set as directed or agreed to strictest confidence by the Covered Entity. Business Associate will provide such access in a time and manner that is sufficient to meet any applicable requirements of applicable law. i) Business Associate agrees to document and maintain a record of disclosures of PHI and information related to such disclosures, including the date, recipient and purpose of such disclosures, in a manner that is sufficient for Covered Entity pursuant or Business Associate to respond to a request by Covered Entity or an Individual for an Accounting of disclosures of PHI and in accordance with 45 CFR 164.526§ 164.528. Business Associate further shall provide any additional information where required by HIPAA and any implementing regulations. Unless otherwise provided under HIPAA, Business Associate will maintain the Accounting with respect to each disclosure for at least six years following the date of the disclosure. j) Business Associate agrees to provide to Covered Entity upon written request, or, as directed by Covered Entity, to an Individual, an Accounting of disclosures in a time and manner that is sufficient to meet the requirements of HIPAA, in accordance with 45 CFR §164.528. In addition, where Business Associate is contacted directly by an Individual based upon information provided to the Individual by Covered Entity and where so required by HIPAA and/or any implementing regulations, Business Associate shall make such Accounting available directly to the Individual. k) In accordance with 45 CFR §164.502(b), Business Associate agrees to make reasonable efforts to limit use, disclosure, and/or requests for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or take other measures as request. Where required by HIPAA, Business Associate shall determine (in its reasonable judgment) what constitutes the minimum necessary to satisfy accomplish the intended purpose of a disclosure. l) In accordance with 45 CFR §502(a)(5), Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual, except with the express written pre- approval of Covered Entity’s obligations under 45 CFR 164.526;. g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. m) To the extent the Business Associate is to carry out one or more obligation(s) of the Covered Entity's obligation(s) ’s under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). n) In accordance with 45 CFR §164.314(a)(1)(i)(C), Business Associate agrees to promptly report to Covered Entity any Security Incident of which Business Associate becomes aware. o) In accordance with 45 CFR §164.410 and the provisions of this Business Associate Agreement, Business Associate will report to Covered Entity, following Discovery and without unreasonable delay, but in no event later than five business days following Discovery, any Breach of Unsecured Protected Health Information. Business Associate shall cooperate with Covered Entity in investigating the Breach and in meeting Covered Entity’s obligations under HIPAA and any other applicable security breach notification laws, including, but not limited to, providing Covered Entity with such information in addition to Business Associate’s report as Covered Entity may reasonably request, e.g., for purposes of Covered Entity making an assessment as to whether/what Breach Notification is required. Business Associate’s report under this subsection shall, to the extent available at the time the initial report is required, or as promptly thereafter as such information becomes available but no later than 30 days from discovery, include: 1. The identification (if known) of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach; 2. A description of the nature of the unauthorized acquisition, access, use, or disclosure, including the date of the Breach and the date of discovery of the Breach; 3. A description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g., full name, Social Security number, date of birth, etc.); 4. The identity of the individual(s) who made and who received the unauthorized acquisition, access, use or disclosure; 5. A description of what Business Associate is doing to investigate the Breach, to mitigate losses, and to protect against any further breaches; and i. Make its internal practices, books, and records available to the Secretary 6. Contact information for purposes of determining Business Associate’s representatives knowledgeable about the Breach. p) Business Associate shall maintain for a period of six years all information required to be reported under paragraph "o". This records retention requirement does not in any manner change the obligation to timely disclose all required information relating to a non-permitted acquisition, access, use or Covered Entity’s compliance with HIPAA disclosure of Protected Health Information to the County Privacy Officer and HIPAA Regulationsthe County Project Officer or designee five business days following Discovery.

Obligations and Activities of Business Associate. (a) Business Associate agrees to: a. Not to not use or disclose Protected Health Information other than as permitted or required by this BAABA Agreement or as Required By Law. For purposes of this BA Agreement, the Agreement, or as required by law; b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect same provisions that apply to electronic Protected Health Information, Information shall apply to NPFI. (b) Business Associate agrees to use appropriate safeguards to prevent Use use or Disclosure disclosure of Protected Health Information other than as provided for by this BAA;BA Agreement and the HIPAA Rules, and to comply with Subpart C of 45 C.F.R. part 164 with respect to electronic Protected Health Information. c. Report (c) Business Associate agrees to report, in writing, to Covered Entity Entity's Privacy Official, within three (3) calendar days, any Use use or Disclosure disclosure of Protected Health Information not provided for by this BAA BA Agreement of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information as required at by 45 CFR C.F.R. §164.410, and any Security Incident of which it becomes aware;. For reports of incidents constituting a Breach, the report shall include, to the extent available, the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during a Breach of Unsecured Protected Health Information. For incidents that do not constitute a Breach, the report shall identify the date of the Security Incident or impermissible use or disclosure (collectively "Occurrence"), the scope of the Occurrence, Business Associate's response to the Occurrence and the identification of the party responsible for causing the Occurrence, if known. d. (d) In accordance with 45 CFR C.F.R. §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information;. e. Make (e) Business Associate agrees to make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), Individual as necessary to satisfy Covered Entity’s 's obligations under 45 CFR C.F.R. §164.524;. f. Make (f) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR C.F.R. §164.526, or take other measures as necessary to satisfy Covered Entity’s 's obligations under 45 CFR C.F.R. §164.526;. g. Maintain (g) Business Associate agrees to maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s 's obligations under 45 CFR C.F.R. §164.528;. Business Associate agrees to provide to Covered Entity, within fifteen (15) days and in a secure manner, information collected in accordance with this Section 2(g) of this BA Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528 and applicable state law. h. (h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR C.F.R. Part 164164 or other provisions of the HIPAA Rules, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and. i. Make (i) Business Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. Unless otherwise prohibited law or by the Secretary, Business Associate shall notify Covered Entity immediately upon receipt by Business Associate of any such request, and shall provide Covered Entity with copies of all materials provided to the Secretary. (j) Business Associate agrees to, subject to subsection 4(c) below, return to the Covered Entity or Covered Entity's designee or, with Covered Entity's written permission destroy, within fifteen (15) days of the termination of this BA Agreement, the Protected Health Information in its possession and retain no copies. (k) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to either party, of a use or disclosure of Protected Health Information in violation of this BA Agreement. (l) Notwithstanding anything in this BA Agreement or the Service Agreement to the contrary, Business Associate agrees to indemnify and hold harmless Covered Entity and Covered Entity's employees, affiliates, directors, officers, subcontractors, agents, sponsors and members of its workforce (each of the foregoing hereinafter referred to as an "indemnified party") from, and, at Covered Entity's option, defend against any and all losses, liabilities, third-party claims, fines, penalties, costs, and expenses, including reasonable attorneys' fees, consultants' fees, court costs breach notification costs and credit monitoring fees (collectively, "Losses") to the extent that such Losses arise from, or may be in any way attributable to, any act or omission by Business Associate or Business Associate's employees, contractors, agents or representatives that constitutes or that is otherwise asserted by any regulatory agency or third party to be (i) a breach of this BA Agreement, (ii) negligence, gross negligence, bad faith, or intentional or willful misconduct, (iii) a violation of the HIPAA Rules, HIPAA and/or the HITECH Act; and/or (iv) any Security Incident or Breach involving Protected Health Information in Business Associate's possession, custody or control, or for which Business Associate is otherwise responsible. The provisions of this paragraph shall survive the expiration or termination of this BA Agreement for any reason. (m) Except as otherwise allowed in this BA Agreement and the HIPAA Rules, Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual unless the Individual has provided a valid authorization compliant with HIPAA and state law. (n) Covered Entity, in its sole and absolute discretion, may elect to delegate to Business Associate any requirement to notify affected Individuals of a Breach of Unsecured Protected Health Information if such Breach results from, or is related to, an act or omission of Business Associate or the subcontractors, agents or representatives of Business Associate. If Covered Entity elects to make such delegation, Business Associate shall perform such notifications and any other reasonable remediation services (i) at Business Associate’s or sole cost and expense, and (ii) in compliance with all applicable laws including HIPAA and the HITECH Act. Business Associate shall also provide Covered Entity with the opportunity to review and approve of the form and content of any Breach notification that Business Associate provides to Individuals. (o) To the extent that Business Associate submits Standard Transactions on behalf of Covered Entity’s , or assists Covered Entity with submission of Standard Transactions, Business Associate will comply with HIPAA's Transaction and code set Standards for such Transactions. (p) Unless Covered Entity agrees, in writing, that this requirement is infeasible with respect to particular data, Business Associate shall secure all Protected Health Information by a technology standard that renders Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals and is developed in accordance with Department of Health and Human Services' applicable guidance and other applicable laws and regulations. (q) Business Associate agrees to respond to and accommodate a request for confidential communications by an Individual, including requests to communicate or correspond with an Individual by alternative means or at alternative locations, or a request for, changes in, or a revocation of, permission by an Individual to restrict Business Associate's use or disclosure of Protected Health Information, in a timely manner in accordance with the requirements under 45 C.F.R. §164.522, and to make changes to Business Associate's processes to the extent that such request, if approved, may affect Business Associate's use or disclosure of Protected Health Information. (r) Business Associate agrees to communicate orally and in writing with authorized employees, workforce members, agents, and business associates of Covered Entity, and shall transmit Protected Health Information to these authorized employees, workforce members, agents and business associates at the request of Covered Entity, to the extent permitted by and in accordance with the HIPAA Rules. (s) Within ten (10) business days of Covered Entity's written request, Business Associate and its agents and subcontractors shall allow Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of Protected Health Information pursuant to this BA Agreement for the purpose of determining whether Business Associate has complied with the BA Agreement; provided, however that Covered Entity shall protect the confidentiality of all confidential and proprietary information of Business Associate to which Covered Entity has access during the course of such inspection. The fact that Covered Entity requests or fails to request such evidence, or inspects, or fails to inspect, or has the right to inspect, Business Associate's facilities, systems, books, records, agreements, policies and procedures does not relieve Business Associate of responsibility to comply with this BA Agreement, nor does Covered Entity's (i) failure to detect or (ii) detection, but failure to notify Business Associate or require Business Associate's remediation of any unsatisfactory practice, constitute acceptance of such practice or waiver of Covered Entity's enforcement rights under this BA Agreement. (t) Business Associate agrees to track and monitor compliance with HIPAA the provisions of this BA Agreement, and HIPAA Regulationsprovide evidence of such monitoring to Covered Entity upon request. (u) Business Associate must host and store Protected Health Information maintained on behalf of Covered Entity on servers and other hardware or in physical storage areas located only within the United States, and all services by Business Associate described in this BA Agreement will be provided on, in and from the United States only.

Obligations and Activities of Business Associate. 2.1 Business Associate acknowledges that it is directly subject to the Security Rule and to certain portions of the Privacy Rule and, upon request, will provide Covered Entity with evidence of compliance. For purposes of HIPAA, Business Associate is not an agent of Covered Entity. Business Associate agrees to: a. : Not use or disclose Protected Health Information PHI other than as permitted or required by this BAA, to furnish services under the Agreement, Agreement or as required Required by law; b. Law. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health InformationPHI, to prevent Use use or Disclosure disclosure of Protected Health Information the PHI other than as provided for by this BAA; c. Agreement. Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement. Report in writing to Covered Entity within 5 business days any Use use or Disclosure disclosure of Protected Health Information the PHI not provided for by this BAA Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured PHI as required at 45 CFR 164.410, and any Security Incident (as defined in 45 CFR 164.304) of which it becomes aware; d. . In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors and agents that create, receive, maintain, or transmit Protected Health Information PHI on behalf of the Business Associate on behalf of Covered Entity agree to the same restrictions, conditions, conditions and requirements that apply to Business Associate with respect to such information; e. Make . Within five (5) business days request of Covered Entity, make available Protected Health Information PHI in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524, as well as make any amendments to PHI in a Designated Record Set (and incorporate any amendments, if required) as directed or agreed to by the Covered Entity in order to meet the requirements under 45 CFR 164.526. Within five (5) business days request of Covered Entity, make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. In the event such a request comes directly from the Secretary, Business Associate agrees to notify Covered Entity promptly of such request. Document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528; h. . Provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with this section, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. Upon request, make its internal practices, books and records available to the Secretary and to the Covered Entity for purposes of determining compliance with the HIPAA Rules. Comply with the minimum necessary requirements under the HIPAA Rules. To the extent the Business Associate is to carry out one or more of Covered Entity's ’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with HIPAA and HIPAA Regulations.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use Use or disclose Disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required Required by lawLaw; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity covered entity any Use or Disclosure of Protected Health Information not provided for by this BAA the Agreement of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes awareaware within five (5) business days of receiving knowledge of such Use, Disclosure, Breach, or Security Incident; d. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate business associate agree to the same restrictions, conditions, and requirements that apply to Business Associate the business associate with respect to such information; e. (e) Make available Protected Health Information in a Designated Record Set designated record set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), covered entity as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.524. Business associate shall cooperate with covered entity to fulfill all requests by Individuals for access to the Individual’s Protected Health Information that are approved by covered entity. If business associate receives a request from an Individual for access to Protected Health Information, business associate shall forward such request to covered entity within ten (10) business days. Covered entity shall be solely responsible for determining the scope of Protected Health Information and Designated Record Set with respect to each request by an Individual for access to Protected Health Information; f. (f) Make any amendment(s) to Protected Health Information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.526. Within ten (10) business days following any such amendment or other measure, business associate shall provide written notice to covered entity confirming that business associate has made such amendments or other measures and containing any such information as may be necessary for covered entity to provide adequate notice to the Individual in accordance with 45 CFR 164.526. Should business associate receive requests to amend Protected Health Information from an Individual, Business associate shall cooperate with covered entity to fulfill all requests by Individuals for such amendments to the Individual’s Protected Health Information that are approved by covered entity. If business associate receives a request from an Individual to amend Protected Health Information, business associate shall forward such request to covered entity within ten (10) business days. Covered entity shall be solely responsible for determining whether to amend any Protected Health Information with respect to each request by an Individual for access to Protected Health Information; g. (g) Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as covered entities necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.528. Business associate shall cooperate with covered entity to fulfill all requests by Individuals for access to an accounting of Disclosures that are approved by covered entity. If business associate receives a request from an Individual for an accounting of Disclosures, business associate shall immediately forward such request to covered entity. Covered entity shall be solely responsible for determining whether to release any account of Disclosures; h. (h) To the extent the Business Associate business associate is to carry out one or more of Covered Entitycovered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity covered entity in the performance of such obligation(s); and i. (i) Make its internal practices, books, and records available to the covered entity and / or the Secretary of the United States Department of Health and Human Services for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. 3.1 Business Associate agrees to: a. Not will not use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. Use 3.2 Business Associate will use appropriate safeguards, and comply with Subpart C of 45 CFR C.F.R. Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAAgreement; c. Report 3.3 Business Associate will report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information not provided for by this BAA Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR C.F.R. 164.410, and any Security Incident security incident of which it becomes aware, without unreasonable delay and in no case later than thirty (30) days following the discovery of a Breach of such information. Such notice shall include the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired or disclosed during the Breach; d. 3.4 In accordance with 45 CFR C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate will ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. Make 3.5 The Business Associate shall exhaust, at its sole expense, all reasonable efforts to mitigate any harmful effect known to the Business Associate arising from the use or disclosure of PHI by Business Associate in violation of the terms of this Agreement; 3.6 To the extent Business Associate holds Protected Health Information in a Designated Record Set, Business Associate will make available to Covered Entity Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations to provide individuals access to their Protected Health Information under 45 CFR C.F.R. 164.524; f. Make 3.7 To the extent Business Associate holds Protected Health Information in a Designated Record Set, Business Associate will make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to an individual’s right to amend his/her records under 45 CFR C.F.R. 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR C.F.R. 164.526; g. Maintain 3.8 Business Associate expressly recognizes that Covered Entity has certain reporting and Disclosure obligations to the Secretary of the U.S. Department of Health and Human Services and the Individual in case of a Security Breach of unsecured Protected Health Information (as defined in 45 C.F.R. §164.402); 3.9 Business Associate will maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entitycovered entity’s obligations to provide an accounting of disclosures under 45 CFR C.F.R. 164.528; h. 3.10 To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under the HIPAA Privacy Rule, Subpart E of 45 CFR C.F.R. Part 164, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make 3.11 Business Associate will make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. a. Business Associate’s Responsibilities. Business Associate agrees to: a. (i) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (ii) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. Report (iii) Timely report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware. Said reports shall be in writing and occur no later than 48 hours after Business Associate becomes aware of the disclosure or security incident; d. (iv) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. Make (v) Timely make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make (vi) Timely make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain (vii) Timely maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. (viii) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (ix) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. a. Business Associate agrees to: a. Not to not use or further disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Underlying Agreement or as required by law;Required By Law. b. Use Business Associate agrees to use appropriate safeguards, including without limitation administrative, physical, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationtechnical safeguards, to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Amendment and to reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic Protected Health Information that it may receive, maintain, or transmit on behalf of the Covered Entity. c. Report Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Amendment. d. Business Associate agrees to report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Amendment or any security incident of which it becomes aware, including breaches of Unsecured aware involving Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware;the Covered Entity. d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, e. Business Associate agrees to ensure that any Subcontractors that createagent, receiveincluding a subcontractor, maintain, or transmit to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of the Business Associate agree Covered Entity agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Amendment to Business Associate with respect to such information;. e. Make available f. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set Set, to Covered Entity or or, as directed by Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR 164.524;. f. Make g. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526164.526 at the request of Covered Entity or an Individual, or take other measures as necessary to satisfy and in the time and manner designated by Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;. h. To the extent the Business Associate is agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity’s 's compliance with HIPAA the Privacy & Security Rules. i. Business Associate agrees to document such disclosures of Protected Health Information and HIPAA Regulationsinformation related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. j. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with Section (2)(i) of this Amendment, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. k. Business Associate hereby acknowledges and agrees that Covered Entity has notified Business Associate that it is required to comply with the confidentiality, disclosure and re-disclosure requirements of 10 NYCRR Part 63 to the extent such requirements may be applicable.

Obligations and Activities of Business Associate. 3.1 Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Agreement. 3.2 Business Associate agrees to: a. Not to not use or further disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. Use 3.3 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use use or Disclosure disclosure of Protected Health Information other than as provided for by this BAA;Agreement. Specifically, Business Associate will implement the administrative, physical, and technical safeguards set forth in Sections 164.308, 164.310, and 164.312 (as may be amended from time to time) of the HIPAA Privacy and Security Rules that reasonably and appropriately protect the confidentiality, integrity, and availability of any Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity, and, in accordance with Section 164.316 of the HIPAA Privacy and Security Rules, implement and maintain reasonable and appropriate policies and procedures to enable it to comply with the requirements outlined in Sections 164.308, 164.310, and 164.312; and c. Report 3.4 Business Associate agrees to report to Covered Entity any Use the use or Disclosure disclosure of Protected Health Information not provided for by this BAA of which it becomes awareAgreement, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410. Further, and Business Associate agrees to report to Covered Entity within five (5) days of discovery of any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation Discovers as required by 45 CFR 164.530(j)164.314 For purposes of this Agreement, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to “Security Incident” means the successful unauthorized access, use, disclosure, modification, or destruction of Protected Health Information or interference with system operations in an information system, of which Business Associate has knowledge or should, with the exercise of reasonable diligence, have knowledge, excluding (i) “pings” on an information system firewall; (ii) port scans; (iii) attempts to log on to an information system or enter a database with an invalid password or user name; (iv) denial-of-service attacks that do not result in a Designated Record Set as directed server being taken offline; or agreed to by the Covered Entity pursuant to 45 CFR 164.526(v) malware (e.g., a worms or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and make available the information required to provide an accounting a virus) that does not result in unauthorized access, use, disclosure, modification or destruction of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with HIPAA and HIPAA RegulationsProtected Health Information.

Obligations and Activities of Business Associate. The Business Associate agrees to: a. Not use Use or disclose Disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, BAA or as required by lawRequired By Law; b. Use appropriate safeguards, and comply with Subpart C of 45 CFR C.F.R. Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAA; c. Report to the Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information as required at 45 CFR C.F.R. § 164.410, and any Security Incident of which it becomes awareaware in accordance with subsection 7, below; d. In accordance with 45 CFR C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy the Covered Entity’s obligations under 45 CFR C.F.R. §164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR C.F.R. §164.526, or take other measures as necessary to satisfy the Covered Entity’s obligations under 45 CFR C.F.R. § 164.526; g. Maintain and promptly make available available, as directed by the Covered Entity, the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered the Cover Entity’s obligations under 45 CFR C.F.R. § 164.528; h. Within 5 business days forward any request that the Business Associate receives directly from an Individual who (1) seeks access to Protected Health Information held by the Business Associate pursuant to this BAA, (2) requests amendment of Protected Health Information held by the Business Associate pursuant to this BAA, or (3) requests an accounting of Disclosures, so that the Covered Entity can coordinate the response; i. To the extent the Business Associate is to carry out one or more of the Covered Entity's ’s obligation(s) under Subpart E of 45 CFR C.F.R. Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. j. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Submit system and program information to the Privacy Official, upon request, to document and verify compliance with federal and state privacy rules and regulations; (d) Report to the Privacy Official of the Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes awareaware within 72 hours of discovery; d. (e) Notwithstanding the requirements of 45 CFR 164.410, Business Associate shall notify the Privacy Official of the Covered Entity of potential breaches within 72 hours of discovery and keep the Privacy Official of the Covered Entity informed in their breach determination process; (f) Unless otherwise directed by Covered Entity, Business Associate shall be responsible for breach notifications to individuals, the US DHHS Office of Civil Rights (OCR), the media, and Consumer Affairs, if applicable, on behalf of Covered Entity and shall include Covered Entity’s designee as part of the breach response team; (g) For breaches resulting from the action or inaction of Business Associate, or its subcontractors, surrounding the use, receipt, storage, and/or transmission of PHI and PII under this Agreement, be responsible for any and all costs, damages, liabilities, expenses, fines, and/or penalties; (h) In accordance with 45 CFR 164.502(e)(1)(ii164.502(e)(1) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements requirements, to include reporting and notification requirements, that apply to the Business Associate with respect to such information; e. (i) All reporting or notifications requirements pursuant to letters (d), (e), (f), (g) and (h) above, should be submitted using the “Incident Reporting for Business Associates” form, addressed to the Privacy Official of the Covered Entity, by email to xxxxxxxxxxxxx@xxxxxx.xxx. Additional contact information for the Privacy Official is: South Carolina Department of Health and Human Services Privacy Xxxxxx Xxxx Xxxxxx Xxx 0000 Xxxxxxxx, XX 00000-0000 Phone: (000) 000-0000 Fax: (000) 000-0000 (j) Make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. (k) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. (l) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity Entity, or an individual if directed by Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. (m) Notify Covered Entity within five (5) business days of receipt of any request covered under paragraphs (j), (k) or (l) above; (n) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (o) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees Agrees to: a. (a) Not use or further disclose Protected Health Information other than as permitted or required by Sections 3.0, 5.0 and 6.0 of this BAA, the Agreement, or as required by law;applicable federal or laws of the state. b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, Information to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Agreement. c. (c) Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. (d) Report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Agreement of which it becomes aware, including breaches Breaches of Unsecured unsecured Protected Health Information as required at by 45 CFR 164.410, 164.410 and any Security security Incident of which it becomes become aware;. d. In accordance with 45 CFR 164.502(e)(1)(ii(e) and 164.308(b)(2), if applicable, ensure Ensure that any Subcontractors that createagent, receiveincluding a subcontractor, maintain, or transmit to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of the Business Associate agree Covered Entity, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information;. e. Make available (f) Provide access, at the request of Covered Entity or an Individual, and in a prompt and reasonable manner consistent with the HIPAA regulations, to Protected Health Information in a Designated Record Set designated record set, to the Covered Entity or directly to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR 164.524;. f. (g) Make any amendment(sAmendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by designated record set that the Covered Entity or an Individual directs or agrees to pursuant to 45 CFR 164.526, in a prompt and reasonable manner consistent with the HIPAA regulations, or take other measures as necessary to satisfy Covered Entity’s obligations Entity obligation under 45 CFR 164.526;. g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s(h) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity's compliance with the Privacy Rule. (i) Document disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) At Covered Entity’s or Individual’s request, Business Associate agrees to provide to Individual or Covered Entity an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528, in a prompt and reasonable manner consistent with the HIPAA regulations. The Business Associate shall assist the Covered Entity in complying with the HIPAA regulations relating to the required Disclosure, Amendment or Accounting. (k) Business Associate certifies that it is in compliance with all applicable provisions of HIPAA standards for electronic transactions and HIPAA Regulationscode sets, also known as the Electronic Data Interchange (EDI) Standards, at 45 CFR Part 162; and the Annual Guidance as issued by the Secretary pursuant to the HITECH Act, sec. 13401. Business Associate further agrees to ensure that any agent, including a subcontractor, that conducts standard transactions on its behalf, agrees to comply with the EDI Standards and the Annual Guidance. (l) Business Associate agrees to determine the Minimum Necessary type and amount of PHI required to perform its services and will comply with 45 CFR 164.502(b) and 164.514(d).

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement within five (5) days of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes awareaware (Refer to Notices Section); d. (d) Business Associate agrees to immediately mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI where Business Associate is in violation of the requirements of this Agreement. (e) Pursuant to this Agreement, Business Associate agrees to indemnify, defend, and hold harmless Covered Entity from and against any and all claims, actions, damages, losses, liabilities, fines, penalties, costs, and expenses (including without limitation costs of breach notifications, costs of credit monitoring reasonable attorneys’ fees) arising out of the failure of Business Associate or Business Associate's agents or employees to comply with any breach of this Agreement, including without limitation failure to comply with applicable HIPAA Rules or applicable state and federal laws and regulations. Business Associate agrees to maintain, at its own cost and expense, insurance coverage as necessary and reasonable to insure itself and its employees and agents in connection with the performance of its duties and responsibilities under this Business Associate Agreement. The obligations of this Provision shall survive the termination of this Agreement. (f) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements requirements, in writing, that apply to the Business Associate with respect to such information; e. Make available Protected Health Information, including, but not limited to the extent that subcontractors create, receive, maintain, or transmit Electronic Protected Health Information on behalf of Business Associate; (g) Make available protected health information in a Designated Record Set designated record set to the “Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), Entity” as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;. The Business associate within five (5) days will provide this information to the Covered Entity and send the individual’s request to the Covered Entity to fulfill. f. (h) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.526;. The Business Associate within five (5) days will provide this information to the Covered Entity and send the individual’s request to the Covered Entity to fulfill. g. (i) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;. The Business Associate will forward the individual’s request to the covered entity and provide the information to the Covered Entity in five (5) days. h. (j) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (k) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use Use or disclose Disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, the Agreement including breaches Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware;, following discovery and without unreasonable delay, but in no event later than fifteen (15) days after it becomes aware of such Breach or Security Incident. In addition to providing the Covered Entity with the information required pursuant to 45 CFR 164.410 (C), the Business Associate shall also provide the Covered Entity with any other information that it reasonably requests. Business Associate shall not (i) notify or otherwise contact any participant or beneficiary with respect to a Breach of Unsecured Protected Health Information or Security Incident, or (ii) report any such Breach or Security Incident to any media outlet, the Secretary or any other government agency, without first notifying Covered Entity and attempting to coordinate a response. The parties shall cooperate in good faith with respect to their notification obligations under the HIPAA rules and other applicable law. d. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. (e) Make available Protected Health Information in a Designated Record Set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business AssociateEntity, the Individual, or the individualIndividual’s designee, as appropriate and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. (f) Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. (g) Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity Entity, the Individual, or the Individual’s designee, as appropriate and necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. (h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (i) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use Use or disclose Disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required Required by lawLaw; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic elec tronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity covered entity any Use or Disclosure of Protected Health Information not provided for by this BAA the Agreement of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes awareaware within five (5) business days of receiving knowledge of such Use, Disclosure, Breach, or Security Incident; d. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate business associate agree to the same restrictions, conditions, and requirements that apply to Business Associate the business associate with respect to such information; e. (e) Make available Protected Health Information in a Designated Record Set designated record set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), covered entity as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.524. Business associate shall cooperate with covered entity to fulfill all requests by Individuals for access to the Individual’s Protected Health Information that are approved by covered entity. If business associate receives a request from an Individual for access to Protected Health Information, business associate shall forward such request to covered entity within ten (10) business days. Covered entity shall be solely responsible for determining the scope of Protected Health Information and Designated Record Set with respect to each request by an Individual for access to Protected Health Information; f. (f) Make any amendment(s) to Protected Health Information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.526. Within ten (10) business days following any such amendment or other measure, business associate shall provide written notice to covered entity confirming that business associate has made such amendments or other measures and containing any such information as may be necessary for covered entity to provide adequate notice to the Individual in accordance with 45 CFR 164.526. Should business associate receive requests to amend Protected Health Information from an Individual, Business associate shall cooperate with covered entity to fulfill all requests by Individuals for such amendments to the Individual’s Protected Health Information that are approved by covered entity. If business associate receives a request from an Individual to amend Protected Health Information, business associate shall forward such request to covered entity within ten (10) business days. Covered entity shall be solely responsible for determining whether to amend any Protected Health Information with respect to each request by an Individual for access to Protected Health Information; g. (g) Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as covered entities necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.528. Business associate shall cooperate with covered entity to fulfill all requests by Individuals for access to an accounting of Disclosures that are approved by covered entity. If business associate receives a request from an Individual for an accounting of Disclosures, business associate shall immediately forward such request to covered entity. Covered entity shall be solely responsible for determining whether to release any account of Disclosures; h. (h) To the extent the Business Associate business associate is to carry out one or more of Covered Entitycovered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity covered entity in the performance of such obligation(s); and i. (i) Make its internal practices, books, and records available to the covered entity and / or the Secretary of the United States Department of Health and Human Services for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. (a) Business Associate agrees to: a. Not to not use or further disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Underlying Agreement or as required by law;. b. Use (b) Business Associate agrees to use appropriate safeguards, including without limitation, administrative, physical and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationtechnical safeguards, to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Agreement and to reasonably and appropriately protect the confidentiality, integrity and availability of any electronic protected health information that it may receive, maintain or transmit on behalf of the Covered Entity. c. Report (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. (d) Business Associate agrees to report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Agreement or any security incident of which it becomes aware, including breaches of Unsecured involving Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware;the Covered Entity. d. In accordance with 45 CFR 164.502(e)(1)(ii(e) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors that createagent, receiveincluding a subcontractor, maintain, or transmit to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of the Business Associate agree Covered Entity agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information;. e. Make available (f) Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set Set, to Covered Entity or or, as directed by Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR 164.524;. f. Make (g) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526164.526 at the request of Covered Entity or an Individual, or take other measures as necessary to satisfy and in the time and manner designated by Covered Entity’s obligations under 45 CFR 164.526;. g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the (h) Business Associate is agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity’s 's compliance with HIPAA the Privacy and HIPAA RegulationsSecurity Rules. (i) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) Business Associate agrees to provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with Section (2)(i) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (k) Business Associate hereby acknowledges and agrees that Covered Entity has notified Business Associate that it is required to comply with the confidentiality, disclosure and re- disclosure requirements of 10 NYCRR Part 63 to the extent such requirements may be applicable. (l) If in providing services to its patients, Business Associate regularly (not rarely or sporadically) extends, renews or continues credit to patients or regularly allows its patients to defer payment for services including setting up payment plans in connection with one or more covered accounts (as that term is defined at 16 C.F.R. 681.2(b)(3)), the Business Associate shall comply with the Federal Trade Commission’s “Red Flag” Rules by developing and implementing a written identity theft prevention program designed to identify, detect, mitigate and respond to suspicious activities (Red Flags) that could indicate that identity theft has occurred in the Business Associate practice or business.

Obligations and Activities of Business Associate. Business Associate agrees to: a. Not use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, or as required by law; b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by forby this BAA; c. Report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, including breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii164.502(e)(l)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s 's designee, and document and retain the documentation required by 45 CFR 164.530(j)164.530, as necessary to satisfy Covered Entity’s 's obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s 's obligations under 45 CFR 164.526; g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s 's obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s 's or Covered Entity’s 's compliance with HIPAA and HIPAA Regulations.

Obligations and Activities of Business Associate. Business Associate agrees to: a. Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Exhibit or as required by law; b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAExhibit; c. Report to Covered Entity covered entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA Exhibit of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate business associate agree to the same restrictions, conditions, and requirements that apply to Business Associate the business associate with respect to such information; e. Make available Protected Health Information protected health information in a Designated Record Set designated record set to Covered Entity or to an the individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), designee as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.526; g. Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity individual as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate business associate is to carry out one or more of Covered Entity's covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity covered entity in the performance of such obligation(s); and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. a. Business Associate agrees to: a. Not to not use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;Required By Law. b. Use Business Associate agrees to develop and use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use use or Disclosure disclosure of Protected Health Information other than as provided for by this BAA;the Agreement. c. Report Business Associate agrees to limit any use, disclosure, or request for use or disclosure to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request in accordance with the requirements of the Privacy Rule. Covered Entity may reasonably rely on any requested disclosure as the minimum necessary for the stated purpose when the information is requested by Business Associate. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. e. Business Associate agrees to report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured unsecured Protected Health Information as required at 45 CFR § 164.410, and any Security Incident security incident of which it becomes aware;. d. In f. Business Associate agrees to, in accordance with 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;. e. Make available g. Business Associate agrees to provide access, at the request of Covered Entity, and in a reasonable time and manner, to Protected Health Information in a Designated Record Set Set, to Covered Entity or or, as directed by Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR § 164.524;. This provision will not apply to a request by a Covered Entity or Individual for “Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.” 45 CFR § 164.524(a)(1)(ii). This provision may not apply in other situations exempted by appropriate rule. See 45 CFR § 164.524. f. Make h. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526§ 164.526 at the request of Covered Entity or an Individual, and in a reasonable time and manner. This provision will not apply to a request by a Covered Entity or Individual to amend information which “would not be available for inspection” pursuant to applicable rule, including but not limited to “Information compiled in reasonable anticipation of, or take other measures for use in, a civil, criminal, or administrative action or proceeding.” See 45 CFR §§ 164.526(a)(2)(iii), 164.524(a)(1)(ii). i. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, the Covered Entity available to the Secretary for purposes of determining the Covered Entity's compliance with Subpart E of 45 CFR Part 164. j. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as necessary would be required for Covered Entity to satisfy respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528. However, it is anticipated that most disclosures of Protected Health Information to or by Business Associate will be related to Covered Entity’s obligations under need “To carry out treatment, payment and health care operations as provided in § 164.506”, and thus will be exempt from any accounting of disclosures. See 45 CFR 164.526;§ 164.528 (a)(1)(i). g. Maintain and make available the information required to provide an accounting of Disclosures k. Business Associate agrees to, to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and. i. Make its internal practicesl. Business Associate hereby agrees to fully comply with the “Business Associate” requirements under HIPAA, booksthroughout the term of this Agreement. Further, Business Associate agrees that every agent, employee, subsidiary, and records available affiliate of Business Associate to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity will be required to fully comply with HIPAA, and will be bound by written agreement to the Secretary same restrictions and terms and conditions as set forth in this Agreement. m. Nothing in any of the foregoing provisions may be construed to require Business Associate to disclose information or documents in any format whatsoever which may be protected by: a) attorney-client privilege as defined by either Iowa law or the laws of the state where the Covered Entity is located; or b) work-product doctrine as defined by either Federal Rule of Civil Procedure 26(b)(3) or Iowa Rule of Civil Procedure 1.503(3), or successor versions of these rules. This limitation applies to requests for purposes disclosures of determining Business Associate’s or information and documents by Covered Entity’s compliance with HIPAA and HIPAA Regulations, an Individual, the Secretary, or any other third party.

Obligations and Activities of Business Associate. (a) The Business Associate agrees to: a. Not shall not use or disclose Protected Health Information PHI other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. Use (b) The Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 the DoD HIPAA Rules with respect to electronic Protected Health InformationPHI, to prevent Use use or Disclosure disclosure of Protected Health Information PHI other than as provided for by this BAA;Agreement. c. Report (c) The Business Associate shall report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA Breach of which it becomes aware, including breaches of Unsecured Protected Health Information and shall proceed with breach response steps as required at 45 CFR 164.410by Part V of this BAA. With respect to electronic PHI, and the Business Associate shall also respond to any Security Incident security incident of which it becomes aware;aware in accordance with any Information Assurance provisions of this Agreement. If at any point the Business Associate becomes aware that a security incident involves a Breach, the Business Associate shall immediately initiate breach response as required by part V of this BAA. d. (d) In accordance with 45 CFR 164.502(e)(1)(ii)) and 164.308(b)(2), if respectively, and corresponding DoD HIPAA Issuances, as applicable, the Business Associate shall ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;PHI. e. Make (e) The Business Associate shall make available Protected Health Information PHI in a Designated Record Set Set, to the Covered Entity or or, as directed by the Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j)Individual, as necessary to satisfy the Covered Entity’s Entity obligations under 45 CFR 164.524;164.524 and corresponding DoD HIPAA Issuances. f. Make (f) The Business Associate shall make any amendment(s) to Protected Health Information PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;, and corresponding DoD HIPAA Issuances. g. Maintain (g) The Business Associate shall maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity or an individual as necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.528;164.528 and corresponding DoD HIPAA Issuances. h. (h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164the HIPAA Privacy Rule, the Business Associate shall comply with the requirements of Subpart E the HIPAA Privacy Rule that apply to the Covered Entity in the performance of such obligation(s); and i. Make (i) The Business Associate shall make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. a. Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Addendum. b. Business Associate agrees to: a. Not to not use or further disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, this Addendum or as required by law;. b. Use c. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use use or Disclosure disclosure of Protected Health Information other than as provided for by this BAA;Addendum. Specifically, Business Associate will: c. Report 1. implement the administrative, physical, and technical safeguards set forth in Sections 164.308, 164.310, and 164.312 of the HIPAA Privacy and Security Rules that reasonably and appropriately protect the confidentiality, integrity, and availability of any Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity, and, in accordance with Section 164.316 of the HIPAA Privacy and Security Rules, implement and maintain reasonable and appropriate policies and procedures to enable it to comply with the requirements outlined in Sections 164.308, 164.310, and 164.312; and 2. report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information not provided for by this BAA Addendum of which it Business Associate becomes aware, including breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and . Business Associate shall report to Covered Entity any Security Incident of which it becomes aware;. Notice is deemed to have been given for unsuccessful Security Incidents, such as (i) “pings” on an information system firewall; (ii) port scans; (iii) attempts to log on to an information system or enter a database with an invalid password or user name; (iv) denial-of-service attacks that do not result in a server being taken offline; or (v) malware (e.g., a worms or a virus) that does not result in unauthorized access, use, disclosure, modification or destruction of Protected Health Information. d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors that createagent, receiveincluding a subcontractor, maintain, or transmit to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of the Business Associate agree Covered Entity, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Addendum to Business Associate with respect to such information;. e. Make Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information to which Covered Entity has agreed in accordance with Section 164.522 of the HIPAA Privacy and Security Rules and of which Business Associate has been notified by Covered Entity. In addition, and notwithstanding the provisions of Section 164.522 (a)(1)(ii), Business Associate agrees to comply with an individual’s request to restrict disclosure of Protected Health Information to a health plan for purposes of carrying out payment or health care operations if the Protected Health Information pertains solely to a health care item or service for which Covered Entity has been paid by in full by the individual or the individual’s representative. f. At the request of the Covered Entity and in a reasonable time and manner, not to extend ten (10) business days, Business Associate agrees to make available Protected Health Information in a Designated Record Set to required for Covered Entity or to respond to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary request for access to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to his or her Protected Health Information in accordance with Section 164.524 of the HIPAA Privacy and Security Rules. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information available electronically to the applicable individual or to a Designated Record Set as directed person or agreed to entity specifically designated by such individual, upon such individual’s request. g. At the request of Covered Entity pursuant and in a reasonable time and manner, Business Associate agrees to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and make available the information Protected Health Information required to provide an accounting of Disclosures to the for amendment by Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply in accordance with the requirements of Subpart E that apply Section 164.526 of the HIPAA Privacy and Security Rules. h. Business Associate agrees to document any disclosures of and make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the Covered Entity in the performance of such obligation(s); andHIPAA Privacy and Security Rules. i. Make Business Associate agrees that it will make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity, available to the Secretary for purposes the purpose of determining Business Associate’s or Covered Entity’s compliance with the HIPAA Privacy and Security Rules, in a time and manner designated by the Secretary, subject to attorney-client and other applicable privileges. j. Business Associate agrees that, while present at any Covered Entity facility and/or when accessing Covered Entity’s computer network(s), it and all of its employees, agents, representatives and subcontractors will at all times comply with any network access and other security practices, procedures and/or policies established by Covered Entity including, without limitation, those established pursuant to the HIPAA Privacy and Security Rules. k. Business Associate agrees that it will not directly or indirectly receive remuneration in exchange for any Protected Health Information of an individual without the written authorization of the individual or the individual’s representative, except where the purpose of the exchange is: 1. for public health activities as described in Section 164.512(b) of the Privacy and Security Rules; 2. for research as described in Sections 164.501 and 164.512(i) of the Privacy and Security Rules, and the price charged reflects the costs of preparation and transmittal of the data for such purpose; 3. for treatment of the individual, subject to any further regulation promulgated by the Secretary to prevent inappropriate access, use, or disclosure of Protected Health Information; 4. for the sale, transfer, merger, or consolidation of all or part of Business Associate and due diligence related to that activity; 5. for an activity that Business Associate undertakes on behalf of and at the specific request of Covered Entity; 6. to provide an individual with a copy of the individual’s Protected Health Information pursuant to Section 164.524 of the Privacy and Security Rules; or 7. other exchanges that the Secretary determines in regulations to be similarly necessary and appropriate as those described in this Section III.k. l. Business Associate agrees that it will not directly or indirectly receive remuneration for any written communication that encourages an individual to purchase or use a product or service without first obtaining the written authorization of the individual or the individual’s representative, unless: 1. such payment is for a communication regarding a drug or biologic currently prescribed for the individual and is reasonable in amount (as defined by the Secretary); or 2. the communication is made on behalf of Covered Entity and is consistent with the terms of this Addendum. m. Business Associate agrees that if it uses or discloses patients’ Protected Health Information for marketing purposes, it will obtain such patients’ authorization before making any such use or disclosure. n. Business Associate agrees to implement a reasonable system for discovery of breaches and method of risk analysis of breaches to meet the requirements of HIPAA, The HITECH Act, and the HIPAA Regulations, and shall be solely responsible for the methodology, policies, and procedures implemented by Business Associate.

Obligations and Activities of Business Associate. Business Associate agrees to: a. Not (a) not use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by lawRequired By Law; b. Use (b) use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAAAgreement; c. Report (c) mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement; (d) immediately report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Agreement of which it becomes aware, with such reports including breaches at least the following information: (1) the identity of Unsecured each individual whose information was accessed, acquired or disclosed during the improper use or disclosure; (2) a brief description of what happened; (3) the date of discovery of the improper use or disclosure; (4) the nature of the Protected Health Information as required at 45 CFR 164.410that was involved (e.g., social security numbers, date of birth, etc.); (5) any steps individuals should take to protect themselves from potential harm resulting from the improper use or disclosure; and (6) a brief description of what the Business Associate is doing to investigate the improper use or disclosure, to mitigate harm to individuals, and to protect against any Security Incident of which it becomes awarefurther incidents; d. In (e) in accordance with 45 CFR C.F.R. § 164.502(e)(1)(ii) and 164.308(b)(245 C.F.R. § 308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. Make (f) make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed necessary to by the allow Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s its obligations under 45 CFR 164.526C.F.R. §164.524 to provide Individuals with access to their Protected Health Information; g. Maintain and (g) make available to Covered Entity Protected Health Information in a Designated Record Set for amendment and incorporate any amendments made by Covered Entity in accordance with 45 C.F.R. §164.526 ; (h) make available to Covered Entity the information required to allow Covered Entity to provide an accounting of Disclosures disclosures in accordance with 45 C.F.R. §164.528; (i) make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity as necessary available to satisfy the Secretary for purposes of the Secretary determining Covered Entity’s obligations under 45 CFR 164.528compliance with the Privacy Regulations; h. To (j) to the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) ’s obligations under Subpart E of 45 CFR Part 164the HIPAA Privacy Regulations, comply with the requirements of Subpart E the Privacy Regulations that apply to the Covered Entity in the performance of such obligation(s)obligations; (k) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity, and otherwise comply with the HIPAA Security Regulations with respect to such electronic Protected Health Information, to prevent uses or disclosures of Protected Health Information other than as provided for by this Agreement; and i. Make its internal practices(l) report to Covered Entity any material attempted or successful unauthorized access, booksuse, and records available to the Secretary for purposes disclosure, modification, or destruction of determining Business Associate’s information or Covered Entity’s compliance interference with HIPAA and HIPAA Regulationssystem operations in an information system.

Obligations and Activities of Business Associate. (a) The Business Associate agrees to: a. Not shall not use or disclose Protected Health Information PHI other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. Use (b) The Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 the DoD HIPAA Rules with respect to electronic Protected Health InformationPHI, to prevent Use use or Disclosure disclosure of Protected Health Information PHI other than as provided for by this BAA;the Agreement. c. Report (c) The Business Associate shall report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA Breach of which it becomes aware, including breaches of Unsecured Protected Health Information and shall proceed with breach response steps as required at 45 CFR 164.410by Part V of this BAA. With respect to electronic PHI, and the Business Associate shall also respond to any Security Incident security incident of which it becomes aware;aware in accordance with any Information Assurance provisions of the Agreement. If at any point the Business Associate becomes aware that a security incident involves a Breach, the Business Associate shall immediately initiate breach response as required by part V of this BAA. d. (d) In accordance with 45 CFR 164.502(e)(1)(ii)) and 164.308(b)(2), if respectively), as applicable, the Business Associate shall ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;PHI. [When the pending successor issuances are published, then the preceding sentence should begin as follows: “In accordance with XxXX 6025.18, Enclosure 3, paragraph , XxXX 8580.02, Enclosure 3, paragraph , and 45 CFR 164.502(e)(1)(ii)) and 164.308(b)(2), as applicable, the Business Associate shall …”] e. Make (e) The Business Associate shall make available Protected Health Information PHI in a Designated Record Set Set, to the Covered Entity or or, as directed by the Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j)Individual, as necessary to satisfy the Covered Entity’s Entity obligations under 45 CFR 164.524;. f. Make (f) The Business Associate shall make any amendment(s) to Protected Health Information PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;. g. Maintain (g) The Business Associate shall maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity or an individual as necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.528;. h. (h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164the HIPAA Privacy Rule, the Business Associate shall comply with the requirements of Subpart E HIPAA Privacy Rule that apply to the Covered Entity in the performance of such obligation(s); and i. Make (i) The Business Associate shall make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. 1.1 Business Associate agrees to: a. Not not to use or disclose Protected Health Information other than PHI (“PHI”) except as permitted or required by this BAA, the Agreement, Agreement or as required Required by law; b. Use Law. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use use or Disclosure disclosure of Protected Health Information the PHI other than as provided for by this BAA;Agreement. c. Report 1.2 Business Associate and its agents or Subcontractors, if any, shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure in accordance with HIPAA, the HIPAA Regulations and HITECH. 1.3 Business Associate agrees to use appropriate safeguards and comply with the applicable requirements of the HIPAA Regulations, including 45 CFR Subpart C with respect to ePHI and Subpart E of 45 CFR with respect to PHI. This shall include, without limitation, using appropriate Security Measures and developing, implementing, maintaining and using appropriate and reasonable Administrative, Physical, and Technical Safeguards for the privacy and security of PHI to insure the Integrity, Confidentiality and Availability of, and to prevent non-permitted uses and disclosures of PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate further acknowledges and agrees that pursuant to HITECH it will implement and document its Security Measures and will comply with 45 C.F.R. sections 164.306 (Security Standards), 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), 164.314 (Organizational Safeguards), and 164.316 (Policy and Procedures and documentation requirements), and all other applicable requirements of HIPAA, the HIPAA Regulations, HITECH and other applicable privacy and security laws. Business Associate agrees to adopt the technology and methodology standards provided in guidance issued by the HHS Secretary pursuant to HITECH. 1.4 Business Associate agrees to take prompt action to correct any deficiencies and to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of an access, use, disclosure, modification or destruction of PHI by Business Associate, its agents or Subcontractors, if any, in violation of the requirements of this Agreement. 1.5 Business Associate agrees to promptly notify Covered Entity within forty-eight (48) hours of any Use access, use, disclosure, modification or Disclosure destruction of Protected Health Information PHI not provided for by this BAA Agreement or that is in violation of which it becomes aware, including breaches the requirements of Unsecured Protected Health Information as required at 45 CFR 164.410this Agreement, and to provide Covered Entity or its designee such information as may be reasonably requested by Covered Entity to investigate the violation. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. If Business Associate has been requested orally or in writing by law enforcement officials that notification of affected Individuals of a Breach may impede a criminal investigation, Business Associate shall so inform Covered Entity. 1.6 Business Associate further agrees to provide a report in writing to Covered Entity within ten (10) days of, and to cooperate with Covered Entity in investigating and resolving, any of the following as they relate to PHI under this Agreement: (i) Any unauthorized access, use, disclosure, modification or destruction of PHI of which Business Associate becomes aware; d. (ii) Any Security Incident of which Business Associate becomes aware; (iii) The receipt of a request from an Individual (or their authorized personal representative) for access to, amendment to, an accounting of disclosures of, a copy or electronic copy of, or a restriction on the use or disclosure of PHI; or (iv) Any Breach or potential Breach of Unsecured PHI of which Business Associate becomes aware. In accordance with 45 CFR 164.502(e)(1)(iisuch event, Business Associate will document its investigation and provide such additional information as may reasonably be requested to enable Covered Entity to determine the extent to which the PHI has been compromised. Notice to affected Individuals will be made by or at the direction of Covered Entity at Business Associate’s expense. The written report from Business Associate required by this Section shall set forth the following: (i) and 164.308(b)(2)A brief description of what happened, including the date of any unauthorized access, use, disclosure, modification or destruction, and, if applicableknown, ensure the date of Discovery, the number of individuals affected, the time period involved, and the nature and extent of any harm resulting from the violation; (ii) A description of the type(s) of PHI and Identifiers involved (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, and other types of information were involved); (iii) Information regarding whether and to what extent the PHI was Unsecured PHI, Encrypted, or was rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued under section 13402(h)(2) of HITECH on the HHS Web site; (iv) A description of the manner in which the PHI could be identified or, if known, how and whether the PHI could be re-identified; (v) To the extent possible, the name of each Individual whose PHI has been, or is reasonably believed to have been accessed, used, disclosed, modified or destroyed; (vi) To the extent possible, the name of the unauthorized person and entity who used the PHI or to whom the disclosure was made; (vii) To the extent possible, whether the unauthorized person or entity is another covered entity, business associate, employee of Business Associate, Subcontractor or entity affiliated with Business Associate; (viii) Whether any opportunity existed for an unauthorized person to acquire, view, transfer or otherwise compromise the PHI; (ix) Whether the PHI was actually acquired, viewed, transferred or otherwise compromised by an unauthorized person; (x) Any steps Individuals should take to protect themselves from potential harm resulting from the unauthorized access, use, disclosure, modification or destruction of PHI; and (xi) A description of what the Business Associate is doing to investigate, mitigate harm to Individuals, and protect against any further unauthorized access, use, disclosure, modification or destruction of PHI. 1.7 Business Associate agrees that any Subcontractors Subcontractor that createcreates, receivereceives, maintainmaintains, or transmit Protected Health Information transmits PHI on behalf of the Business Associate agree or Covered Entity will enter into in an enforceable written HIPAA-compliant business associate agreement requiring that the Subcontractor: (a) agrees to comply with the HIPAA Privacy Regulations, HIPAA Security Regulations, HITECH law, and other applicable laws and regulations related to privacy and security of PHI, including ePHI; (b) agrees to the same restrictions, conditionsreporting and contracting obligations, and requirements conditions that apply in this Agreement to Business Associate with respect to PHI including, by way of example and without limitation, that the Subcontractor develop, implement, maintain and use appropriate and reasonable Security Measures and Administrative, Physical, and Technical Safeguards for the privacy and security of PHI to insure the Integrity, Confidentiality and Availability of, and prevent non-permitted access, use, disclosure, modification or destruction of PHI, including ePHI; that the Subcontractor enter into business associate agreements with its subcontractors that create, receive, maintain or transmit PHI on behalf of Subcontractor, Business Associate or Covered Entity; and that the Subcontractor adopt a HIPAA compliance program and policies and procedures. If Business Associate becomes aware of a pattern of activity or practice of a Subcontractor that constitutes a material breach of their written business associate agreement, Business Associate shall take reasonable steps to cure the breach or end the violation, as applicable, and if such information;steps are unsuccessful, terminate the contract. e. Make available Protected Health Information 1.8 Business Associate agrees to provide access to and copies of PHI maintained in a Designated Record Set to Covered Entity or or, when requested in writing by Covered Entity, to an individual whose Protected Health Information is maintained Individual in order for Covered entity to meet the requirements of 45 C.F.R. §164.524. Business Associate shall provide access to and copies of PHI in a reasonable time, not to exceed fifteen (15) days (unless the parties reasonably agree otherwise in writing) and in a reasonable manner. If requested by Covered Entity or an Individual, Business AssociateAssociate shall provide access to ePHI to Covered Entity or, when requested in writing by Covered Entity, to an Individual in the electronic form and format requested by Covered Entity or by the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j)Individual, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information applicable, if it is readily producible and, if not, in a Designated Record Set readable electronic form and format as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526or Individual, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;applicable. g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the 1.9 Business Associate is agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate, on behalf of Covered Entity available to the Secretary Secretary, in the time and manner designated by the Secretary, for purposes of the Secretary determining compliance with the HIPAA Regulations. Upon receipt of a request from the Secretary, Business Associate’s or Associate shall notify Covered Entity in writing unless such notification would be contrary to law. 1.10 Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity determines is required to enable Covered Entity to comply with 45 C.F.R. §164.526. Except for good cause shown in writing to Covered Entity, Business Associate shall act upon Covered Entity’s compliance request for an amendment within thirty (30) days of receipt Covered Entity’s request. 1.11 Business Associate agrees to identify, track and document disclosures of PHI and other information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA 45 C.F.R. §164.528. Business Associate agrees to provide the information collected to Covered Entity or to an Individual when requested by Covered Entity, in writing and HIPAA Regulationsnot later than thirty (30) days after receiving a request under this subsection, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528. Upon written request, Business Associate shall furnish to Covered Entity a copy of its policies or procedures that it has, and will maintain, that describe how it carries out its obligations under this subsection. 1.12 Business Associate agrees that if it has a legal obligation to disclose any PHI, it will notify Covered Entity as soon as reasonably practicable after it learns of such obligation, sufficiently in advance of the proposed release date such that the rights of Covered Entity and the Individual to whom the PHI relates would not be prejudiced. If Covered Entity or the Individual objects to the release of such PHI, Business Associate will allow Covered Entity and/or the Individual to exercise any legal rights or remedies Covered Entity and/or the Individual might have to object to the release of the PHI, and Business Associate agrees to provide such assistance as Covered Entity or the Individual may reasonably request in connection therewith.

Obligations and Activities of Business Associate. The Business Associate agrees towill: a. Not (a) use or disclose Protected Health the Information other than only as permitted or required by this BAA, the Agreement, Agreement or as required Required by lawLaw; b. Use (b) use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use any other use or Disclosure of Protected Health Information other than as provided for by this BAAdisclosure; c. Report (c) report to Covered Entity the Provider any Use use or Disclosure disclosure of Protected Health the Information not provided for by this BAA Agreement of which it becomes aware, including breaches aware and minimize the harmful effect of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident such use or disclosure in violation of which it becomes awarethis Agreement; d. In accordance with 45 CFR 164.502(e)(1)(ii(d) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, agent or transmit Protected Health subcontractor who may receive such Information on behalf of the Business Associate agree agrees to the same restrictions, conditions, restrictions and requirements that apply to Business Associate with respect to such informationconditions on use and disclosure of information imposed by this Agreement as set forth in attached Vendor agreement; e. Make available Protected Health (e) provide access to Information in a Designated Record Set to Covered Entity Provider or as directed to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation Individual as required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s(f) to Protected Health amend Information in a Designated Record Set as directed or agreed to designated by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s Provider so that Provider may meet its amendment obligations under 45 CFR CRF 164.526; g. Maintain (g) develop, implement, maintain and make available the information required use appropriate administrative, technical and physical safeguards to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with XXXXX, 00 XXX 164.530(c) to preserve the requirements integrity and confidentiality of Subpart E that apply and to the Covered Entity in the performance prevent non-permitted or violating use or disclosure of such obligation(s); andInformation transmitted electronically and will document and keep safeguards current. i. Make its (h) make internal practices, books, books and records relating to use and disclosure of Information available to Provider or the Secretary of DHHS for purposes compliance purposes; (i) document disclosures of determining Information in accordance with Provider’s accounting requirements in 45 CFR 164.528 and provide such information as directed by Provider. (j) at termination, or upon receipt of written demand, Business Associate will immediately return or destroy all information received from Provider or creditor or received by Business Associate on behalf of Provider and all copies and magnetic or electronic backups of information, or if it is infeasible to return or destroy Information, protections are extended to such information for so long as Business Associate maintains such Information. This provision applies to Information in the possession of agents or subcontractors of Business Associate’s or Covered Entity’s compliance with HIPAA and HIPAA Regulations.

Obligations and Activities of Business Associate. (a) Business Associate agrees to: a. Not to not use or further disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. Use appropriate safeguards, and Required By Law. Business Associate shall also comply with Subpart C any further limitations on uses and disclosures agreed by Covered Entity in accordance with 45 C.F.R. 164.522 provided that such agreed upon limitations have been communicated to Business Associate in accordance with Section 4.1(c) of 45 CFR Part 164 with respect this Agreement. Covered Entity shall not request Business Associate to electronic use or disclose Protected Health Information, Information in any manner which would not be permissible under the Privacy Rules. (b) Business Associate agrees to use appropriate safeguards to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Agreement. c. Report (c) Business Associate agrees to report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Agreement of which it becomes aware. (d) Business Associate agrees to ensure that any agent, including breaches of Unsecured a subcontractor, to whom it provides Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintainreceived from, or transmit Protected Health Information created or received by Business Associate on behalf of the Business Associate agree Covered Entity agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information;. e. Make available (e) Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner reasonably designated by Covered Entity, to Protected Health Information in a Designated Record Set Set, to Covered Entity or or, as directed by Covered Entity, to an individual whose Individual in order to meet the requirements under 45 C.F.R. 164.524. If Business Associate provides copies or summaries of Protected Health Information is maintained by to an Individual it may impose a reasonable, cost-based fee in accordance with 45 C.F.R. 164.524 (c)(4). (f) Business Associate, or the individual’s designee, Associate agrees to make available Protected Health Information for amendment and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make incorporate any amendment(s) amendments to Protected Health Information in a Designated Record Set as directed or agreed to by that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526C.F.R. 164.526 at the request of Covered Entity or an Individual, or take other measures as necessary to satisfy and in the time and manner designated by Covered Entity’s obligations under 45 CFR 164.526;. g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the (g) Business Associate is agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its make internal practices, books, and records records, including policies and procedures and Protected Health Information relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity’s compliance with HIPAA the Privacy Rule. (h) Business Associate agrees to document such disclosures of Protected Health Information and HIPAA Regulationsinformation related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. (i) Business Associate agrees to provide to Covered Entity, in the time and manner reasonably designated by Covered Entity, the information collected in accordance with Section 2(h) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. (j) Business Associate acknowledges that it shall request from the Covered Entity and so disclose to its affiliates, subsidiaries, agents and subcontractors or other third parties, only the minimum Protected Health Information necessary to perform or fulfill a specific function required or permitted hereunder. (k) If Business Associate conducts any Standard Transactions (as defined in 45 C.F.R. Part 162) on behalf of Covered Entity, Business Associate shall comply with the applicable requirements of 45 C.F.R. Part 162.

Obligations and Activities of Business Associate. Business Associate agrees to: a. Not use or disclose Protected Health Information PHI other than as permitted or required by this BAA, the Agreement, Agreement or as required by lawRequired By Law; b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health InformationPHI, to prevent Use use or Disclosure of Protected Health Information PHI other than as provided for by this BAAthe Agreement; c. Report to Covered Entity any Use use or Disclosure of Protected Health Information PHI not provided for by this BAA the Agreement of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information PHI as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. Make available Protected Health Information PHI in a Designated Record Set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524. If an Individual requests access to his or her PHI, the Business Associate will forward the Individual’s request to the Covered Entity to fulfill; f. Make any amendment(s) to Protected Health Information PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. If an Individual requests an amendment, the Business Associate will forward the Individual’s request to the Covered Entity to fulfill; g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528. If an Individual requests an accounting of Disclosures, the Business Associate will forward Individual’s request to the Covered Entity to fulfill; h. To the extent the Business Associate is to carry out one or more of Covered Entity's ’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. 2.1. Business Associate agrees to: a. Not not to use or further disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. Use 2.2. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAA;the Agreement. c. Report 2.3. Business Associate agrees to Covered Entity report to Regis University any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at in 45 CFR 164.410, and any Security Incident security incident of which it becomes aware;. d. In 2.3.1. Such disclosures must be made to Regis University within 5 days of discovery by the Business Associate to: Xxxxxx Xxxxxx, HSA Division Director Regis University 0000 Xxxxx Xxxx. Xxxxxx, XX 00000 000 000 0000 With a copy to: Xxxxx Xxxxxx, Associate Vice President Regis University 0000 Xxxxx Xxxx. Xxxxxx, XX 00000 xxxxxxx@xxxxx.xxx 2.4. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Regis University agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the . 2.5. Business Associate agree agrees to provide access, at the same restrictions, conditionsrequest of Regis University, and requirements that apply to Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained the time and manner designated by Business AssociateRegis University, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set Set, to Regis University or, as directed by Regis University, to an Individual in order to meet the requirements under 45 CFR 164.524. 2.6. Business Associate agrees to make any amendment(s) to protected health information in a designated record set as directed or agreed to by the Covered Entity Regis University pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s Regis University obligations under 45 CFR 164.526; g. Maintain 2.7. Business Associate agrees to document such disclosures of Protected Health Information and make available the information related to such disclosures as would be required for Regis University to provide respond to a request by an Individual for an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under disclosures of Protected Health Information in accordance with 45 CFR 164.528;. h. To the extent the 2.8. Business Associate is agrees to carry out one or more make its internal practices, books, and records available to Regis University for purposes of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply determining compliance with the requirements of Subpart E that apply HIPAA Rules. 2.9. Business Associate agrees to the Covered Entity in the performance of such obligation(s); and i. Make make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services or the Secretary’s duly authorized representative for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. 1.1 Business Associate agrees to: a. Not not to use or disclose Protected Health Information other than PHI (“PHI”) except as permitted or required by this BAA, the Agreement, Agreement or as required Required by law; b. Use Law. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use use or Disclosure disclosure of Protected Health Information the PHI other than as provided for by this BAA;Agreement. c. Report 1.2 Business Associate and its agents or Subcontractors, if any, shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure in accordance with HIPAA, the HIPAA Regulations and HITECH. 1.3 Business Associate agrees to use appropriate safeguards and comply with the applicable requirements of the HIPAA Regulations, including 45 CFR Subpart C with respect to ePHI and Subpart E of 45 CFR with respect to PHI. This shall include, without limitation, using appropriate Security Measures and developing, implementing, maintaining and using appropriate and reasonable Administrative, Physical, and Technical Safeguards for the privacy and security of PHI to ensure the Integrity, Confidentiality and Availability of, and to prevent non-permitted uses and disclosures of PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate further acknowledges and agrees that pursuant to HITECH it will implement and document its Security Measures and will comply with 45 C.F.R. sections 164.306 (Security Standards), 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), 164.314 (Organizational Safeguards), and 164.316 (Policy and Procedures and documentation requirements), and all other applicable requirements of HIPAA, the HIPAA Regulations, HITECH and other applicable privacy and security laws. Business Associate agrees to adopt the technology and methodology standards provided in guidance issued by the HHS Secretary pursuant to HITECH. 1.4 Business Associate agrees to take prompt action to correct any deficiencies and to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of an access, use, disclosure, modification or destruction of PHI by Business Associate, its agents or Subcontractors, if any, in violation of the requirements of this Agreement. 1.5 Business Associate agrees to promptly notify Covered Entity within forty-eight (48) hours of any Use access, use, disclosure, modification or Disclosure destruction of Protected Health Information PHI not provided for by this BAA Agreement or that is in violation of which it becomes aware, including breaches the requirements of Unsecured Protected Health Information as required at 45 CFR 164.410this Agreement, and to provide Covered Entity or its designee such information as may be reasonably requested by Covered Entity to investigate the violation. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. If Business Associate has been requested orally or in writing by law enforcement officials that notification of affected Individuals of a Breach may impede a criminal investigation, Business Associate shall so inform Covered Entity. In the event of a Breach of PHI caused by Business Associate or anyone acting on its behalf, Business Associate shall be responsible for all costs and expenses of responding to the Breach, including without limitation, the costs of notifying Individuals of the Breach. Nothing in this section shall limit any other rights or remedies of Covered Entity. 1.6 Business Associate further agrees to provide a report in writing to Covered Entity within ten (10) days of, and to cooperate with Covered Entity in investigating and resolving, any of the following as they relate to PHI under this Agreement: (i) Any unauthorized access, use, disclosure, modification or destruction of PHI of which Business Associate becomes aware; d. (ii) Any Security Incident of which Business Associate becomes aware; or (iii) Any Breach or potential Breach of Unsecured PHI of which Business Associate becomes aware. In accordance with 45 CFR 164.502(e)(1)(iisuch event, Business Associate will document its investigation and provide such additional information as may reasonably be requested to enable Covered Entity to determine the extent to which the PHI has been compromised. Notice to affected Individuals will be made by or at the direction of Covered Entity at Business Associate’s expense. The written report from Business Associate required by this Section shall set forth the following: (i) and 164.308(b)(2)A brief description of what happened, including the date of any unauthorized access, use, disclosure, modification or destruction, and, if applicableknown, ensure the date of Discovery, the number of individuals affected, the time period involved, and the nature and extent of any harm resulting from the violation; (ii) A description of the type(s) of PHI and Identifiers involved (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, and other types of information were involved); (iii) Information regarding whether and to what extent the PHI was Unsecured PHI, Encrypted, or was rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued under section 13402(h)(2) of HITECH on the HHS Web site; (iv) A description of the manner in which the PHI could be identified or, if known, how and whether the PHI could be re-identified; (v) To the extent possible, the name of each Individual whose PHI has been, or is reasonably believed to have been accessed, used, disclosed, modified or destroyed; (vi) To the extent possible, the name of the unauthorized person and entity who used the PHI or to whom the disclosure was made; (vii) To the extent possible, whether the unauthorized person or entity is another covered entity, business associate, employee of Business Associate, Subcontractor or entity affiliated with Business Associate; (viii) Whether any opportunity existed for an unauthorized person to acquire, view, transfer or otherwise compromise the PHI; (ix) Whether the PHI was actually acquired, viewed, transferred or otherwise compromised by an unauthorized person; (x) Any steps Individuals should take to protect themselves from potential harm resulting from the unauthorized access, use, disclosure, modification or destruction of PHI; and (xi) A description of what the Business Associate is doing to investigate, mitigate harm to Individuals, and protect against any further unauthorized access, use, disclosure, modification or destruction of PHI. 1.7 Business Associate agrees that any Subcontractors Subcontractor that createcreates, receivereceives, maintainmaintains, or transmit Protected Health Information transmits PHI on behalf of the Business Associate agree or Covered Entity will enter into in an enforceable written HIPAA-compliant business associate agreement requiring that the Subcontractor: (a) agrees to comply with the HIPAA Privacy Regulations, HIPAA Security Regulations, HITECH law, and other applicable state, Federal and local laws and regulations related to privacy and security of PHI, including ePHI; (b) agrees to the same restrictions, conditionsreporting and contracting obligations, and requirements conditions that apply in this Agreement to Business Associate with respect to PHI including, by way of example and without limitation, that the Subcontractor develop, implement, maintain and use appropriate and reasonable Security Measures and Administrative, Physical, and Technical Safeguards for the privacy and security of PHI to ensure the Integrity, Confidentiality and Availability of, and prevent non-permitted access, use, disclosure, modification or destruction of PHI, including ePHI; that the Subcontractor enter into business associate agreements with its subcontractors that create, receive, maintain or transmit PHI on behalf of Subcontractor, Business Associate or Covered Entity; and that the Subcontractor adopt a HIPAA compliance program and policies and procedures. If Business Associate becomes aware of a pattern of activity or practice of a Subcontractor that constitutes a material breach of their written business associate agreement, Business Associate shall take reasonable steps to cure the breach or end the violation, as applicable, and if such information;steps are unsuccessful, terminate the contract. e. Make available Protected Health Information 1.8 Business Associate shall provide notice within ten (10) days of the receipt of a request from an Individual (or their authorized personal representative) for access to, amendment to, an accounting of disclosures of, a copy or electronic copy of, or a restriction on the use or disclosure of PHI. 1.9 Business Associate agrees to provide access to and copies of PHI maintained in a Designated Record Set to Covered Entity or or, when requested in writing by Covered Entity, to an individual whose Protected Health Information is maintained Individual in order for Covered entity to meet the requirements of 45 C.F.R. §164.524. Business Associate shall provide access to and copies of PHI in a reasonable time, not to exceed fifteen (15) days (unless the parties reasonably agree otherwise in writing) and in a reasonable manner. If requested by Covered Entity or an Individual, Business AssociateAssociate shall provide access to ePHI to Covered Entity or, when requested in writing by Covered Entity, to an Individual in the electronic form and format requested by Covered Entity or by the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j)Individual, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information applicable, if it is readily producible and, if not, in a Designated Record Set readable electronic form and format as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526or Individual, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;applicable. g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the 1.10 Business Associate is agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate, on behalf of Covered Entity available to the Secretary Secretary, in the time and manner designated by the Secretary, for purposes of the Secretary determining compliance with the HIPAA Regulations. Upon receipt of a request from the Secretary, Business Associate’s or Associate shall notify Covered Entity in writing unless such notification would be contrary to law. 1.11 Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity determines is required to enable Covered Entity to comply with 45 C.F.R. §164.526. Except for good cause shown in writing to Covered Entity, Business Associate shall act upon Covered Entity’s compliance request for an amendment within thirty (30) days of receipt Covered Entity’s request. 1.12 Business Associate agrees to identify, track and document disclosures of PHI and other information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA 45 C.F.R. §164.528. Business Associate agrees to provide the information collected to Covered Entity or to an Individual when requested by Covered Entity, in writing and HIPAA Regulationsnot later than thirty (30) days after receiving a request under this subsection, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528. Upon written request, Business Associate shall furnish to Covered Entity a copy of its policies or procedures that it has, and will maintain, that describe how it carries out its obligations under this subsection. 1.13 Business Associate agrees that if it has a legal obligation to disclose any PHI, it will notify Covered Entity as soon as reasonably practicable after it learns of such obligation, sufficiently in advance of the proposed release date such that the rights of Covered Entity and the Individual to whom the PHI relates would not be prejudiced. If Covered Entity or the Individual objects to the release of such PHI, Business Associate will allow Covered Entity and/or the Individual to exercise any legal rights or remedies Covered Entity and/or the Individual might have to object to the release of the PHI, and Business Associate agrees to provide such assistance as Covered Entity or the Individual may reasonably request in connection therewith.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information PHI other than as necessary or advisable to perform its service obligations specified in the Services Agreement or as otherwise permitted or required by this BAA, the Agreement, BAA or as required Required by lawLaw; b. (b) Use appropriate safeguardssafeguards and comply, and comply where applicable, with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health InformationEPHI, to prevent Use use or Disclosure disclosure of Protected Health Information the PHI other than as provided for by this BAA. Without limiting the foregoing, Business Associate agrees to implement and maintain appropriate administrative, physical, and technical safeguards designed to prevent the unauthorized use and disclosure of PHI, and to protect the confidentiality, integrity, and availability of EPHI as and to the extent required by 45 CFR §§164.306, 164.308, 164.310, 164.312, and 164.316, as may be amended from time to time; c. Report (c) Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or by a Subcontractor of Business Associate in violation of the requirements of this BAA; (d) Promptly report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information PHI not provided for permitted by this BAA of which it Business Associate becomes aware, including breaches any Breach of Unsecured Protected Health Information PHI as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j§164.410. Business Associate will treat any Breach as being “discovered” in accordance with the HIPAA Rules. Business Associate will make an initial report in writing to the Covered Entity without unreasonable delay, but no later than twenty (20) business days after Business Associate discovers such non-permitted use or disclosure. Business Associate’s report shall include at least the following information: (1) the identity of each Individual whose information was accessed, acquired or disclosed during the Breach; (2) a brief description of what happened; (3) the date of discovery of the Breach; (4) the nature of the PHI that was involved (e.g., health information, social security numbers, date of birth, etc.), and whether it was Unsecured PHI; (5) any steps affected Individuals should take to protect themselves from potential harm resulting from the Breach; (6) a brief description of what the Business Associate is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breaches; and (7) such other information as necessary the Covered Entity may reasonably request and/or is required for Covered Entity to satisfy meet its notice obligations under 45 CFR §164.404 with respect to a Breach. The parties recognize that some of the above information that must be reported may not be immediately available to Business Associate. Business Associate should collect and provide such information to Covered Entity as it becomes available, without unreasonable delay, but in each case a detailed report of the above categories of information shall be provided to Covered Entity no later than thirty (30) calendar days after Business Associate’s initial report to Covered Entity pursuant to the first paragraph of this Subsection 2(d). Business Associate shall continue to supplement any such report(s) with additional relevant information as and when such information subsequently becomes available to Business Associate. Business Associate shall reasonably cooperate with and assist Covered Entity in investigating the Breach and in meeting Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) the HIPAA Rules, the HITECH Act and other applicable Breach notification laws. In addition to Protected Health Information in a Designated Record Set as directed or agreed providing notice to by the Covered Entity pursuant to 45 CFR 164.526of a Breach, or take other measures as necessary to satisfy upon Covered Entity’s obligations under 45 CFR 164.526; g. Maintain request and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the permitted by law, Business Associate is will provide any required notice to carry out one or more Individuals and applicable regulators on behalf of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the . Unless Covered Entity in the performance makes such a request of such obligation(s); and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s , Covered Entity shall be responsible for providing any required notices to affected Individuals and applicable regulators. The parties agree that Business Associate shall only be responsible for its obligations under this subsection (d), including providing said required notices to Individuals and applicable regulators, if the Breach or Covered Entity’s compliance with HIPAA and HIPAA Regulationsother unauthorized use or disclosure results from the material acts or omissions of Business Associate or its Subcontractors.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Submit system and program information to the Privacy Official, upon request, to document and verify compliance with federal and state privacy rules and regulations; (d) Report to the Privacy Official of the Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes awareaware within 72 hours of discovery; d. (e) Notwithstanding the requirements of 45 CFR 164.410, Business Associate shall notify the Privacy Official of the Covered Entity of potential breaches within 72 hours of discovery and keep the Privacy Official of the Covered Entity informed in their breach determination process; (f) Unless otherwise directed by Covered Entity, Business Associate shall be responsible for breach notifications to individuals, the US DHHS Office of Civil Rights (OCR), the media, and Consumer Affairs, if applicable, on behalf of CoveredEntity and shall include Covered Entity’s designee as part of the breach response team; (g) For breaches resulting from the action or inaction of Business Associate, or its subcontractors, surrounding the use, receipt, storage, and/or transmission of PHI and PII under this Agreement, be responsible for any and all costs, damages, liabilities, expenses, fines, and/or penalties; (h) In accordance with 45 CFR 164.502(e)(1)(ii164.502(e)(1) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements requirements, to include reporting and notification requirements, that apply to the Business Associate with respect to such information; e. (i) All reporting or notifications requirements pursuant to letters (d), (e), (f), (g) and (h) above, should be submitted using the “Incident Reporting for Business Associates” form, addressed to the Privacy Official of the Covered Entity, by email to xxxxxxxxxxxxx@xxxxxx.xxx. Additional contact information for the Privacy Official is: South Carolina Department of Health and Human Services Privacy Xxxxxx Xxxx Xxxxxx Xxx 0000 Xxxxxxxx, XX 00000-0000 Phone: (000) 000-0000 Fax: (000) 000-0000 (j) Make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. (k) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. (l) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity Entity, or an individual if directed by Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. (m) Notify Covered Entity within five (5) business days of receipt of any request covered under paragraphs (j), (k) or (l) above; (n) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (o) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. a. Business Associate acknowledges that in providing services to Covered Entity, it will create, receive, use or disclose PHI. b. Business Associate agrees to: a. Not that it will not use or disclose Protected Health Information other than PHI except as permitted or required by this BAA, the Agreement, or as required by law;Required By Law. b. Use c. Business Associate agrees that it will use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use use or Disclosure disclosure of Protected Health Information PHI other than as provided for in this Agreement. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effects known to it which are caused by a use or disclosure of PHI by it or by one of its agents or subcontractors in violation of the requirements of this BAA;Agreement. c. Report e. Business Associate agrees that it will report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information PHI not provided for allowed by this BAA of which Agreement if it becomes aware, including breaches aware of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which the use or disclosure. f. Business Associate agrees that it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, will ensure that any Subcontractors that create, receive, maintain, agent or transmit Protected Health Information on behalf of the Business Associate agree subcontractor to whom it provides PHI pertaining to Covered Entity agrees to the same restrictions, conditions, restrictions and requirements conditions that apply to this Agreement imposes on Business Associate. g. Business Associate agrees to provide an appropriate Individual with respect access to such information; e. Make available Protected Health Information PHI in a Designated Record Set to in the manner required of Covered Entity or pursuant to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by requirements of 45 CFR 164.530(j), as necessary §164.524. h. Business Associate agrees to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any allow an appropriate Individual to make amendment(s) to Protected Health Information PHI in a Designated Record Set as directed or agreed to by in the manner required of Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E requirements of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and§164.526. i. Make Business Associate agrees to make its internal practices, books, and records (including PHI pertaining to Covered Entity) available to the Secretary for purposes of determining Covered Entity's compliance with the Privacy Rule. j. Business Associate agrees to document disclosures of PHI and information related to these disclosures so it or Covered Entity may respond to requests by Individuals for an accounting of disclosures of PHI pursuant to the requirements of 45 CFR §164.528. k. Business Associate agrees to provide PHI in the possession or control of Business Associate to appropriate Individuals in order to respond to requests for an accounting of disclosures of PHI pursuant to the requirements of 45 CFR §164.528. l. Business Associate’s or responses to requests for action with respect to PHI described in this Section II shall be completed in a manner which complies with the timeliness requirements contained in the Privacy Rules. m. Business Associate agrees to notify Covered Entity’s compliance with HIPAA and HIPAA RegulationsEntity if there is a breach of unsecure PHI pursuant to the requirements of 45 CFR § § 164.410.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity covered entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware; d. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate business associate agree to the same restrictions, conditions, and requirements that apply to Business Associate the business associate with respect to such information; e. (e) Make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.524; f. (f) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.526; g. (g) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.528; h. (h) To the extent the Business Associate business associate is to carry out one or more of Covered Entitycovered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity covered entity in the performance of such obligation(s); and i. (i) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. 1. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity covered entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware, within five (5) days of becoming aware of such use, disclosure, breach or security incident. If such use, disclosure, breach or security incident was caused by the business associate then the business associate shall, at the request of the covered entity, provide any required notifications to individuals, the HHS Office for Civil Rights, or the media. Business associate shall furnish to covered entity as part of the notice required by law the following information: (i) identification of each individual whose unsecured protected health information has been, or is reasonably believed by business associate to have been, accessed, acquired or disclosed during such breach; (ii) a description of events, including the date of the breach and the date of discovery of the breach; (iii) a description of the type(s) of unsecured protected health information involved in the breach (such as name, Social Security number, date of birth, address, account number); and (iv) such other information as may be required by applicable regulations or reasonably requested by covered entity; d. (d) Mitigate, as much as possible, any harmful effect of which it is aware of any use or disclosure of protected health information in violation of the Underlying Agreement or this Agreement; (e) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate business associate agree to the same restrictions, conditions, and requirements that apply to Business Associate the business associate with respect to such information; e. (f) Make available Protected Health Information protected health information in a Designated Record Set designated record set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), covered entity as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.524; f. (g) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.526; g. (h) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity covered entity as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.528; h. (i) To the extent the Business Associate business associate is to carry out one or more of Covered Entitycovered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity covered entity in the performance of such obligation(s); and; i. (j) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA Rules; (k) If business associate (a) becomes legally compelled by law, process, or order of any court or governmental agency to disclose protected health information, or (b) receives a request from the Secretary to inspect business associate’s books and HIPAA Regulationsrecords relating to the use and disclosure of protected health information, business associate, to the extent it is not legally prohibited from so doing, shall promptly notify covered entity and cooperate with covered entity in connection with any reasonable and appropriate action covered entity deems necessary with respect to such protected health information.

Obligations and Activities of Business Associate. Business Associate agrees toas follows: a. Not (a) not to use or further disclose Protected Health Information PHI other than as permitted or required by this BAA, the Agreement, Agreement or as required by lawRequired By Law; b. Use appropriate safeguards(b) to establish, maintain, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, use appropriate safeguards to prevent Use use or Disclosure disclosure of Protected Health Information the PHI other than as provided for by this BAApermitted herein; c. Report (c) to report to Covered Entity any Use use, access or Disclosure disclosure of Protected Health Information the PHI not provided for by this BAA Agreement, or any misuse of the PHI, including but not limited to systems compromises of which it becomes aware, including breaches of Unsecured Protected Health Information and to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as required at 45 CFR 164.410a result thereof; (d) to enforce and maintain appropriate policies, procedures, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, access control mechanisms to ensure that any Subcontractors that createagent, receiveincluding a subcontractor, maintainto whom it provides PHI received from, or transmit Protected Health Information created or received by Business Associate on behalf of the Business Associate agree Covered Entity agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. The access and privileges granted to any such agent shall be the minimum necessary to perform the assigned functions; e. Make available Protected Health Information (e) to provide access, at the request of Covered Entity, and in the time and manner reasonable designated by Covered Entity, to PHI in a Designated Record Set (as defined in the Privacy Rule), to Covered Entity or or, as directed by Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR §164.524; f. Make (f) to make any amendment(s) to Protected Health Information PHI in a Designated Record Set as directed or agreed to by that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526§164.526 at the request of Covered Entity or an Individual, or take other measures as necessary to satisfy and in the time and manner reasonably requested by Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and (g) to make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner reasonably requested by Covered Entity or designated by the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity’s compliance with HIPAA the Privacy Rule; (h) to document such disclosures of PHI, and HIPAA Regulationsinformation related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528; (i) to provide to Covered Entity or an Individual, in a time and manner reasonably requested by Covered Entity, information collected in accordance with Section 2.1(i) above to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528; (j) to promptly notify Covered Entity of all actual or suspected instances of deliberate unauthorized attempts (both successful and unsuccessful) to access PHI; (k) to maintain and enforce policies, procedures and processes to protect physical access to hardware, software and/or media containing PHI (e.g., hardcopy, tapes, removable media, etc. ) against unauthorized physical access during use, storage, transportation, disposition and /or destruction; (l) to ensure that access controls in place to protect PHI and processing resources from unauthorized access are controlled by two-factor identification and authentication: a user ID and a Token, Password or Biometrics.

Obligations and Activities of Business Associate. (a) Business Associate agrees to: a. Not to not use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;Required By Law. b. Use (b) Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Agreement. c. Report (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. (d) Business Associate agrees to report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Agreement of which it becomes aware. (e) Business Associate agrees to ensure that any agent, including breaches of Unsecured a [[Page 53265]] subcontractor, to whom it provides Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintainreceived from, or transmit Protected Health Information created or received by Business Associate on behalf of the Business Associate agree Covered Entity agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information;. e. Make available (f) Business Associate agrees to provide access, at the request of Covered Entity, to Protected Health Information in a Designated Record Set Set, to Covered Entity or or, as directed by Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR 164.524;. Business Associate agrees to provide requested information within 7 days of receipt of the request, unless an alternative time is agreed upon by both parties. f. Make (g) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and make available 164.526 at the information required to provide an accounting request of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the or an Individual. Business Associate will make such amendments(s) within 7 days of receipt of the amendment, unless an alternative time is agreed upon by both parties. (h) Business Associate agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its make internal practices, books, and records records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary Covered Entity, or to the Secretary, or individual designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. Business Associate will provide information to the Covered Entity within 7 days of the receipt of the request for information, unless an alternative time is agreed upon by the Covered Entity and the Business Associate’s . (i) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) Business Associate agrees to provide to Covered Entity or an Individual, information collected in accordance with Section 2(i) of this Agreement, to permit Covered Entity’s compliance Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with HIPAA and HIPAA Regulations45 CFR 164.528. Covered Entity will direct whether the information is to be provided to the Covered Entity or an Individual. Business Associate will provide information to the Covered Entity 7 days of the receipt of the request for information, unless an alternative time is agreed upon by both parties.

Obligations and Activities of Business Associate. Business Associate agrees to: a. : Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Consulting Services Agreement that has been entered into by and between the parties or as required by law; b. ; Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAA; c. the Agreement; Report to Covered Entity Client any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware; d. ; In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; e. ; Make available Protected Health Information protected health information in a Designated Record Set designated record set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), Client as necessary to satisfy Covered Entity’s obligations Client's obligations, if any, under 45 CFR 164.524; f. ; Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity Client pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations Client's obligations, if any, under 45 CFR 164.526; g. ; Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity Client as necessary to satisfy Covered Entity’s obligations Client's obligations, if any, under 45 CFR 164.528; h. ; To the extent the Business Associate is to carry out one or more of Covered EntityClient's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity Client in the performance of such obligation(s); and i. and Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA Regulations.Rules

Obligations and Activities of Business Associate. Business Associate agrees Agrees to: a. (a) Not use or further disclose Protected Health Information other than as permitted or required by sections 3.0, 5.0 and 6.0 of this BAA, the Agreement, or as required by law;applicable federal laws or laws of the State. b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, Information to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Agreement. c. (c) Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. (d) Report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Agreement of which it becomes aware, including breaches Breaches of Unsecured unsecured Protected Health Information as required at by 45 CFR 164.410, 164.410 and any Security security Incident of which it becomes aware;. d. In accordance with 45 CFR 164.502(e)(1)(ii(e) and 164.308(b)(2), if applicable, ensure Ensure that any Subcontractors that createagent, receiveincluding a subcontractor, maintain, or transmit to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of the Business Associate agree Covered Entity, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information;. e. Make available (f) Provide access, at the request of Covered Entity or an Individual, and in a prompt and reasonable manner consistent with the HIPAA regulations, to Protected Health Information in a Designated Record Set designated record set, to the Covered Entity or directly to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR 164.524;. f. (g) Make any amendment(sAmendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by designated record set that the Covered Entity or an Individual directs or agrees to pursuant to 45 CFR 164.526, in a prompt and reasonable manner consistent with the HIPAA regulations, or take other measures as necessary to satisfy Covered Entity’s obligations Entity obligation(s) under 45 CFR 164.526;. g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s(h) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity's compliance with the Privacy Rule. (i) Document disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) At Covered Entity’s or Individual’s request, Business Associate agrees to provide to Individual or Covered Entity an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528, in a prompt and reasonable manner consistent with the HIPAA regulations. The Business Associate shall assist the Covered Entity in complying with the HIPAA regulations relating to the required Disclosure, Amendment or Accounting. (k) Business Associate certifies that it is in compliance with all applicable provisions of HIPAA standards for electronic transactions and HIPAA Regulationscode sets, also known as the Electronic Data Interchange (EDI) Standards, at 45 CFR Part 162; and the Annual Guidance as issued by the Secretary pursuant to the HITECH Act, sec. 13401. Business Associate further agrees to ensure that any agent, including a subcontractor, that conducts standard transactions on its behalf, agrees to comply with the EDI Standards and the Annual Guidance. (l) Business Associate agrees to determine the Minimum Necessary type and amount of Protected Health Information required to perform services and will comply with 45 CFR 164.502(b) and 164.514(d).

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware; d. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. Make available (e) To the extent that Business Associate possesses or maintains Protected Health Information in a Designated Record Set Set, Business Associate agrees to make available protected health information in a designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s(f) to To the extent that Business Associate possesses or maintains Protected Health Information in a Designated Record Set Set, Business Associate agrees to make any amendment(s) to protected health information in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. (g) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. (h) To the extent extent, if any, the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (i) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. a. Business Associate agrees to: a. Not to not use or disclose Protected Health Information PHI other than as permitted or required by this BAA, the Agreement, ENI Service Agreement or as required by law;. b. Use Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health InformationEPHI, to prevent Use use or Disclosure disclosure of Protected Health Information PHI other than as provided for by this BAA;the ENI Service Agreement. c. Report Business Associate agrees to report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information PHI not provided for by this BAA the ENI Service Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured PHI as required at 45 CFR § 164.410, and any Security Incident security incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2)Business Associate agrees to mitigate, if applicableto the extent practicable, any harmful effect that is known to Business Associate resulting from a use or disclosure of PHI or EPHI by Business Associate in violation of the requirements of the ENI Service Agreement, this Agreement or of applicable law. e. Business Associate agrees to ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information PHI or EPHI on behalf of the Business Associate business associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;, in accordance with 45 CFR § 164.502(e)(1)(ii) and 164.308(b)(2), if applicable. e. Make f. Business Associate agrees to make available Protected Health Information PHI in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individualCovered Entity’s designee, and document and retain the documentation required by 45 CFR 164.530(j), designee as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.524; f. Make g. Business Associate agrees to make any amendment(s) to Protected Health Information PHI or EPHI in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526; g. Maintain h. Business Associate agrees to maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity or Covered Entity’s designee as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528; h. To i. Business Associate agrees, to the extent the Business Associate is to carry out one or more of Covered Entity's ’s obligation(s) under Subpart E of 45 CFR Part 164, to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make x. Xxxxxxxx Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or further disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAAAgreement; c. Report (c) Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement; (d) Immediately report (within 5 days) to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR §164.410, and any Security Incident security incident of which it becomes aware. Such report shall include at least the following information: (1) the identity of each individual whose information was accessed, acquired or disclosed during the breach; d. (2) a brief description of what happened; (3) the date of the breach and the date of discovery of the breach; (4) the nature of the Unsecured Protected Health Information that was involved (e.g., social security numbers, date of birth, etc.); (5) any steps individuals should take to protect themselves from potential harm resulting from the breach; and (6) a brief description of what the Business Associate is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; (e) In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), if applicable, ensure that any Subcontractors agent, including a subcontractor, that createcreates, receivereceives, maintainmaintains, or transmit Protected Health Information transmits on behalf of the Business Associate agree agrees to the same restrictions, conditions, conditions and requirements that apply through this Agreement to Business Associate with respect to such information;; Business Associate shall enter into written agreements with any subcontractors, and the terms of such agreements shall incorporate the applicable requirements of, and otherwise comply with, the HIPAA Rules. e. Make available (f) Provide access to Protected Health Information in a Designated Record Set to Covered Entity or or, as directed by Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR C.F.R. §164.524; f. (g) Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526, C.F.R. §164.526 or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain in the time and make available the information required to provide an accounting of Disclosures to the manner designated by Covered Entity as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR §164.526. (h) Make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Regulations; (i) Document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity or Business Associate to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528; h. (j) Provide to Covered Entity information collected in accordance with Section 2(i) of this Agreement, to satisfy the requirements for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528 or Section 13405(c)(3) of the HITECH Act. The Parties agree and acknowledge that it is the Covered Entity’s responsibility to respond to all such requests; (k) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity, and, effective February 17, 2010, to comply with the provisions of the Security Rule identified in Section 3(a)(1)(B) of this Agreement; (l) Ensure that any agent, including a subcontractor, to whom it provides electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect it; (m) Immediately report to Covered Entity any material attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system; (n) To the extent the Business Associate business associate is to carry out one or more of Covered Entity's obligation(scovered entity’s obligations(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity covered entity in the performance of such obligation(sobligation; (o) None of its employees, contractors, Governing Body members or shareholders appear in the list of excluded individuals/entities as published by the Department of Health and Human Services (DHHS) Office of the inspector General (OIG List); and, nor in the list of debarred contractors as published in the System for Award Management by the General Services Administration (GSA) list; i. Make its internal practices, books, (p) Review the OIG List and records available the GSA List prior to the Secretary hiring of any new employees, contractors, or Governing Body Members and shall, on a monthly basis, for purposes all employees, contractors or Governing Body members and shareholders, review the OIG and GSA Lists to ensure that none of determining Business Associate’s these persons or Covered Entity’s compliance with HIPAA and HIPAA Regulations.entities are excluded or become excluded from participation in Federal programs;

Obligations and Activities of Business Associate. 14.3.2.1 Business Associate’s obligations under Section 14.3.2 are conditioned upon Covered Entity’s satisfactory performance of its obligations under Section 14.3.4 and Section 14.3.5. Any failure of Covered Entity to perform its obligations hereunder shall excuse Business Associate from performing its obligations hereunder to the extent such performance is hindered or prevented by such failure to perform by Covered Entity. Business Associate’s obligations under this Section 14.3.2 exist and occur solely to the extent required by HIPAA and the Privacy Rule. 14.3.2.2 Business Associate agrees to: a. Not to not use or further disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Section 14.3 or as required by law;Law. b. Use 14.3.2.3 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Section 14.3. c. Report 14.3.2.4 Business Associate agrees to mitigate, to the extent commercially reasonable and practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Section 14.3. 14.3.2.5 Business Associate agrees to report to Covered Entity any Use known use or Disclosure disclosure of the Protected Health Information not provided for by this BAA of which it becomes awareSection 14.3. 14.3.2.6 Business Associate agrees to ensure that any agent, including breaches of Unsecured a subcontractor, to whom it provides Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintainreceived from, or transmit Protected Health Information created or received by Business Associate on behalf of the Business Associate agree Covered Entity agrees to substantially the same restrictions, conditions, restrictions and requirements conditions that apply through this Section 14.3 to Business Associate with respect to such information;. e. Make available 14.3.2.7 Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner reasonably designated by Covered Entity, to Protected Health Information in a Designated Record Set designated record set, if any, to Covered Entity or or, as directed by Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR 164.524;. f. Make 14.3.2.8 Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by designated record set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526164.526 at the reasonable request of Covered Entity or an Individual, or take other measures as necessary to satisfy and in the time and manner designated by Covered Entity’s obligations . For all requested amendments under 45 CFR 164.526; g. Maintain and make available the information required this Section 14.3.2.8, Business Associate shall be entitled to provide an accounting of Disclosures rely entirely on such requests for all matters relating to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;accuracy and completeness of such Protected Health information. h. To the extent the 14.3.2.9 Business Associate is agrees, subject to carry out one or more Business Associate’s security requirements, confidentiality obligations and Section 17.0 (Audits) of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164this Agreement, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner mutually agreed on by Covered Entity and Business Associate or designated by the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity’s compliance with HIPAA the Privacy Rule. 14.3.2.10 Business Associate agrees to document such disclosures of Protected Health Information, and HIPAA Regulationsinformation related to such disclosures, as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.(i.e. the date of the disclosure, the name of the entity or person who received the Protected Health Information and, if known, the address of such entity or person, a description of the information disclosed and a brief statement of the purpose for the disclosure or a copy of the individual’s authorization or the request for disclosure). 14.3.2.11 Business Associate agrees to provide to Covered Entity or an individual, in time and manner reasonably designated by Covered Entity, information collected in accordance with Section 14.3.2.10, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. 14.3.2.12 The Parties acknowledge and agree that the obligations set forth in Sections 14.3.2.7 (access), 14.3.2.8 (amendment) and 14.3.2.10 (accounting) are needed so that Covered Entity can comply with the Privacy Rule in accordance with Section 8.2 (Changes in Law) and that Business Associate may incur costs and expenses to provide these new services on behalf of Covered Entity so that Covered Entity will be in compliance with the Privacy Rule. Due to the timing of the Privacy Rule compliance date, Business Associate agrees to implement and provide the services set forth in this Section 14.3 for Covered Entity’s benefit prior to the Parties defining the impact on Fees and Service Levels (if any impact). Covered Entity and Business Associate agree to engage in Change Control Management to equitably adjust the Fees to compensate Business Associate, and changes in Service Levels, if any as soon as practicable after implementation of the new services and processes set forth in this Section 14.3 in response to changes in Law that apply to Covered Entity.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware; d. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. (e) Make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. (f) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. (g) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. (h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (i) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. 3.1. Business Associate agrees to: a. Not use to not Use or disclose Disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, BAA or as required Required by law;Law. b. Use 3.2. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAA;Agreement. Business Associate further agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic Protected Health Information, as provided for in the Security Rule and as mandated by Section 13401 of the HITECH Act. c. Report 3.3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. Business Associate further agrees to report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, including breaches and in a manner as prescribed herein. 3.4. Business Associate agrees to report to Covered Entity all data Breaches or compromises, whether internal or external, related to Protected Health Information, whether the Protected Health Information is secured or unsecured, of which Business Associate becomes aware. 3.5. If a Breach pertains to Unsecured Protected Health Information, then Business Associate agrees to report any such data Breach to Covered Entity within ten (10) business days of discovery of said Breach; all other compromises of Protected Health Information as required at 45 CFR 164.410will be reported to Covered Entity within twenty (20) business days of discovery. Business Associate further agrees, consistent with Section 13402 of the HITECH Act, to provide Covered Entity with information necessary for Covered Entity to meet the requirements of said section, and any Security Incident of which it becomes aware;in a manner and format to be specified by Covered Entity. d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, 3.6. Business Associate agrees to ensure that any Subcontractors that createSubcontractor, receive, maintain, or transmit to whom Business Associate provides Protected Health Information on behalf of the Business Associate agree Information, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this BAA to Business Associate with respect to such information;. Business Associate further agrees that restrictions and conditions analogous to those contained herein will be imposed on said Subcontractors via a written agreement that complies with all the requirements specified in §164.504(e)(2), and that Business Associate will only provide said Subcontractors Protected Health Information consistent with Section 13405(b) of the HITECH Act. e. Make available 3.7. Business Associate agrees to provide access, at the request of Covered Entity and during normal business hours, to Protected Health Information in a Designated Record Set to Covered Entity or or, as directed by Covered Entity, to an individual whose Individual, in order to meet Covered Entity’s requirements under 45 CFR §164.524, provided that Covered Entity delivers to Business Associate a written notice at least three (3) business days in advance of requesting such access. Business Associate further agrees, in the case where Business Associate controls access to Protected Health Information is maintained by Business Associatein an Electronic Health Record, or controls access to Protected Health Information stored electronically in any format, to provide similar access in order for Covered Entity to meet its requirements under the individual’s designee, HIPAA Rules and document under Section 13405(c) of the HITECH Act. These provisions do not apply if Business Associate and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy its employees or Subcontractors have no Protected Health Information in a Designated Record Set of Covered Entity’s obligations under 45 CFR 164.524;. f. Make 3.8. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the that Covered Entity directs or agrees to pursuant to 45 CFR §164.526, at the request of Covered Entity or take other measures as necessary to satisfy an Individual. This provision does not apply if Business Associate and its employees or Subcontractors have no Protected Health Information from a Designated Record Set of Covered Entity’s obligations under 45 CFR 164.526;. g. Maintain 3.9. Unless otherwise protected or prohibited from discovery or disclosure by law, Business Associate agrees to make internal practices, books, and make records, including policies and procedures (collectively “Compliance Information”), relating to the Use or Disclosure of Protected Health Information and the protection of same, available the information required to provide an accounting of Disclosures to the Covered Entity as necessary or to satisfy the Secretary for purposes of the Secretary determining Covered Entity's compliance with the HIPAA Rules and the HITECH Act. Business Associate further agrees, at the request of Covered Entity, to provide Covered Entity with evidence that its Compliance Information ensures Business Associate’s obligations under compliance with this BAA over time. Business Associate will have a reasonable time within which to comply with requests for such access and/or evidence, consistent with this Agreement. In no case will access, or evidence, be required in less than ten (10) business days after Business Associate’s receipt of such request, unless otherwise designated by the Secretary. 3.10. Business Associate agrees to maintain necessary and sufficient documentation of Disclosures of Protected Health Information as would be required for Covered Entity to respond to a request by an Individual for an accounting of such Disclosures, in accordance with 45 CFR §164.528;. h. 3.11. On request of Covered Entity, Business Associate agrees to provide to Covered Entity documentation made in accordance with this BAA to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528. Business Associate will provide said documentation in a manner and format to be specified by Covered Entity. Business Associate will have a reasonable time within which to comply with such a request from Covered Entity and in no case will Business Associate be required to provide such documentation in less than three (3) business days after Business Associate's receipt of such request. 3.12. Except as provided for in this Agreement, in the event Business Associate receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, Business Associate will redirect the Individual to the Covered Entity. 3.13. To the extent the that Business Associate is to carry carries out one or more of Covered Entity's obligation(s) ’s obligations under Subpart E of 45 CFR Part 164the HIPAA Rules, the Business Associate must comply with the all requirements of Subpart E the HIPAA Rules that apply would be applicable to the Covered Entity. 3.14. A Business Associate must honor all restrictions consistent with 45 C.F.R. §164.522 that the Covered Entity or the Individual makes the Business Associate aware of, including the Individual’s right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the performance of such obligation(shealthcare item or service, in accordance with HITECH Act Section 13405(a); and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with HIPAA and HIPAA Regulations.

Obligations and Activities of Business Associate. 2.1. Business Associate agrees to: a. Not not to use or further disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. Use 2.2. Business Associate agrees to use appropriate safeguards, safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAA;the Agreement. c. Report 2.3. Business Associate agrees to Covered Entity report to Regis University any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at in 45 CFR 164.410, and any Security Incident security incident of which it becomes aware;. d. In 2.3.1. Such disclosures must be made to Regis University within 5 days of discovery by the Business Associate to: Xxxxxx Xxxxxx, HSA Division Director Regis University 0000 Xxxxx Xxxx. Xxxxxx, XX 00000 000 000 0000 With a copy to: Xxxxx Xxxxxxxxxxx, Information Security Officer Regis University Mail Stop N-4 0000 Xxxxx Xxxx. Xxxxxx, XX 00000 xxxxxxxx@xxxxx.xxx 2.4. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Regis University agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the . 2.5. Business Associate agree agrees to provide access, at the same restrictions, conditionsrequest of Regis University, and requirements that apply to Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained the time and manner designated by Business AssociateRegis University, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set Set, to Regis University or, as directed by Regis University, to an Individual in order to meet the requirements under 45 CFR 164.524. 2.6. Business Associate agrees to make any amendment(s) to protected health information in a designated record set as directed or agreed to by the Covered Entity Regis University pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s Regis University obligations under 45 CFR 164.526; g. Maintain 2.7. Business Associate agrees to document such disclosures of Protected Health Information and make available the information related to such disclosures as would be required for Regis University to provide respond to a request by an Individual for an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under disclosures of Protected Health Information in accordance with 45 CFR 164.528;. h. To the extent the 2.8. Business Associate is agrees to carry out one or more make its internal practices, books, and records available to Regis University for purposes of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply determining compliance with the requirements of Subpart E that apply HIPAA Rules. 2.9. Business Associate agrees to the Covered Entity in the performance of such obligation(s); and i. Make make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services or the Secretary’s duly authorized representative for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees Agrees to: a. (a) Not use or further disclose Protected Health Information other than as permitted or required by Sections 3.0, 5.0 and 6.0 of this BAA, the Agreement, or as required by law;applicable federal or laws of the state b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, Information to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Agreement. c. (c) Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. (d) Report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Agreement of which it becomes aware, including breaches Breaches of Unsecured unsecured Protected Health Information as required at by 45 CFR 164.410, 164.410 and any Security security Incident of which it becomes become aware;. d. In accordance with 45 CFR 164.502(e)(1)(ii(e) and 164.308(b)(2), if applicable, ensure Ensure that any Subcontractors that createagent, receiveincluding a subcontractor, maintain, or transmit to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of the Business Associate agree Covered Entity, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information;. e. Make available (f) Provide access, at the request of Covered Entity or an Individual, and in a prompt and reasonable manner consistent with the HIPAA regulations, to Protected Health Information in a Designated Record Set designated record set, to the Covered Entity or directly to an individual whose Protected Health Information is maintained by Business Associate, or Individual in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR 164.524;. f. (g) Make any amendment(sAmendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by designated record set that the Covered Entity or an Individual directs or agrees to pursuant to 45 CFR 164.526, in a prompt and reasonable manner consistent with the HIPAA regulations, or take other measures as necessary to satisfy Covered Entity’s obligations Entity obligation under 45 CFR 164.526;. g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s(h) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity's compliance with the Privacy Rule. (i) Document disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) At Covered Entity’s or Individual’s request, Business Associate agrees to provide to Individual or Covered Entity an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528, in a prompt and reasonable manner consistent with the HIPAA regulations. The Business Associate shall assist the Covered Entity in complying with the HIPAA regulations relating to the required Disclosure, Amendment or Accounting. (k) Business Associate certifies that it is in compliance with all applicable provisions of HIPAA standards for electronic transactions and HIPAA Regulationscode sets, also known as the Electronic Data Interchange (EDI) Standards, at 45 CFR Part 162; and the Annual Guidance as issued by the Secretary pursuant to the HITECH Act, sec. 00000.Xxxxxxxx Associate further agrees to ensure that any agent, including a subcontractor, that conducts standard transactions on its behalf, agrees to comply with the EDI Standards and the Annual Guidance. (l) Business Associate agrees to determine the Minimum Necessary type and amount of PHI required to perform its services and will comply with 45 CFR 164.502(b) and 164.514(d).

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity covered entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware; d. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate business associate agree to the same restrictions, conditions, and requirements that apply to Business Associate the business associate with respect to such information; e. (e) Make available Protected Health Information protected health information in a Designated Record Set designated record set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), “covered entity” as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.524; f. (f) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.526; g. (g) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity “covered entity” as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.528; h. (h) To the extent the Business Associate business associate is to carry out one or more of Covered Entitycovered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity covered entity in the performance of such obligation(s); and i. (i) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. 2.1. Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. 2.2. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. 2.3. Report to Covered Entity covered entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware; d. 2.4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors Business associate's subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate the business associate with respect to such information; e. 2.5. Make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.524; f. 2.6. Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.526; g. 2.7. Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity but not to the individual, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. 2.8. To the extent the Business Associate business associate is to carry out one or more of Covered Entitycovered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); andrequirements i. 2.9. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA Rules. 2.10. Pursuant to regulations regarding the security of Electronic Protected Health Information, specially 45 CFR §164.314, Business Association agrees to report to Covered Entity and HIPAA RegulationsSecurity Incident involving Electronic Protected Health Information of which it becomes aware and that it will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the regulations. In accordance with HITECH §13401 (a), these safeguards include those specified in 45 CFR §164.308 (Administrative Safeguards), 164.310 (Covered Entity Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements). 2.11. Subject to the law enforcement delay exception contained in 45 CFR

Obligations and Activities of Business Associate. (a) Business Associate agrees to: a. Not use to not Use or disclose Protected Health Information Disclose PHI other than as permitted or required by this BAA, the Agreement, Addendum or as required Required by law;Law. b. Use (b) Business Associate agrees to use appropriate safeguards, safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health InformationPHI, to prevent Use or Disclosure of Protected Health Information the PHI other than as provided for by this BAA;Addendum. c. Report (c) Business Associate agrees to report to Covered Entity Entity's Privacy Official, within ten (10) business days, any Use or Disclosure of the Protected Health Information not provided for by this BAA Addendum, of which it becomes aware, including breaches of Unsecured Protected Health Information PHI as required at by 45 CFR Part 164.410. Such report shall include, and any Security Incident without limitation, the identification of which it becomes aware;each Individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. d. (d) In accordance with 45 CFR Part 164.502(e)(1)(ii) and Part 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors agent or Subcontractor that create, receive, maintain, maintain or transmit Protected Health Information PHI on behalf of the Business Associate agree agrees in writing to the same restrictions, conditions, conditions and requirements that apply to Business Associate with respect to such information;. Upon Covered Entity’s request, Business Associate shall make such written agreements between Business Associate and its agents or Subcontractors available to Covered Entity for its review. e. Make available Protected Health Information (e) To the extent Business Associate has PHI in a Designated Record Set Set, Business Associate agrees to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or provide access within five (5) days of receiving the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) request, to Protected Health Information in a Designated Record Set as directed or agreed Set, to Covered Entity in order to meet the requirements under 45 CFR Part 164.524, including provision of records in electronic form, to the extent required by the HITECH Act. (f) Business Associate agrees to make any amendment(s) to PHI in its possession contained in a Designated Record Set within five (5) days of the Covered Entity’s request, that Covered Entity directs or agrees to pursuant to 45 CFR Part 164.526, at the request of Covered Entity, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR Part 164.526;. g. Maintain (g) Business Associate agrees to document and make available the maintain a record of all Disclosures of PHI in its possession and information related to such Disclosures as would be required for Covered Entity to provide respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR Part 164.528 and HITECH. Business Associate agrees to the provide to Covered Entity as necessary information collected in accordance with this section of this Addendum, to satisfy permit Covered Entity’s obligations under Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528;Part 164.528 and HITECH. h. (h) To the extent the that Business Associate is to carry out one or more of Covered Entity's ’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and. i. Make (i) Business Associate agrees to make its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the HIPAA Rules. (j) Business Associate agrees to mitigate, to the extent practicable, any harmful effect by Business Associate’s , its agents or subcontractors, which is known to either party, of a use or Disclosure of PHI in violation of this Addendum. (k) Business Associate agrees to indemnify and hold harmless Covered Entity’s compliance Entity and its affiliates, directors, officers, employees and agents against any and all losses, liabilities, judgments, penalties, awards and costs, including costs of investigation and legal fees and expenses, arising out of or related to a breach of this Addendum by Business Associate. The provisions of this paragraph shall survive the expiration or termination of this Addendum for any reason. (l) In addition to its overall obligations with HIPAA respect to PHI, to the extent required by the Security Rule, Business Associate will: (1) implement administrative, physical, and HIPAA Regulationstechnical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic Protected Health Information (EPHI) that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by HIPAA; (2) ensure that any agent or Subcontractor to whom it provides such EPHI agrees to implement reasonable and appropriate safeguards to protect the EPHI; and (3) report to Covered Entity any Security Incident of which it becomes aware in accordance with section 2(c) of this Addendum. (4) periodically conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by Business Associate and implement security measures sufficient to reduce risks and vulnerabilities in accordance with 45 CFR § 164.306(a). (m) Business Associate shall not sell Protected Health Information or receive any direct or indirect remuneration in exchange for Protected Health Information except as permitted by the Addendum or federal law. Business Associate shall not make or cause to be made any communication about a product or service that is prohibited by 42 U.S.C. § 17936(a). Business Associate shall not make or cause to be made any written fundraising communication that is prohibited by 42 U.S.C. § 17936(b). (n) Business Associate shall use and disclose only the Minimum Necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure or request. Prior to any Use or Disclosure, Business Associate shall determine whether a Limited Data Set would be sufficient for these purposes.

Obligations and Activities of Business Associate. a) Business Associate agrees to: a. Not not to use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Business Associate Agreement or as required Required by law;Law. b. Use b) Business Associate agrees to use safeguards appropriate safeguards, to its size and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, complexity to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Business Associate Agreement. c. Report c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Business Associate Agreement. d) Business Associate agrees to report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information not provided for by this BAA Business Associate Agreement, without unreasonable delay, after Business Associate becomes aware of which it becomes aware, including breaches of Unsecured Protected Health Information as required at such use or disclosure in accordance with 45 CFR 164.410, and C.F.R. 164.504(e)(2)(ii)(C); and/or (ii) any Security Incident of which it Business Associate becomes awareaware in accordance with 45 C.F.R. 164.314(a)(2)(i)(C). with respect to any use or disclosure of Unsecured PHI not permitted by the Privacy Rule that is caused solely by Business Associate’s failure to comply with one or more of its obligations under this BAA, Covered Entity hereby delegates to Business Associate the responsibility for determining when any such incident is a Breach. In the event of a Breach, Business Associate shall (i) provide Covered Entity with written notification, and (ii) provide all legally required notifications to Individuals, HHS and/or the media, on behalf of Covered Entity, in accordance with 45 C.F.R. 164 (Subpart D) Business Associate shall pay for the reasonable and actual costs associated with those notifications. Breaches shall contain at least the following information: i. Identify nature of Breach; d. In ii. Identify elements of PHI which were breached or part of the Breach; iii. Identify who was responsible for Breach; iv. Identify who received PHI; v. Identify what mitigating actions Business Associate took or will take; vi. Identify Business Associate’s contact information to enable Covered Entity to obtain additional information should it be required; and vii. Provide other information as Covered Entity may reasonable request. e) Business Associate agrees to include in any written agreement with any agent, including a subcontractor, to whom it provides Protected Health Information, a requirement that such agent agrees to restrictions and conditions with respect to such information that are at least as restrictive as those that apply through this Business Associate Agreement to Business Associate, and to enforce those restrictions and conditions against such agent or subcontractor. f) Business Associate agrees to provide access, at the request of an Individual or Covered Entity, and in the time and manner specified by the Individual or Covered Entity, to Protected Health Information to the Individual or Covered Entity, in accordance with 45 CFR 164.502(e)(1)(ii§ 164.524. g) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree agrees to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make make any amendment(s) to Protected Health Information in a Designated Record Set as directed at the request of an Individual or agreed Covered Entity, in accordance with 45 CFR § 164.526. h) Business Associate agrees to by the respond to a request from an Individual or Covered Entity pursuant to for an Accounting of Disclosures of an Individual’s Protected Health Information, in accordance with 45 CFR 164.526§ 164.528. Additionally, or take other measures as necessary notwithstanding any provision in this Business Associate Agreement to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain the contrary, Business Associate agrees to retain all PHI throughout the term of this Business Associate Agreement and make available the shall continue to maintain all information required to provide an accounting Accounting of Disclosures for the legally required period of time after termination of this Business Associate Agreement. i) Upon reasonable notice, Business Associate agrees to make Protected Health Information and books and records relating to the use and disclosure of Protected Health Information available to Covered Entity as necessary or to satisfy the Secretary of the Department of Health and Human Services, or his designee, (the “Secretary”) at Covered Entity’s obligations under 45 CFR 164.528; h. To reasonable expense in the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the time and manner specified by Covered Entity in or the performance of such obligation(s); and i. Make its internal practicesSecretary, books, and records available to the Secretary for purposes of the Secretary determining Business Associate’s or Covered Entity’s compliance with HIPAA the Health Insurance Portability and HIPAA RegulationsAccountability Act and its implementing regulations, as may be modified or amended from time to time (HIPAA). Upon Covered Entity’s request, Business Associate agrees to provide Covered Entity with a copy of all documents furnished to the Secretary. j) In the event that Business Associate carries out any obligation imposed upon the Covered Entity by the Privacy Rules, Business Associate shall abide by the applicable terms of the Privacy Rules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use use or Disclosure disclosure of Protected Health Information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware; d. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. (e) Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), designated record as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. (f) Make any amendment(s) to Protected Health Information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. (g) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. (h) To the extent the Business Associate is to carry out one or more of Covered Entity's ’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (i) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAAAgreement, the Services Agreement, or as required by law;. b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAA;Agreement or the Services Agreement. c. Report to Covered Entity covered entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA Agreement or the Services Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware;. d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate business associate agree to the same restrictions, conditions, and requirements that apply to Business Associate the business associate with respect to such information;. e. Make Given the nature of the services provided, there should be no need for Business Associate to make available Protected Health Information protected health information to either the covered entity or an individual, in a Designated Record Set to order for the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s its obligations under 45 CFR 164.524;. Should the Business Associate receive a direct request to access health information from an individual, the Business Associate will respond to the request by the request to the Covered Entity to fulfill. f. Make Given the nature of the services provided, there should be no need for Business Associate to make any amendment(s) amendment to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity covered entity pursuant to 45 CFR 164.526, 164.526 or to take other measures as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.526;. If an individual patient should contact the Business Associate to request an amendment, the business associate will forward the individual’s request to the covered entity as soon as practicable. g. Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.528;. If the Business Associate receives a request for an accounting of disclosures from an individual patient, Business Associate will forward the request to the Covered Entity to fulfill. h. To the extent the Business Associate business associate is to carry out one or more of Covered Entitycovered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity covered entity in the performance of such obligation(s); and. i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. A. Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. B. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. C. Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes awareaware (see Section IV. IV.below); d. D. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information, evidenced by written agreement with subcontractor; e. E. Make available Protected Health Information protected health information in a Designated Record Set an Individual’s designated record set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), Individual as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. F. Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. G. Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity Entity, a third party or individual as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. H. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. I. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. J. Mitigation: to mitigate, to the extent practicable, any harmful effect that is known to Business Associate’s Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this Agreement. K. Tracking and Accounting of Disclosures. So that Covered Entity may meet its accounting obligations under the Privacy Rule, Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. For each Disclosure of PHI that Business Associate makes to Covered Entity or to a third party that is subject to Disclosure under 45 CFR § 164.528, Business Associate will record (i) the Disclosure date, (ii) the name and (if known) address of the person or entity to whom Business Associate made the Disclosure, (iii) a brief description of the PHI disclosed, and (iv) a brief statement of the purpose of the Disclosure. For repetitive disclosures which Business Associate makes to the same person or entity, including the Covered Entity’s compliance with HIPAA , for a single purpose, Business Associate may provide (i) the Disclosure information for the first of these repetitive disclosures, (ii) the frequency, duration or number of these repetitive disclosures, and HIPAA Regulations(iii) the date of the last of these repetitive disclosures. Business Associate will make this log of Disclosure information available to the Covered Entity within five (5) business days of the Covered Entity's request. Business Associate must retain the Disclosure information for the six-year period preceding Covered Entity's request for the Disclosure information.

Obligations and Activities of Business Associate. (a) The Business Associate agrees to: a. Not shall not use or disclose Protected Health Information PHI other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. Use (b) The Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 the DoD HIPAA Rules with respect to electronic Protected Health InformationPHI, to prevent Use use or Disclosure disclosure of Protected Health Information PHI other than as provided for by this BAA;Agreement. c. Report (c) The Business Associate shall report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA Breach of which it becomes aware, including breaches of Unsecured Protected Health Information and shall proceed with breach response steps as required at 45 CFR 164.410by Part V of this BAA. With respect to electronic PHI, and the Business Associate shall also respond to any Security Incident security incident of which it becomes aware;aware in accordance with any Information Assurance provisions of this Agreement. If at any point the Business Associate becomes aware that a security incident involves a Breach, the Business Associate shall immediately initiate breach response as required by part V of this BAA. d. (d) In accordance with 45 CFR 164.502(e)(1)(ii)) and 164.308(b)(2), if respectively, and corresponding DoD HIPAA Issuances, as applicable, the Business Associate shall ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;PHI. e. Make (e) The Business Associate shall make available Protected Health Information PHI in a Designated Record Set Set, to the Covered Entity or or, as directed by the Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j)Individual, as necessary to satisfy the Covered Entity’s Entity obligations under 45 CFR 164.524;164.524 and corresponding DoD HIPAA Issuances. f. Make (f) The Business Associate shall make any amendment(s) to Protected Health Information PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;, and corresponding DoD HIPAA Issuances. g. Maintain (g) The Business Associate shall maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity or an individual as necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.528;164.528 and corresponding DoD HIPAA Issuances. h. (h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164the HIPAA Privacy Rule, the Business Associate shall comply with the requirements of Subpart E theHIPAA Privacy Rule that apply to the Covered Entity in the performance of such obligation(s); and i. Make (i) The Business Associate shall make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. 2.1 Not use Use or disclose Disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required Required by lawLaw; b. 2.2 Use appropriate safeguards, safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAAAgreement; c. 2.3 Report to Covered Entity covered entity any Use or Disclosure of Protected Health Information not provided for by this BAA the Agreement of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware, as further provided for in Par. 12.1, et seq.; d. 2.4 Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement; 2.5 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. 2.6 Make available Protected Health Information in a Designated Record Set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. 2.7 Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, 164.526 or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. 2.8 Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules; and 2.9 Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entitycovered entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with HIPAA and HIPAA Regulations.

Obligations and Activities of Business Associate. (a) Business Associate agrees to: a. Not use to not Use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, BA Agreement or as required Required by law;Law. b. Use (b) Business Associate agrees to use appropriate safeguards, safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use or Disclosure of the Protected Health Information other than as provided for by this BAA;BA Agreement. c. Report (c) Business Associate agrees to report to Covered Entity Entity's Privacy Official, within five (5) business days, any Use or Disclosure of the Protected Health Information not provided for by this BAA BA Agreement, of which it becomes aware, including breaches of Unsecured Protected Health Information as required at by 45 CFR Part 164.410. Such report shall include, and without limitation, the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. This includes, but is not limited to, a Breach of the security of any Security Incident of which it becomes aware;data covered by section 501.171, Florida Statutes. d. (d) In accordance with 45 CFR Part 164.502(e)(1)(ii) and Part 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors agent or Subcontractor that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree agrees in writing to the same restrictions, conditions, conditions and requirements that apply to Business Associate with respect to such information;. Upon Covered Entity’s request, Business Associate shall make such written agreements between Business Associate and its agents or Subcontractors available to Covered Entity for its review. e. Make available (e) To the extent Business Associate has Protected Health Information in a Designated Record Set that is not maintained by Covered Entity, Business Associate agrees to provide access, at the request of Covered Entity (which may also be on behalf of an Individual), to Protected Health Information in a Designated Record Set, to Covered Entity or in order to an individual whose Protected Health Information is maintained by Business Associate, or meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR Part 164.524;, including provision of records in electronic form (including those requests made by Covered Entity on behalf of an Individual), to the extent required by the HITECH Act. f. Make (f) Business Associate agrees to make any amendment(s) to Protected Health Information in its possession contained in a Designated Record Set as directed or agreed to by the that Covered Entity directs or agrees to pursuant to 45 CFR Part 164.526, at the request of Covered Entity, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR Part 164.526;. g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. (g) To the extent the that Business Associate is to carry out one or more of Covered Entity's ’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and. i. Make (h) Business Associate agrees to make its internal practices, books, and records relating to the Use and Disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the HIPAA Rules. (i) Business Associate agrees to document and maintain a record of all Disclosures of Protected Health Information in its possession and information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of Protected Health Information in accordance with 45 CFR Part 164.528, the HITECH Act, and Florida law. (j) Business Associate agrees to provide to Covered Entity information collected in accordance with Section 2(i) of this BA Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of Disclosures of Protected Health Information in accordance with 45 CFR Part 164.528, the HITECH Act, and Florida law. Such accounting must be provided without cost to the individual or Covered Entity if it is the first accounting requested by an individual within any twelve (12) month period; however, a reasonable, cost-based fee may be charged for subsequent accountings if Business Associate informs the individual in advance of the fee and is afforded an opportunity to withdraw or modify the request. Such accounting is limited to disclosures that were made in the six (6) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule) and shall be provided for as long as Business Associate maintains the PHI. (k) Business Associate agrees to, subject to subsection 4(c) below, return to the Covered Entity or destroy, within fifteen (15) days of the termination of this BA Agreement, the Protected Health Information in its possession and retain no copies. (l) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to either party, of a use or Disclosure of Protected Health Information in violation of this BA Agreement. (m) Business Associate agrees to indemnify, insure, defend and hold harmless Covered Entity and Covered Entity's employees, directors, officers, subcontractors, agents, or members of its workforce, each of the foregoing hereinafter referred to as an "indemnified party," against all actual and direct losses suffered by the indemnified party and all liability to third parties arising from or in connection with any Breach of this BA Agreement or of any warranty hereunder or from any negligence, wrongful acts, or omissions, including the failure to perform its obligations under HIPAA, as well as the additional obligations under the HITECH Act, by Business Associate or its employees, directors, officers, subcontractors, agents, or members of its workforce. This includes, but is not limited to, expenses associated with notification to Individuals and/or the media in the event of a Breach of Protected Health Information held by Business Associate. Accordingly, on demand, Business Associate shall reimburse any indemnified party for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys' fees) which may for any reason be imposed upon any indemnified party by reason of any suit, claim, action, proceeding or demand by any third party which results from the indemnifying party's Breach hereunder. The provisions of this paragraph shall survive the expiration or termination of this BA Agreement for any reason. (n) In addition to its overall obligations with respect to Protected Health Information, to the extent required by the Security Rule, Business Associate will: (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic Protected Health Information (EPHI) that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by HIPAA; and (2) ensure that any agent or Subcontractor to whom it provides such XXXX agrees to implement reasonable and appropriate safeguards to protect the EPHI; and (3) ensure that all PHI or EPHI be secured when accessed by Business Associate’s employees, agents, or subcontractors, limited to the legitimate business needs while working with the PHI or EPHI; and (4) ensure that any personnel changes by Business Associate, eliminating the legitimate business needs for employees, agents or contractors access to PHI – either by revision of duties or termination – shall be immediately reported to Covered Entity’s compliance , no later than the third business day after the personnel change becomes effective; and (5) report to Covered Entity any Security Incident of which it becomes aware in accordance with HIPAA and HIPAA Regulations.section 2(c) of this BA Agreement; and

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Submit system and program information to the Privacy Official, upon request, to document and verify compliance with federal and state privacy rules and regulations; (d) Report to the Privacy Official of the Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes awareaware within 72 hours of discovery; d. (e) Notwithstanding the requirements of 45 CFR 164.410, Business Associate shall notify the Privacy Official of the Covered Entity of potential breaches within 72 hours of discovery and keep the Privacy Official of the Covered Entity informed in their breach determination process; (f) Unless otherwise directed by Covered Entity, Business Associate shall be responsible for the cost incurred by the Covered Entity for breach notifications to individuals, the US DHHS Office of Civil Rights (OCR), the media, and Consumer Affairs. Information for breach notifications shall be submitted within 15 days of discovery to the Privacy Official of the Covered Entity by email to xxxxxxxxxxxxx@xxxxxx.xxx; (g) For breaches resulting from the action or inaction of Business Associate, or its subcontractors, surrounding the use, receipt, storage, and/or transmission of PHI and PII under this Agreement, be responsible for any and all costs, damages, liabilities, expenses, fines, and/or penalties; (h) In accordance with 45 CFR 164.502(e)(1)(ii164.502(e)(1) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements requirements, to include reporting and notification requirements, that apply to the Business Associate with respect to such information; e. (i) All reporting or notifications requirements pursuant to letters (d), (e), (f), (g) and (h) above, should be submitted using the “Incident Reporting for Business Associates” form, addressed to the Privacy Official of the Covered Entity, by email to xxxxxxxxxxxxx@xxxxxx.xxx. Additional contact information for the Privacy Official is: South Carolina Department of Health and Human Services Privacy Office Post Office Box 8206 Columbia, SC 00000-0000 Phone: (000) 000-0000 Fax: (000) 000-0000 (j) Make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. (k) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. (l) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity Entity, or an individual if directed by Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. (m) Notify Covered Entity within five (5) business days of receipt of any request covered under paragraphs (j), (k) or (l) above; (n) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (o) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. 2.1 Business Associate acknowledges that it is directly subject to the Security Rule and to certain portions of the Privacy Rule and will maintain the compliance documentation required under the HIPAA Rules. For purposes of HIPAA, Business Associate is not an agent of Covered Entity. Business Associate agrees to: a. 2.1.1 Not use or disclose Protected Health Information PHI other than as permitted or required by this BAA, to furnish services under the Agreement, Agreement or as required Required by law;Law. b. 2.1.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health InformationPHI, to prevent Use use or Disclosure disclosure of Protected Health Information the PHI other than as provided for by this BAA;Agreement. c. 2.1.3 Report in writing to Covered Entity without unreasonable delay and in no case later than 15 business days after discovery any Use use or Disclosure disclosure of Protected Health Information the PHI not provided for by this BAA Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured PHI as required at 45 CFR 164.410, and any Security Incident (as defined in 45 CFR 164.304) of which it becomes aware;. d. 2.1.4 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors and agents that create, receive, maintain, or transmit Protected Health Information PHI on behalf of the Business Associate on behalf of Covered Entity agree to the same restrictions, conditions, conditions and requirements that apply to Business Associate with respect to such information;information and do not store PHI beyond the borders of the United States of America. Remote access to data stored within the borders of the United Stated of America is allowed as long as appropriate HIPAA technical controls are utilized. These controls must be approved by the HSIS Information Security Team. Printing of PHI beyond the borders of the United States of America is not allowed. e. Make 2.1.5 Within five (5) business days of a request by Covered Entity or the Secretary, make available Protected Health Information PHI in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is 164.524, as well as make any amendments to carry out one PHI in a Designated Record Set (and incorporate any amendments, if required) as directed or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply agreed to by the Covered Entity in order to meet the performance requirements under 45 CFR 164.526. 2.1.6 Within five (5) business days of such obligation(s); and i. Make a request by Covered Entity or the Secretary, make its internal practices, books, and records available relating to the Secretary use and disclosure of PHI received from, or created or received or transmitted or maintained by Business Associate on behalf of Covered Entity, to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's or Business Associate’s compliance with the Privacy Rule. In the event such a request comes directly from the Secretary, Business Associate agrees to notify Covered Entity promptly of such request. 2.1.7 Document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. 2.1.8 Provide to Covered Entity or an Individual, in time and manner designated by Covered Entity’s compliance , information collected in accordance with this section, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. 2.1.9 Comply with the minimum necessary requirements under the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. 1. Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. 2. Use appropriate safeguards, and comply with Subpart C of 45 CFR CFR, Part 164 with respect to protected electronic Protected Health Information, health information and to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAA;Agreement. c. 3. Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at by 45 CFR 164.410, and any Security Incident security incident of which it becomes aware;. Business Associate agrees to promptly notify covered entity following the discovery of a Breach of unsecured PHI. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured PHI shall include the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Security Incident or Breach as well as any other relevant information regarding the Security Incident or Breach. d. 4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;. e. Make 5. Business Associate agrees to mitigate, to the extent possible, any harmful resulting from use or disclosure of PHI by Business Associate or its agents or subcontractors, in violation of the requirements of this Agreement. 6. Maintain and make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;. If an Individual makes a request for access to the protected health information directly to Business Associate, business associate shall notify covered entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual. f. 7. Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;. If an Individual makes a request for amendment to the protected health information directly to Business Associate, Business Associate shall notify Covered Entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual. g. 8. Maintain and make available the information required to provide to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;. If an Individual makes a request for accounting of disclosures directly to Business Associate, Business Associate shall notify Covered Entity within three (3) business days of such request and shall cooperate with the Covered Entity to send the response to the Individual. h. 9. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s’s obligations(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. 10. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. (a) Business Associate agrees to: a. Not to not use or further disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. Use (b) Business Associate agrees to use appropriate safeguards, safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Agreement. c. Report (c) Business Associate agrees to report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information as required at 45 CFR 164.410unsecured PHI not provided for by the Agreement, and any Security Incident security incident of which it becomes aware;. In event of a Breach of Unsecured Protected Health Information by Business Associate or any of its officers, directors, employees, or subcontractors, Business Associate shall promptly notify Covered Entity in accordance with 45 C.F.R. 164.410. d. (d) Business Associate and Covered Entity agree to mitigate, to the extent practicable, any harmful effect that is known to it arising out of a use or disclosure of Protected Health Information in violation of the requirements of this Agreement. (e) In accordance with 45 CFR 164.502(e)(1)(ii164.502(e)(1) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;. e. Make (f) In accordance with 45 CFR 164.524, Business Associate agrees to make available PHI in a designated record set to the Covered Entity within twenty (20) days of a request by Covered Entity for access to PHI about an individual. In the event that any individual request access to PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity within twenty (20) days of receiving such request. Business Associate may impose a reasonable cost-based fee for the provision of copies of Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by designated record set in accordance with 45 CFR 164.530(jC.F.R. 164.524(c)(4), as necessary to satisfy Covered Entity’s obligations under . (g) In accordance with 45 CFR 164.524; f. Make , Business Associate agrees to make available any amendment(s) to Protected Health Information in within twenty (20) days of a Designated Record Set as directed or agreed request by Covered Entity. Business Associate shall provide such information to by the Covered Entity pursuant for amendment and incorporate any amendments in the PHI as required by 45 C.F.R. 164.526. In the event a request for an amendment is delivered directly to 45 CFR 164.526Business Associate, Business Associate shall forward such request to Covered Entity within twenty (20) days of receiving such request. (h) Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or take other measures as necessary created or received by Business Associate, on behalf of Covered Entity, available to satisfy the Secretary, for purposes of the Secretary determining Covered Entity’s obligations under 45 CFR 164.526;or Business Associate’s compliance with HIPAA. g. Maintain (i) Business Associate agrees to document such disclosures of Protected Health Information and make available the information related to such disclosures as would be required for Covered Entity to provide respond to a request by an Individual for an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under disclosures of Protected Health Information in accordance with 45 CFR C.F.R. 164.528;. h. (j) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) ’s obligations under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and. i. Make its internal practices(k) Except for disclosures of PHI by Business Associate that are excluded from the accounting obligation as set forth in 45 CFR 164.528 or regulations issued pursuant to HITECH, books, and records available Business Associate shall record for each disclosure the information required to the Secretary for purposes of determining Business Associate’s or be recorded by Covered Entity’s compliance with HIPAA and HIPAA Regulations.Entities pursuant to 45 CFR 164.528. Within twenty

Obligations and Activities of Business Associate. 1. Business Associate agrees to: a. Not to not use or disclose Protected Health Information PHI received from, or created or received by Business Associate on behalf of, Covered Entity other than as permitted or required by this BAA, the Agreement, BAA or as required Required by law;Law. b. Use 2. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, safeguards to prevent Use use or Disclosure disclosure of Protected Health Information the PHI other than as provided for by this BAA or as Required by Law. 3. Business Associate agrees to mitigate, in cooperation with Covered Entity, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA;. c. Report 4. Business Associate agrees to report to Covered Entity any Use unauthorized use or Disclosure disclosure of Protected Health Information the PHI not provided for by this BAA of which it becomes aware, including breaches of Unsecured Protected Health Information aware as required at by 45 CFR 164.410, § 164.410 and 164.504(e). Covered Entity is then responsible for any Security Incident of which it becomes aware; d. In accordance with further notification requirements in 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, § 164.404 through 45 CFR § 164.408 as a result of any breach of unsecured PHI. 5. Business Associate agrees to ensure that any Subcontractors that createagent, receiveincluding a subcontractor, maintainto whom it provides PHI received from, or transmit Protected Health Information created or received by Business Associate on behalf of the Business Associate agree Covered Entity, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this BAA to Business Associate with respect to such information;. e. Make available Protected Health Information 6. Business Associate agrees to provide access in a timely manner, at the request of Covered Entity, to PHI in a Designated Record Set, to Covered Entity in order for the Covered Entity to meet the requirements under 45 CFR § 164.524. 7. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and make available § 164.526 at the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more request of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply . 8. Business Associate agrees to the Covered Entity in the performance of such obligation(s); and i. Make its make internal practices, books, and records records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary Covered Entity, or to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity’s 's compliance with HIPAA the Privacy and HIPAA RegulationsSecurity Rules. 9. Business Associate agrees to document unauthorized disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. 10. Business Associate agrees to provide to Covered Entity information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

Obligations and Activities of Business Associate. Notwithstanding any provision to the contrary in the Agreement, Business Associate agrees toshall: a. Not use or disclose Protected Health Information that it receives from or on behalf of Covered Entity (including Protected Health Information of Covered Entity’s customers) or that it creates on behalf of Covered Entity (collectively “PHI”) other than as permitted or required by this BAA, the AgreementExhibit, or as required by law; b. Use appropriate safeguardsNot use or disclose PHI in a manner that would violate the requirements of the Privacy Rule when done by Covered Entity, except as permitted by Section 3(b) or 3(c), below, and comply with Subpart C Business Associate shall be permitted to (i) use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate; (ii) disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate if (A) the disclosure is required by law; or (B) Business Associate obtains reasonable written assurances from the person to whom it disclosed the PHI that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; and (iii) use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR Part 164 with respect C.F.R. Section 164.504(e)(2)(i)(B) if the performance of data aggregation services is necessary for Business Associate to electronic Protected Health Informationperform its obligations under the Agreement or Covered Entity otherwise requests data aggregation services from Business Associate; c. When it has possession of PHI, is accessing PHI, (other than when present at a any facility owned or leased by or on behalf of Covered Entity (each a “Covered Entity Facility”) or when accessing or utilizing any equipment, software, tools or other information technology owned, leased or licensed by or on behalf of Covered Entity (“Covered Entity Systems”), each of which is governed by Section 2(e) below), it shall use appropriate safeguards as required by the Privacy Rule to prevent Use use or Disclosure disclosure of Protected Health Information the PHI other than as provided for by this BAAAgreement; c. d. When it has possession of electronic PHI, is accessing electronic PHI, or is transmitting electronic PHI (other than when present at a Covered Entity Facility or when accessing or utilizing a Covered Entity System, each of which is governed by Section 2(e) below), it shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of such electronic PHI as required by, and as more specifically set forth in, the Security Rule; e. When present at a Covered Entity Facility (e.g., when providing Services at a Covered Entity Facility) or accessing or utilizing a Covered Entity System, Business Associate shall comply with Covered Entity’s standard safeguards to prevent the use or disclosure of PHI (including Covered Entity’s standard administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic PHI) applicable to such Covered Entity Facility or such Covered Entity System, provided Covered Entity has given Business Associate prior written notice of such safeguards; f. Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Exhibit; g. Report promptly to Covered Entity (i) any Use use or Disclosure disclosure of Protected Health Information the PHI by Business Associate not provided for by this BAA Exhibit of which it becomes aware, including breaches of Unsecured Protected Health Information aware and (ii) any “security incident” as required at 45 CFR 164.410, and any defined in the Security Incident Rule of which it becomes aware; d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure h. Ensure that any Subcontractors that createagent, receiveincluding a subcontractor, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to whom it provides PHI agrees to the same restrictions, conditions, restrictions and requirements conditions that are substantially similar in all material respects to the restrictions and conditions that apply through this Exhibit to Business Associate with respect to such information; e. Make available Protected Health Information i. Provide access, at the request of Covered Entity, and in the time and manner reasonably designated by Covered Entity, to PHI in a Designated Record Set that is being maintained by Business Associate in the format and on the media in use as of the date of the request, to Covered Entity or, as directed by Covered Entity, to an individual in order for Covered Entity to meet the requirements under 45 CFR §164.524, at no cost to Covered Entity or to an the individual whose Protected Health Information is maintained other than payment by Business Associate, or Covered Entity for the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524media then in use; f. j. Make any amendment(s) to Protected Health Information PHI in a Designated Record Set as directed or agreed to that is being maintained by the Business Associate that Covered Entity directs or agrees to pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy §164.526 at the request of Covered Entity’s obligations , and in the time and manner reasonably designated by Covered Entity in order for Covered Entity to meet the requirements under 45 CFR §164.526; g. Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. k. Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Business Associate’s or Covered Entity’s compliance with HIPAA the Privacy Rule; l. Unless otherwise mutually agreed in writing between the Business Associate and HIPAA Regulationsthe Covered Entity, make available to the Covered Entity the information pertaining to the disclosures of PHI made by Business Associate and information related to such disclosures pursuant to the Agreement in order to assist the Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528; m. Upon Business Associate’s receipt of written notice from Covered Entity that Covered Entity has received a request for an accounting of disclosures of PHI regarding an individual, provide to Covered Entity , in a time and manner reasonably designated by Covered Entity, information collected in accordance with Section 2(l), to permit Covered Entity to respond to a request by that individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528, and it shall be Covered Entity’s responsibility to prepare and deliver any such requested accounting; n. Establish and enforce appropriate clearance procedures and supervision to assure that its workforce follows requirements consistent with Business Associate’s obligations under this Exhibit. o. Act immediately and effectively to terminate access to PHI of any of its staff upon such staff member’s termination or reassignment; and p. Provide appropriate training for its staff to assure that its staff complies with its obligations consistent with the requirements of this Exhibit.

Obligations and Activities of Business Associate. Business Associate agrees to: a. : Not use Use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. Required By Law; Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAA; c. Agreement; Report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA Agreement of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. ; unless otherwise agreed, Business Associate shall handle Breach notifications to Individuals, the HHS Office for Civil Rights (OCR), and potentially the media, on behalf of Covered Entity. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate Covered Entity agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; e. ; Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; f. ; Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. ; Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; h. ; To the extent the Business Associate is to carry out one or more of the Covered Entity's ’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. and Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. Business Associate agrees to: a. (a) Not use or disclose Protected Health Information protected health information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law; b. (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Informationprotected health information, to prevent Use use or Disclosure disclosure of Protected Health Information protected health information other than as provided for by this BAAthe Agreement; c. (c) Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information protected health information not provided for by this BAA the Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information unsecured protected health information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware;; The Business Associate will notify Covered Entity appropriate staff within 3 business days upon discovery of any breach or other security incident related to ICANotes software or hardware that might result in unauthorized disclosure of protected health information of the Covered Entity. This includes any attempt to access protected health information by anyone including unauthorized ICANotes staff. ICANotes LLC will report to the Covered Entity: the date, time, nature of incident and other pertinent details. ICANotes LLC will report any possible breach notifications to the Covered Entity as required. d. (d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ICANotes LLC will ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit Protected Health Information protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. (e) Make available Protected Health Information protected health information in a Designated Record Set designated record set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s 's obligations under 45 CFR 164.524;; any requests made by an individual will be forwarded by the Business Associate to the Covered Entity within 7 business days of the individual's request. f. (f) Make any amendment(s) to Protected Health Information protected health information in a Designated Record Set designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s 's obligations under 45 CFR 164.526;; any requests for amendment from the individual will be forwarded to the Covered Entity within 7 business days. g. (g) Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity within 7 business days as necessary to satisfy Covered Entity’s 's obligations under 45 CFR 164.528;; any requests for accounting of disclosures from an individual will be forwarded to the Covered Entity within 7 business days. h. (h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. (i) Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. 3.1 Business Associate agrees to: a. Not to not use or further disclose Protected Health Information PHI other than as permitted or required by this BAA, the Agreement, agreement or as required by lawRequired By Law. 3.2 Business Associate agrees to: (a) Implement policies and procedures to prevent, detect, contain and correct Security violations in accordance with 45 C.F.R. § 164.306; b. Use appropriate safeguards, and comply with Subpart C (b) Prevent use or disclosure of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information PHI other than as provided for by this BAAAgreement or as Required By Law; c. Report (c) Use appropriate safeguards and comply, where applicable, with Subpart C of 45 C.F.R. §164 with respect to ePHI that the Business Associate creates, receives, maintains, or transmits on behalf of the Covered Entity, to prevent use or disclosure of the information other than as provided for by this Agreement or by law; and (d) Comply with the Security Rule requirements including the Administrative Safeguards, Physical Safeguards, Technical Safeguards, and policies and procedures and documentation requirements set forth in 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316, including the provisions of training on such policies and procedures to applicable employees, independent contractors, and volunteers, that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of PHI and/or ePHI that the Provider creates, receives, maintains or transmits on behalf of the Department. (e) Comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations, to the extent Business Associate is to carry out Covered Entity’s obligations under 45 C.F.R. §164 or this Agreement. 3.3 Business Associate agrees to mitigate, to the extent practicable, any Use harmful effect that is known to Business Associate of a use or Disclosure disclosure of Protected Health Information PHI by Business Associate in violation of the requirements of this Agreement. 3.4 Business Associate agrees to report to Covered Entity, without unreasonable delay, any use or disclosure of PHI not provided for by this BAA Agreement of which it becomes aware. This includes any copying or amendment of such information and any Security Breaches involving Unsecured PHI as required by 45 C.F.R. §164.410. Business Associate agrees to include in such notice: (a) Identification of any individual whose Unsecured PHI has been, including breaches or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Security Breach in accordance with 45 C.F.R. §164.404; and (b) All information required for the Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information Information, available on the U.S. Department of Health and Human Services website. 3.5 Business Associate agrees to maintain and provide to the Secretary such records and compliance reports as the Secretary may determine to be necessary and to comply with all compliance reviews and complaint investigations as required at by the 45 CFR 164.410C.F.R. §160, and any Security Incident of which it becomes aware;Subsection C. d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, 3.6 Business Associate agrees to ensure that any Subcontractors agent, including a subcontractor, to whom it provides PHI that create, receive, maintain, was created or transmit Protected Health Information received by Business Associate on behalf of the Business Associate agree Covered Entity, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information;. e. Make available Protected Health Information 3.7 If Business Associate has PHI in a Designated Record Set: (a) Business Associate agrees to provide at the request of Covered Entity during regular business hours, Access to PHI in a Designated Record Set to Covered Entity or or, as directed by Covered Entity, to an individual whose Protected Health Information is maintained by Business Associate, or in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR C.F.R. §164.524;; and f. Make (b) Business Associate agrees to make any amendment(s) to Protected Health Information PHI in a Designated Record Set as directed or agreed to by that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; g. Maintain and make available C.F.R. § 164.526 at the information required to provide an accounting request of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;or an Individual within 10 business days of receiving the request. h. To the extent the 3.8 Business Associate is agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. Make make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary upon request from the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with HIPAA the Privacy Rule. 3.9 Business Associate agrees to document such disclosures of PHI and HIPAA Regulationsinformation related thereto as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. 3.10 Business Associate agrees to provide to Covered Entity or an Individual, upon request, information collected in accordance with Paragraphs 3.7 and 3.9 above, in response to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §§ 164.528, § 164.502 and § 164.504. 3.11 Business Associate specifically agrees to use Security Measures that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of PHI in electronic or any other form that it creates, receives, maintains, or transmits on behalf of the Covered Entity. 3.12 Business Associate agrees to implement Security Measures to secure Passwords used to Access ePHI that it accesses, maintains, or transmits as part of this Agreement from Malicious Software and other man-made and natural vulnerabilities to assure the Availability, Integrity, and Confidentiality of such information. 3.13 Business Associate agrees to implement Security Measures to safeguard ePHI that it accesses, maintains, or transmits as part of this agreement from Malicious Software and other man- made and natural vulnerabilities to assure the Availability, Integrity, and Confidentiality of such information. 3.14 Business Associate agrees to comply with: (a) ARRA § 13404 (Application of Knowledge Elements Associated with Contracts), as set forth in 45 C.F.R. §§164.502, 164.504; (b) ARRA § 13405 (Restrictions on Certain Disclosures and Sales of Health Information), as set forth in 45 C.F.R. §164, Subpart E; and (c) ARRA § 13406 (Conditions on Certain Contacts as Part of Health Care Operations), as set forth in 45 C.F.R. §§164.508(a)(3), 164.514(f)(1).

Obligations and Activities of Business Associate. Business Associate agrees to: a. A. Not use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by lawRequired By Law; b. B. Use appropriate safeguards, and comply with Subpart C of 45 CFR C.F.R. Part 164 with respect to electronic Protected Health Information, to prevent Use use or Disclosure disclosure of Protected Health Information other than as provided for by this BAAAgreement; c. C. Report to Covered Entity any Use use or Disclosure disclosure of Protected Health Information not provided for by this BAA Agreement of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information as required at 45 CFR C.F.R. § 164.410, and any Security Incident of which it becomes aware; d. D. In accordance with 45 CFR C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; e. E. Make available Protected Health Information in a Designated Record Set to Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations under 45 CFR C.F.R. § 164.524; f. F. Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR C.F.R § 164.526; g. G. Maintain and make available the information required to provide an accounting of Disclosures disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR C.F.R. § 164.528; h. H. To the extent the Business Associate is to carry out one or more of Covered Entity's ’s obligation(s) under Subpart E of 45 CFR C.F.R. Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. I. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. (a) Business Associate agrees to: a. Not to not use or disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, Agreement or as required by law;. b. Use (b) Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this BAA;Agreement. c. Report (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. Form BA Agreement – Managed Entity as Covered Entity (9-23-2013) (d) Business Associate agrees to report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA Agreement of which it becomes aware, including breaches of Unsecured unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware. Business Associate will make the report to Covered Entity’s Privacy Officer not more than five (5) calendar days after Business Associate learns of such non-permitted use or disclosure. Business Associate’s report will at least: (i) identify the nature of the non-permitted use or disclosure including how such use or disclosure was made; d. (ii) identify Covered Entity’s Protected Health Information used or disclosed; (iii) identify who received the non-permitted disclosure; (iv) identify what corrective action Business Associate took or will take to prevent further non- permitted uses or disclosures; (v) identify what Business Associate did or will do to mitigate any deleterious effect of the non- permitted use or disclosure; and (vi) provide such other information, including a written report, as Covered Entity may reasonably request. (e) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2164.308.(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors agent of Business Associate, including a subcontractor, that createcreates, receivereceives, maintain, maintains or transmit transmits Protected Health Information on behalf of the Business Associate agree agrees to the same restrictions, conditions, conditions and requirements that apply through this Agreement to Business Associate with respect to such information;. e. Make available (f) Business Associate agrees to make available, at the request of Covered Entity and within five (5) business days of Covered Entity’s request, Protected Health Information in a Designated Record Set Set, to Covered Entity or or, as directed by Covered Entity, to an individual whose Protected Health Information is maintained by Business AssociateIndividual, or in order to meet the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s obligations requirements under 45 CFR § 164.524;. f. Make (g) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;. Business Associate shall make such amendments or take such other measures within ten (10) days following Covered Entity’s request. g. Maintain (h) With reasonable notice, Covered Entity may audit Business Associate to monitor compliance with this Agreement. Business Associate will promptly correct any violation of this Agreement found by Covered Entity and will certify in writing that the correction has been made. Covered Entity’s failure to detect any unsatisfactory practice does not constitute acceptance of the practice or a waiver of Covered Entity’s enforcement rights under this Agreement. Business Associate agrees to make its internal practices, books and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available the information required to provide an accounting of Disclosures to the Covered Entity as necessary and to satisfy the Secretary for purposes of the Secretary determining Covered Entity’s obligations under compliance with HIPAA. (i) Business Associate agrees to document disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528;. h. To (j) Business Associate agrees to provide to Covered Entity or an Individual, within thirty (30) days of Covered Entity’s request, information collected in accordance with Section 2(i) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528. (k) Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity in accordance with Subpart C of 45 CFR Part 164 (the HIPAA Security standards). (l) Business Associate agrees that, to the extent the Business Associate is to carry carrying out one or more of Covered Entity's ’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and. i. Make its internal practices(m) Business Associate agrees to ensure, booksthrough a written contractual arrangement, that any agent, including a subcontractor, to whom it provides Electronic Protected Health Information that was created, received, maintained, or transmitted on behalf of the Covered Entity agrees to implement reasonable and records available appropriate safeguards to protect the Secretary for purposes Electronic Protected Health Information. Such written contractual arrangement will identify Covered Entity as a third-party beneficiary with rights of determining enforcement in the event of any violations. (n) Business Associate agrees to alert Covered Entity of any Security Incident of which it becomes aware involving Covered Entity’s Electronic Protected Health Information within 48 hours of any such incident. (o) Business Associate shall maintain insurance with respect to Business Associate’s or obligations under this Agreement reasonably satisfactory to Covered Entity’s compliance , and provide from time to time as requested by Covered Entity, proof of such insurance. (p) Business Associate will indemnify, defend and hold harmless Covered Entity and its respective employees, directors, officers, subcontractors, agents and affiliates from and against all claims, actions, damages, losses, liabilities, fines, penalties, costs or expenses (including, without limitation, reasonable attorneys’ fees) suffered by Covered Entity arising from or in connection with HIPAA and HIPAA Regulationsany breach of this Agreement, or any negligent or wrongful acts or omissions in connection with this Agreement, by Business Associate or by its employees, directors, officers, subcontractors, or agents.

Obligations and Activities of Business Associate. The Business Associate agrees to: a. Not use Use or disclose Disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, BAA or as required by lawRequired By Law; b. Use appropriate safeguards, and comply with Subpart C of 45 CFR C.F.R. Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAA; c. Report to the Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, including breaches Breaches of Unsecured Protected Health Information as required at 45 CFR C.F.R. § 164.410, and any Security Incident security ncident of which it becomes awareaware in accordance with subsection 7, below; d. In accordance with 45 CFR C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; e. Make available Protected Health Information in a Designated Record Set to the Covered Entity or to an individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy the Covered Entity’s obligations under 45 CFR C.F.R. §164.524; f. Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR C.F.R. §164.526, or take other measures as necessary to satisfy the Covered Entity’s obligations under 45 CFR C.F.R. § 164.526; g. Maintain and promptly make available available, as directed by the Covered Entity, the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered the Cover Entity’s obligations under 45 CFR C.F.R. § 164.528; h. Immediately (i.e., within 72 hours) forward any request that the Business Associate receives directly from an Individual who (1) seeks access to Protected Health Information held by the Business Associate pursuant to this BAA, (2) requests amendment of Protected Health Information held by the Business Associate pursuant to this BAA, or (3) requests an accounting of Disclosures, so that the Covered Entity can coordinate the response; i. To the extent the Business Associate is to carry out one or more of the Covered Entity's ’s obligation(s) under Subpart E of 45 CFR C.F.R. Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and i. j. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with the HIPAA and HIPAA RegulationsRules.

Obligations and Activities of Business Associate. 2.1. Business Associate agrees to: a. Not to not use or further disclose Protected Health Information other than as permitted or required by this BAA, the Agreement, BAA or as required by law;Required By Law. b. Use 2.2. Business Associate agrees to use appropriate safeguardssafeguards and comply, and comply where applicable, with Subpart C of 45 CFR Part 164 the Security Rule with respect to electronic Electronic Protected Health Information, to prevent Use use or Disclosure disclosure of Protected Health Information the information other than as provided for by this BAA;. c. Report 2.3. Business Associate agrees to report to Covered Entity any Use use or Disclosure disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware, including breaches any Breaches of Unsecured Protected Health Information as required at by 45 CFR §164.410, and any Security Incident of which it becomes aware;. d. 2.4. In accordance with 45 CFR §164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, restrictions and requirements conditions substantially similar to those that apply through this BAA to Business Associate with respect to such information;. e. Make available 2.5. If Business Associate maintains Protected Health Information in a Designated Record Set Set, Business Associate agrees to Covered Entity or to an individual whose make available such Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as necessary to satisfy Covered Entity’s 's obligations under 45 CFR 164.524; f. Make any amendment(s) to § 164.524 and make available such Protected Health Information in a Designated Record Set as directed or agreed for amendment and incorporate any amendments to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures such Protected Health Information as necessary to satisfy Covered Entity’s 's obligations under 45 CFR § 164.526;. g. Maintain 2.6. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. 2.7. Business Associate agrees to maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity disclosures of Protected Health Information as necessary to satisfy Covered Entity’s 's obligations under 45 CFR 164.528;§ 164.528 and the HITECH Act. h. 2.8. With respect to Electronic Protected Health Information, Business Associate agrees to (a) comply with the applicable requirements of the Security Rule, (b) in accordance with 45 CFR §164.308(b)(2), ensure that any Subcontractors that create, receive, maintain or transmit Electronic Protected Health Information on behalf of Business Associate agree to comply with the applicable requirements of the Security Rule by entering into a contract or other arrangement that complies with 45 CFR §164.314, and (c) report to Covered Entity any Security Incident of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 CFR 2.9. To the extent the Business Associate is to carry out one or more any obligation of Covered Entity's obligation(s) Entity under Subpart E of 45 CFR Part 164the Privacy Rule, Business Associate shall comply with the requirements of Subpart E the Privacy Rule that apply to the Covered Entity in the performance of with respect to such obligation(s); and i. Make its internal practices, books, and records available to the Secretary for purposes of determining Business Associate’s or Covered Entity’s compliance with HIPAA and HIPAA Regulationsobligation.

Obligations and Activities of Business Associate. Business Associate agrees to: a. Not 2.1 BUSINESS ASSOCIATE shall use or and disclose Protected Health Information other than PHI only as permitted or required by this BAA, the Agreement, BAA or as required by law;, and shall not authorize, enable or permit any other use or disclosure of PHI. b. Use 2.2 BUSINESS ASSOCIATE shall use appropriate administrative, physical and technical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health InformationPHI, to prevent Use use or Disclosure disclosure of Protected Health Information PHI other than as provided for by this BAA;BAA and to protect against any anticipated threats or hazards to the security or integrity thereof. c. Report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, including breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; d. 2.3 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, BUSINESS ASSOCIATE shall ensure that any Subcontractors subcontractors that create, receive, maintain, transmit or transmit Protected Health Information otherwise have access to, use or disclose PHI on behalf of the Business Associate BUSINESS ASSOCIATE agree to the same restrictions, conditions, conditions and requirements that apply to Business Associate BUSINESS ASSOCIATE with respect to such information;PHI, it being understood that BUSINESS ASSOCIATE shall remain jointly and severally liable for any violation of the HIPAA Rules or this BAA by its subcontractors. e. Make available Protected Health Information 2.4 Promptly and no later than ten (10) days after COVERED ENTITY’s request, in a Designated Record Set manner designated or agreed to Covered Entity by COVERED ENTITY and at no charge, BUSINESS ASSOCIATE shall make available PHI in a designated record set to COVERED ENTITY or, if designated or agreed to an by COVERED ENTITY, to the individual whose Protected Health Information is maintained by Business Associate, or the individual’s designee, and document and retain the documentation required by 45 CFR 164.530(j), as shall take any other actions necessary to satisfy Covered EntityCOVERED ENTITY’s obligations under 45 CFR 164.524;. If an individual requests his or her PHI directly from BUSINESS ASSOCIATE, BUSINESS ASSOCIATE shall notify COVERED ENTITY promptly and no later than five (5) days after receipt of the request. f. Make any amendment(s2.5 Promptly and no later than ten (10) to Protected Health Information days after COVERED ENTITY’s request, in a Designated Record Set as directed manner designated or agreed to by the Covered Entity pursuant COVERED ENTITY and at no charge, BUSINESS ASSOCIATE shall make amendments to 45 CFR 164.526PHI in a designated record set, or and shall take any other measures as actions necessary to satisfy Covered EntityCOVERED ENTITY’s obligations under 45 CFR 164.526;. If an individual requests amendment to his or her PHI directly from BUSINESS ASSOCIATE, BUSINESS ASSOCIATE shall notify COVERED ENTITY promptly and no later than five (5) days after receipt of the request. g. Maintain 2.6 Promptly and no later than ten (10) days after COVERED ENTITY’s request, in a manner designated or agreed to by COVERED ENTITY and at no charge, BUSINESS ASSOCIATE shall make available the all information required to provide an accounting of Disclosures disclosures to COVERED ENTITY or, if designated or agreed to by COVERED ENTITY, to the Covered Entity as individual or the individual’s designee, and shall take any other actions necessary to satisfy Covered EntityCOVERED ENTITY’s obligations under 45 CFR 164.528;. If an individual requests an accounting of disclosures directly from BUSINESS ASSOCIATE, BUSINESS ASSOCIATE shall notify COVERED ENTITY promptly and no later than five (5) days after receipt of the request. h. 2.7 To the extent the Business Associate BUSINESS ASSOCIATE is to carry out one or more of Covered EntityCOVERED ENTITY's obligation(s) obligations under Subpart E of 45 CFR Part 164, BUSINESS ASSOCIATE shall comply with the requirements of Subpart E that apply to the Covered Entity COVERED ENTITY in the performance of such obligation(s); andobligations. i. Make 2.8 Promptly and no later than ten (10) days after the request, in a manner designated or agreed to by the Secretary or COVERED ENTITY and at no charge, BUSINESS ASSOCIATE shall make its internal policies, practices, books, books and records relating to the use and disclosure of PHI available to the Secretary Secretary, COVERED ENTITY and/or their designee(s) for purposes of determining Business AssociateCOVERED ENTITY’s or Covered Entityand/or BUSINESS ASSOCIATE’s compliance with the HIPAA Rules and this BAA. 2.9 BUSINESS ASSOCIATE shall not destroy PHI unless expressly designated or agreed to in writing by COVERED ENTITY, and further subject to BUSINESS ASSOCIATE (i) notifying COVERED ENTITY in advance of such planned destruction; (ii) ensuring that, prior to such destruction, COVERED ENTITY has received a copy of any PHI that it desires or is required by law to retain, and (iii) complying with the return and destruction requirements of the HIPAA RegulationsRules and this BAA. 2.10 BUSINESS ASSOCIATE shall not (i) remove PHI from COVERED ENTITY’s facilities or systems, (ii) export, transfer or make available PHI outside of the United States, whether for storage, processing or otherwise, or (iii) allow workforce or subcontractors not residing in the United States to access, receive or view PHI, unless expressly authorized in writing by COVERED ENTITY in each instance. 2.11 In connection with any visits to COVERED ENTITY’s facilities or access to COVERED ENTITY’s systems, BUSINESS ASSOCIATE shall comply with all on-site and remote access rules and procedures communicated by COVERED ENTITY, including all sign-in, badging, escort, and restricted access requirements, and shall exercise reasonable care and appropriate judgment in connection therewith. 2.12 BUSINESS ASSOCIATE shall evaluate and adjust its safeguards, policies and procedures as necessary to respond to evolving security threats, keep pace with generally accepted industry standards and best practices, and comply with the HIPAA Rules and other applicable laws and regulations pertaining to the privacy, security, integrity, retention, disposal, use and disclosure of PHI. BUSINESS ASSOCIATE shall promptly correct any deficiencies identified as part of internal or external monitoring, testing or auditing, and shall provide COVERED ENTITY at no charge with copies of any audit and testing reports prepared in connection therewith. 2.13 BUSINESS ASSOCIATE shall encrypt PHI transmitted, received, processed or maintained on electronic media, both while in transit and at rest, in accordance with the guidance established under the HIPAA Rules to “Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” as amended. Whenever feasible, BUSINESS ASSOCIATE shall secure all other PHI using measures that comply with the foregoing guidance. BUSINESS ASSOCIATE shall provide COVERED ENTITY with all information and assistance necessary to decrypt and otherwise access and use PHI that has been secured by BUSINESS ASSOCIATE in one of the foregoing manners. 2.14 BUSINESS ASSOCIATE acknowledges that it is directly subject to and responsible for ensuring its compliance with the HIPAA Rules. BUSINESS ASSOCIATE shall indemnify and hold COVERED ENTITY, its affiliates and their respective directors, officers, employees and agents harmless from and against any and all claims, demands, causes of action, investigations, liabilities, losses, damages, judgments, awards, penalties, fines, settlements, costs and expenses (including reasonable attorneys’ fees, expert witness fees, court costs, and costs of investigation, notification and remediation) caused by, attributable to, or otherwise arising out of or resulting from any violation of the HIPAA Rules or other applicable law, breach of this BAA, or negligent or wrongful acts or omissions by BUSINESS ASSOCIATE, its workforce or subcontractors. 2.15 BUSINESS ASSOCIATE shall, at all times, maintain liability insurance coverage, including coverage for adverse privacy and security events, covering its responsibilities provided for in this Agreement on an occurrence basis in minimum amounts of One Million Dollars ($1,000,000) per occurrence and One Million Dollars ($1,000,000) annual aggregate. In the event BUSINESS ASSOCIATE procures insurance coverage which is not on an occurrence basis, BUSINESS ASSOCIATE shall, upon the termination of such coverage, secure a continued reporting endorsement which effectively converts such coverage to occurrence based coverage.