Common use of Obligations and Activities of Business Associate Clause in Contracts

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or Disclose PHI other than as permitted or required by the Service Agreement or as Required by Law. b. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use or Disclosure of PHI other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or Disclose PHI other than comply with those provisions of the Security Rule that are set forth at 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316, as permitted or required by amended from time to time, with respect the Service Agreement or as Required by Lawsecurity of PHI, in the same manner that such regulations apply to the Provider. b. Business Associate agrees to comply with the Privacy Rule at 45 C.F.R. § 164.504(e), as amended from time to time, with respect to its use and disclosure of PHI, in the same manner that such regulation applies to Provider. The additional requirements of the HITECH Act that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference hereby are incorporated into the Business Associate Agreement. c. Business Associate agrees to not use or further disclose PHI other than as specifically permitted or required by this Agreement or as required by law. d. Business Associate agrees to use appropriate safeguards and comply comply, where applicable, with Subpart C of 45 C.F.R. CFR Part 164 with respect to electronic PHI (ePHI) Electronic PHI, to prevent Use use or Disclosure disclosure of PHI other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. e. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. f. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery report to Provider if it becomes aware of any actual use or suspected disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHIPHI as required by 45 CFR 164.410, all in accordance with 45 C.F.R. § 164.410and any Security Incident of which it becomes aware. The notification shall include, Notwithstanding anything herein to the extent possible and subsequently as the information becomes availablecontrary, the identification of all Individuals whose Unsecured PHI is reasonably believed by parties acknowledge and agree that this Agreement shall constitute notice to Provider that Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individualmay periodically experience broadcast attacks on its firewall, HHSport scans, and/or the mediaunsuccessful log-on attempts, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOMdenials of service and similar unsuccessful security incidents, and Business Associate agrees need not further report such incidents to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use Provider so long as such incidents do not result in unauthorized access, use or Disclosure disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410PHI. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will on behalf of Provider agree to comply with the applicable requirements of the Security Rule same restrictions and Privacy Rule by entering into a conditions that apply to Business Associate Agreement and Business Associate shall provide DOM with a copy respect to such information, including, without limitation, implementation of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior appropriate safeguards to disclosing any protect the security of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreementsElectronic PHI. l. h. Upon the written request of Provider, Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, access to Provider to PHI that Business Associate maintains in a Designated Record SetSet (if in fact its arrangements with Provider require Business Associate to maintain Designated Record Sets on behalf of Provider), to DOM or, as directed by XXX, to an Individual in order for Provider to meet the Patient access and copying requirements under 45 CFR § 164.524. If Business Associate maintains an electronic health record which contains the PHI, Business Associate shall provide such information produced in accordance with this section 2(h) in electronic format to enable Provider to fulfill its obligations under applicable regulations. m. i. Upon the written request of Provider, Business Associate agrees to make any amendment(s) to PHI that Business Associate maintains in a Designated Record Set (if in fact its arrangements with Provider require Business Associates to maintain Designated Record Sets on behalf of Provider), that DOM the Provider directs or agrees to pursuant to 45 CFR § 164.526 164.526. j. Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of PHI available at the request of DOM the Provider to the Secretary, for purposes of determining Provider’s compliance with the Privacy Rule, subject to attorney-client or an Individual, and in the time and manner designated by XXXother applicable legal privileges. n. k. Business Associate agrees to document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Provider to respond to a request by an Individual Patient for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees , as may be amended from time to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of terminationtime. o. l. Upon written request of Provider, Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, Provider with information collected in accordance with section (III)(h) Section II.i. of this Agreement, Agreement to permit XXX Provider to respond to a request by an Individual Patient for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. m. Business Associate agrees that to the extent that Business Associate carries it is to carry out DOMProvider’s obligations obligation under the Privacy Rule, Business Associate Rule that it will comply with the requirements of the Privacy Rule that apply to DOM Provider in the performance of such obligation. r. n. Business Associate agrees to make internal practicesnotify Provider without unreasonable delay, books, and records, including policies and procedures, available but in no event more than 60 days after Business Associate becomes aware of an unauthorized use or disclosure by or on behalf of Business Associate which constitutes a Breach of Unsecured PHI unless it receives a request to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule delay such notification from a law enforcement official pursuant to 45 C.F.R. § 160.310CFR 164.412. Such notification shall include a list of impacted Patients, and describe the Breach in such reasonable detail. s. o. Upon written request of Provider, Business Associate agrees will comply with a Patient request for restriction of certain disclosures to health plans in accordance with 45 CFR 164.522 and the HITECH Act, if the disclosure is to a health care plan for the purposes of carrying out payment or health care operations and the PHI pertains solely to a health care item or service for which Patient has paid for out of pocket in full. Except to the extent that nothing in this Agreement shall permit Provider must agree to a Patient request for restriction under the HITECH Act, Business Associate shall not be required to access, store, share, maintain, transmit or comply with a Patient’s request to restrict the use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction disclosure of the United States without express written authorization from DOMPHI.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or further Disclose PHI other than as permitted or required by the Service Agreement this BAA or as Required required by Lawlaw. b. Business Associate shall agrees to use appropriate safeguards safeguards, and comply comply, as applicable, with Subpart C of 45 C.F.R. Part CFR §164 with respect to electronic PHI (ePHI) PHI, to prevent Use Uses or Disclosure Disclosures of the PHI other than as provided for by this BAA or the Agreement; however, the parties acknowledge and agree it shall be the responsibility of Customer and not Business Associate to comply with requirements under 45 CFR §164.312 to implement encryption or decryption mechanisms for electronic PHI maintained on physical media (e.g. tapes) stored by Customer with Business Associate. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discoverypromptly report to Customer any Security Incident, of any Breach, or other Use or Disclosure of PHI not provided for by this Agreement of which it becomes awareaware that is not permitted or required by this BAA or the Agreement. In the event of a Breach, such notification shall be made in accordance with and as required of a business associate by the HIPAA Rules, including without limitation pursuant to 45 CFR 164.410, but in no event more than three (3) business days after Business Associate has completed its internal investigation and confirmed a Breach as occurred. Business Associate will provide reasonable assistance and cooperation in the investigation of any such Breach and shall document the specific Deposits which have been compromised, the identity of any unauthorized third party who may have accessed or received the PHI, if known, and any Security Incident actions that have been taken by Business Associate to mitigate the effects of which it becomes awaresuch Breach. d. Business Associate agrees to mitigateshall, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to as applicable, ensure that any subcontractors business associate that createis a subcontractor that creates, receivereceives, maintainmaintains, or transmit protected health information transmits PHI on behalf of the Business Associate agree for the purpose of assisting in providing services pursuant to the Agreement, agrees to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. PHI through this BAA. e. If Business Associate agrees has custody of PHI in a Designated Record Set with respect to ensure that any Subcontractors that createIndividuals, receiveand if Customer so requests, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, access to such PHI to Customer by retrieving and in the time and manner designated by XXX, to delivering such PHI in a Designated Record Setaccordance with the terms and conditions of the Agreement, to DOM or, as directed by XXX, so that Customer may respond to an Individual in order to meet the requirements under of 45 CFR § §164.524. m. f. Business Associate agrees to make any amendment(s) that if an amendment to PHI in a Designated Record Set in the custody of Business Associate is required, and if Customer instructs Business Associate to retrieve such PHI in accordance with the Agreement, Business Associate shall perform such service so that DOM directs Customer may make any amendment to such PHI as may be required by either Customer or agrees to an Individual pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX§164.526. n. g. Business Associate agrees to document such and make available to Customer the information required to provide an accounting of Disclosures of PHI and PHI, provided that Customer has provided Business Associate with information related sufficient to enable Business Associate to determine which records or data received from or on behalf of Customer by Business Associate contain PHI. The documentation of Disclosures shall contain such Disclosures information as would be required for DOM Customer to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. §164.528 or other provisions of the HIPAA Rules. h. Business Associate agrees shall promptly notify Customer of any requests by Individuals for access to retain or knowledge or correction of PHI, without responding to such documentation requests, and Customer shall be responsible for at least six (6) years after the date of disclosure or provide a full accounting receiving and relevant documentation responding to DOM at the time of terminationany such Individual requests. o. i. To the extent the Business Associate agrees is to provide to DOM carry out one or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(hmore of Customer's obligation(s) under Subpart E of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule§164, Business Associate will shall comply with the requirements of the Privacy Rule Subpart E that apply to DOM Customer in the performance of such obligationobligation(s). r. Business x. Xxxxxxxx Associate agrees to make its internal practices, books, and records, including policies and procedures, records available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310HIPAA Rules. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use use or Disclose PHI disclose Protected Health Information other than as permitted or required by the Service this Agreement or as Required by By Law. b. , or if such use or disclosure does not otherwise cause a Breach of Unsecured Protected Health Information. Business Associate agrees that 45 CFR §§ 164.308, 164.310, 164.312, and 164.316 shall apply to Business Associate in the same manner that such sections apply to Covered Entity, and that Business Associate shall use appropriate administrative, physical, and technical safeguards and comply in compliance with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) the Security Rule, to prevent Use use or Disclosure disclosure of PHI the Protected Health Information other than as provided for by this Agreement. c. . Business Associate shall ensure that all Protected Health Information is Secured. The written policies and procedures and documentation required by 45 CFR § 164.316 shall be made available to Covered Entity, upon Covered Entity’s request. Business Associate shall comply with all the obligations required of a Business Associate under the HITECH Act. The additional requirements of the HITECH Act that relate to privacy and security and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference hereby are incorporated into this Agreement. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to promptly mitigate, to the extent practicableRequired by Law with respect to Business Associate, any harmful effect that is known to Business Associate as a result of a Use use or Disclosure disclosure of PHI Protected Health Information by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence Agreement, or that would otherwise cause a Breach of any Incident, including any action required by applicable federal and state laws and regulations. e. Unsecured Protected Health Information. Business Associate agrees to notify DOM without unreasonable delayimmediately report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement. Business Associate agrees, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §CFR § 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees ) to ensure that any subcontractors that createagent, receiveincluding Subcontractors, maintainto whom it provides Protected Health Information in any form, including electronic form, created, maintained, transmitted, or transmit protected health information received by Business Associate from or on behalf of the Business Associate agree Covered Entity agrees in writing to the same restrictions, conditions, and requirements that apply through to Business Associate with respect to such information. Moreover, Business Associate agrees to shall ensure that any Subcontractors that createsuch agent or Subcontractor agrees to implement reasonable and appropriate safeguards to protect the Covered Entity’s Protected Health Information. Notwithstanding anything to the contrary in this BAA, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy not use any agent or Subcontractor to perform any service requiring access to Protected Health Information without the express written consent of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any an authorized representative of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this AgreementCovered Entity. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide prompt access, at the request of XXX, and in the time and manner designated by XXX, Covered Entity to PHI Protected Health Information in a Designated Record Set, to DOM Covered Entity, or, as if directed by XXXCovered Entity, to an Individual Individual, in order to meet the requirements under 45 CFR § 164.524. m. . If an Individual requests directly from Business Associate (i) to inspect or copy his or her Protected Health Information, or (ii) requests its disclosure to a third party, the Business Associate shall promptly notify Covered Entity in writing of such request. Business Associate also agrees to comply with an Individual’s request to restrict the disclosure of his or her personal Protected Health Information in a manner consistent with 45 CFR § 164.522, except where such use, disclosure or request is required or permitted under applicable law. Business Associate further agrees that when requesting, using or disclosing Protected Health Information in accordance with 45 CFR § 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 CFR § 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time. Business Associate agrees to promptly make any amendment(s) to PHI Protected Health Information in a Designated Record Set that DOM the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and Covered Entity in the time and manner designated as mutually agreed by XXX. n. the parties, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526. Business Associate agrees to make its internal practices, books, and records, including its policies and procedures, relating to the use and disclosure of Protected Health Information and Breach of any Unsecured Protected Health Information created, transmitted, or received by Business Associate from or on behalf of Covered Entity, available to Covered Entity or the Secretary, in a time and manner designated by Covered Entity or the Secretary, for purposes of Covered Entity or the Secretary determining compliance with the Privacy Rule. Business Associate agrees to account for and document such Disclosures disclosures of PHI Protected Health Information, Breaches of Unsecured Protected Health Information, and information related to such Disclosures disclosures as would be required for DOM Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI Protected Health Information in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to promptly provide to DOM Covered Entity or an Individual, in a time and manner designated by DOM, Individual information collected in accordance with section (III)(hSection 2(j) of this AgreementBAA, to permit XXX Covered Entity to respond to a request by an Individual or the Secretary for an accounting of disclosures of Protected Health Information and Breaches of Unsecured Protected Health Information. To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Business Associate hereby represents and warrants that to the extent it is transmitting a financial or administrative transaction described in the Regulations (each a “Transaction”) for Covered Entity, the format and structure of such transmissions shall be in compliance with the Transaction Standards. With respect to any such Transactions, neither party shall: (i) change the definition, data, condition, or use of a data element or segment in a Transaction Standard; (ii) add any data elements or segments to the maximum defined data set; (iii) use any code or data elements that are either marked “not used” in the Transaction Standard’s implementation specification or are not in the Transaction Standard’s implementation specification(s); or (iv) change the meaning or intent of the Transaction Standard’s implementation specification(s). With respect to Electronic Protected Health Information, Business Associate will: Implement, in compliance with the requirements of the Security Rule, administrative, physical, and technical safeguards to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information it creates, transmits, maintains, or receives from or on behalf of Covered Entity; Ensure that any agent, including a Subcontractor, to whom Business Associate provides Electronic Protected Health Information agrees in writing to implement reasonable and appropriate safeguards to protect such information in compliance with the Security Rule; Business Associate acknowledges that, effective on the Effective Date of this BAA, (x) the foregoing safeguards, policies and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity, and (y) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements; Report to Covered Entity any Security Incident of which Business Associate becomes aware, including any failure of safeguards or unauthorized access to Electronic Protected Health Information. Business Associate agrees to account for and document any disclosure of Protected Health Information used or maintained as Electronic Protected Health Information and Breaches of Unsecured Protected Health Information in electronic form in a manner consistent with 45 CFR § 164.528 as would be required for Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI Protected Health Information. Business Associate agrees to promptly provide to Covered Entity, or an Individual, information collected in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use this paragraph, to permit Covered Entity to respond to a request by an Individual or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service AgreementsSecretary for an accounting of disclosures of Protected Health Information and Breaches of Unsecured Protected Health Information. Business Associate agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in section 13405(d) of Subtitle D (Privacy) of the HITECH Act, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in section 13406 of Subtitle D (Privacy) of the HITECH Act and related guidance issued by the Secretary from time to time. Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, from time to time with respect to such use and any minimum necessary policies and procedures communicated to Business Associate by DOMdisclosure requirements. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. 1. Business Associate agrees to not Use use or Disclose disclose PHI other than as permitted or required by the Service Agreement this BAA or as Required by Law. b. 2. Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. CFR Part 164 with respect to electronic PHI (ePHI) protected health information to prevent Use the use or Disclosure disclosure of PHI other than as provided for by this AgreementBAA. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any paper or electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity. c. 3. Business Associate agrees shall have procedures in place to notify DOM without unreasonable delay mitigate and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsBAA. e. 4. Business Associate agrees to notify DOM without unreasonable delayreport immediately, and but no later than seventy-two three (723) hours after discovery days, to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware including breaches of unsecured protected health information as required at 45 CFR 164.410, and any actual or suspected security incident of which it becomes aware Breach of Unsecured PHI, all notification will be written in accordance with 45 C.F.R. § 164.410. The notification shall plain language and will include, to the extent possible and subsequently as the information becomes or available, the following: a. The identification of all Individuals the individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in been, accessed, acquired or disclosed during the notification to Breach; b. A brief description of what happened, including the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one date of the exceptions to Breach and the definition date of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the IncidentBreach; c. A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether the full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); d. Any steps Individuals who were subjects of the Breach should take to protect themselves from potential harm that may result from the Breach; e. A brief description of what Business Associate is doing to investigate the Breach, to mitigate the harm to individuals, and perform such notifications if so required by DOM in its sole discretionto protect against further Breaches; and f. Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an email address, Web site, or postal address. h. 5. Business Associate agrees to be solely responsible will pay or reimburse Covered Entity for all costs and expenses penalties incurred as by Covered Entity in connection with any incident giving rise to a result Breach of an IncidentPHI and/or a Breach of System Security, including without limitation all costs associated with mitigation of the Incident and preparation and delivery of related to any investigation, any notices to affected individuals be given, reasonable legal fees, credit monitoring (where applicable), and government agenciesother efforts to mitigate the harm to Individuals or other actions taken to comply with HIPAA, the HITECH Act, or any other applicable law or regulation, where (i) the PHI was in the custody or control of Business Associate when the Breach of PHI and/or Breach of System Security occurred, or (ii) the Breach of PHI and/or Breach of System Security was caused by the negligence or wrongful acts or omissions of Business Associate and its employees, directors, officers, subcontractors, agents or other members of its workforce. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), 6. Business Associate agrees to ensure that any agents or subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate the business associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. 7. Business Associate agrees to provide access, at the request of XXXCovered Entity, and in the a reasonable time and manner designated by XXXmanner, to PHI in a Designated Record Set, to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual Individual, in order to meet the requirements under 45 CFR § 164.524. m. 8. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM Covered Entity or an Individual, and in the a reasonable time and manner designated by XXXmanner. n. 9. Business Associate agrees to make internal practices, books, and records including policies and procedures and PHI relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a reasonable time and manner, for the purpose of permitting the Secretary to determine Covered Entity's compliance with the HIPAA Rules. 10. Business Associate agrees to document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § §164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. 11. Business Associate agrees to provide to DOM Covered Entity or an Individual, in a time and manner designated by DOMreasonable time, information collected in accordance with section (III)(hSection B.(10) of this AgreementBAA, to permit XXX Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements12. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Ruleagrees, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that the Business Associate carries is to carry out DOM’s obligations one or more of Covered Entity's obligation(s) under the Privacy RuleSubpart E of 45 CFR Part 164, Business Associate will to comply with the requirements of the Privacy Rule Subpart E that apply to DOM the Covered Entity in the performance of such obligationobligation(s). r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use to: Only use or Disclose PHI other than disclose Protected Health Information as permitted or required by the Service Agreement or as Required required by Law. b. Business Associate shall use law; Use appropriate safeguards safeguards, and comply with Subpart C of 45 C.F.R. CFR Part 164 with respect to electronic PHI (ePHI) Electronic Protected Health Information, to prevent Use use or Disclosure disclosure of PHI Protected Health Information other than as provided for by this the Agreement. c. ; Report immediately, but in any case within not more than five (5) days, in writing to Covered Entity any non-permitted use or disclosure of Individually Identifiable Health Information, Protected Health Information or Electronic Health Information, by Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI Business Associate’s subcontractors not provided for by this the Agreement or otherwise required by law of which it becomes aware, . The report at minimum should include: Nature of the non-permitted or violating use or disclosure; The health information used or disclosed; Name of individual(s) who made the non-permitted or violating use or disclosure; Name of individual(s) or entity who received the non-permitted or violating use or disclosure; Identify corrective action(s) Business Associate did or will take to mitigate any adverse effect of the non-permitted use or disclosure; and any Provide such other information as Covered Entity may reasonably request. Monitor all Security Incidents and report a successful Security Incident in accordance with Section II (c) above and shall report unsuccessful Security Incidents upon request of which it becomes aware. d. Business Associate agrees to mitigate, Covered Entity; Mitigate to the extent practicable, any practicable harmful effect effects that is are known to Business Associate of a Use use or Disclosure disclosure of PHI Protected Health Information by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any IncidentAgreement, including any action or as required by applicable federal and state laws and regulations. e. law; Report immediately, but in any case within not more than five (5) days, in writing to Covered Entity any Breach or potential Breach of unsecured Individually Identifiable Health Information, Protected Health information, or Electronic Protected Health Information, as required by 45 CFR 164.410, involving Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one ’s subcontractors. The report at minimum should include: Nature of the exceptions to breach or potential breach; The Information involved; Suspected individual(s) or entity if known responsible for the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. breach or potential breach; Identify corrective action(s) Business Associate agrees did or will take to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that mitigate any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery adverse effect of the Incident, breach; and perform Provide such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred other information as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. Covered Entity may reasonably request. In accordance with 45 C.F.R. §§ CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. Business Associate agrees to make any amendment(s) to PHI ; Make available Protected Health Information in a Designated Record Set that DOM directs to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agrees agreed to by Covered Entity pursuant to 45 CFR § 164.526 164.526, or take other appropriate measures within thirty (30) days as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CF 164.528. Such information shall include at minimum: Date each disclosure is made; Name and address of the person or entity to whom each disclosure is made; A brief description of the health information disclosed; and A brief statement of the purpose of each disclosure. Notify Covered Entity’s HIPAA Compliance Officer in writing of any request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent disclosures that Business Associate carries out DOM’s obligations under receives directly from an individual within five (5) days of receipt of request; To the Privacy Rule, extent Business Associate will is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of the Privacy Rule Subpart E that apply to DOM Covered Entity in the performance of such obligation. r. Business Associate agrees to make obligation(s); Make its internal practices, books, and records, including policies and procedures, records available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees HIPAA Rules; Implement administrative, physical, and technical safeguards that nothing in this Agreement shall permit Business Associate to accessreasonably and appropriately protect the confidentiality, storeintegrity, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction availability of the United States without express written authorization from DOMelectronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity in accordance with the 45 CFR 164.306 (the HIPAA Security standards); and Maintain policies and procedures to detect, prevent, mitigate, and promptly notify Covered Entity regarding indicators of a possible risk of identity theft in connection with Covered Accounts as required by the Red Flags Rule, set forth in 16 CFR 681.1.

Obligations and Activities of Business Associate. a. (a) Business Associate agrees to not Use use or Disclose PHI disclose Protected Health Information other than as permitted or required by the Service this Agreement or as Required by By Law. b. . Business Associate shall also comply with any further limitations on uses and disclosures agreed to by Covered Entity in accordance with 45 C.F.R. 164.522 provided that such agreed upon limitations have been communicated to Business Associate according with Section 4.l(c) of this Agreement. (b) Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of PHI the Protected Health Information other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72c) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI Protected Health Information by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. (d) Business Associate agrees to notify DOM without unreasonable delayreport to Covered Entity any use or disclosure of the Protected Health Information not allowed by this Agreement of which it becomes aware. (e) Beginning on the later of the Effective Date of this Agreement or the Security Breach Compliance Date, and no later than seventy-two (72) hours after discovery of Business Associate agrees to report to Covered Entity any actual or suspected Security Breach of Unsecured PHI, all Protected Health Information without unreasonable delay and in accordance with 45 C.F.R. § 164.410no case later than sixty (60) calendar days after Discovery of a Security Breach. The notification Such notice shall include, to the extent possible and subsequently as the information becomes available, include the identification of all Individuals each individual whose Unsecured PHI Protected Health Information has been, or is reasonably believed by Business Associate Associate, to have been Breached along been, accessed, acquired, or disclosed In connection with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOMsuch Security Breach. In addition, Business Associate agrees to shall provide a written assessment to determine whether any additional information reasonably requested by Covered Entity for purposes of investigating the incident is reportable within ten (10) working daysSecurity Breach. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as notification of a business associate for DOM, regardless Security Breach under this section shall comply in all respects with each applicable provision of whether DOM and/or Business Associate are named as parties Section 13400 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to such Actionstime. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii(f) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that createagent, receiveincluding a subcontractor, maintainto whom it provides Protected Health Information received from, or transmit protected health information created or received by Business Associate on behalf of the Business Associate agree Covered Entity, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. In no event shall Business Associate, without Covered Entity’s prior written approval, provide Protected Health Information received from, or created or received by Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree Covered Entity, to comply with any employee or agent, including a subcontractor, if such employee, agent or subcontractor receives, processes or otherwise has access to the applicable requirements Protected Health Information outside of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreementsUnited States. l. (g) Business Associate agrees to provide access, at the request of XXXCovered Entity, and in the time and manner designated by XXXCovered Entity, to PHI Protected Health Information in a Designated Record Set, to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual in order to meet the requirements under 45 CFR § C.F.R. 164.524. Covered Entity’s determination of what constitutes “Protected Health Information” or a “Designated Record Set” shall be final and conclusive. If Business Associate provides copies or summaries of Protected Health Information to an Individual it may impose a reasonable, cost-based fee in accordance with 45 C.F.R. 164.524 (c)(4). m. (h) Business Associate agrees to make any amendment(s) to PHI Protected Health Information in a Designated Record Set that DOM the Covered Entity directs or agrees to pursuant to 45 CFR § C.F.R. 164.526 at the request of DOM Covered Entity or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528Covered Entity. Business Associate agrees shall not charge any fee for fulfilling requests for amendments. Covered Entity’s determination of what Protected Health Information is subject to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting amendment pursuant to 45 C.F.R. 164.526 shall be final and relevant documentation to DOM at the time of terminationconclusive. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(hi) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make (i) internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity, and (ii) policies, procedures, and documentation relating to the safeguarding of Electronic Protected Health Information available to the Secretary Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Business AssociateCovered Entity’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310and Security Rules. s. (j) Business Associate agrees to document such disclosures of Protected Health Information as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. (k) Business Associate agrees to provide to Covered Entity, in the time and manner designated by Covered Entity, the information collected in accordance with Section 2(i) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. In addition, with respect to information contained in an Electronic Health Record, Business Associate shall document, and maintain such documentation for three (3) years from date of disclosure, such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of information contained in an Electronic Health Record, as required by Section 13405(c) of Subtitle D (Privacy) of ARRA and related regulations issued by the Secretary from time to time. (l) Business Associate acknowledges that nothing it shall request from the Covered Entity and so disclose to its affiliates, agents and subcontractors or other third parties, only (i) the information contained in a “limited data set,” as such term is defined at 45 C.F.R. 164.514(e)(2), or, (ii) if needed by Business Associate, to the minimum necessary to accomplish the intended purpose of such requests or disclosures. In all cases, Business Associate shall request and disclose Protected Health Information only in a manner that is consistent with guidance issued by the Secretary from time to time. (m) With respect to Electronic Protected Health Information, Business Associate shall implement and comply with (and ensure that its subcontractors implement and comply with) the administrative safeguards set forth at 45 C.F.R. 164.308, the physical safeguards set forth at 45 C.F.R. 310, the technical safeguards set forth at 45 C.F.R. 164.312, and the policies and procedures set forth at 45 C.F.R. 164.316 to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate acknowledges that, effective the later of the Effective Date of this Agreement or February 17, 2010, (i) the foregoing safeguards, policies and procedures requirements shall permit apply to Business Associate in the same manner that such requirements apply to accessCovered Entity, storeand (ii) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, shareas amended from time to time, maintainfor failure to comply with the safeguards, transmit or use or disclose PHI in policies and procedures requirements and any form via guidance issued by the Secretary from time to time with respect to such requirements. (n) With respect to Electronic Protected Health Information, Business Associate shall ensure that any medium with any third partyagent, including a subcontractor, to whom it provides Electronic Protected Health Information, agrees to implement reasonable and appropriate safeguards to protect it. (o) Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. (p) If Business Associate conducts any Standard Transactions on behalf of Covered Entity, Business Associate shall comply with the applicable requirements of 45 C.F.R. Parts 160-162. (q) During the term of this Agreement, Business Associate may be asked to complete a security survey and/or attestation document designed to assist Covered Entity in understanding and documenting Business Associate’s Subcontractorssecurity procedures and compliance with the requirements contained herein. Business Associate’s failure to complete either of these documents within the reasonable timeframe specified by Covered Entity shall constitute a material breach of this Agreement. (r) Business Associate acknowledges that, beyond effective the boundaries and jurisdiction later of the United States without express written authorization Effective Date of this Agreement or February 17, 2010, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended from DOMtime to time, for failure to comply with any of the use and disclosure requirements of this Agreement and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or further Disclose PHI other than as permitted or required by the Service Agreement this BAA or as Required required by Lawlaw. b. Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) designed to prevent Use Uses or Disclosure Disclosures of the PHI other than as provided for by this BAA or the Services Agreement. c. Business Associate agrees to notify DOM without unreasonable delay implement and no later than seventy-two (72) hours after discoverymaintain procedures that reasonably and appropriately protect the confidentiality, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes awareintegrity, and any Security Incident availability of which electronic PHI, and consistent with and as required of business associates by the HIPAA Rules. However, it becomes awareshall be the responsibility of Customer and not Business Associate to comply with requirements under 45 CFR §164.312 to implement encryption or decryption mechanisms for electronic PHI maintained on physical media (e.g. tapes) stored by Business Associate. d. Business Associate agrees to mitigatepromptly report to Customer any Security Incident, to the extent practicableBreach, any harmful effect that is known to Business Associate of a or other Use or Disclosure of PHI of which it becomes aware that is not permitted or required by this BAA or the Services Agreement. In the event of a Breach, such notification shall be made in accordance with and as required of a business associate by the HIPAA Rules, including without limitation pursuant to 45 CFR 164.410. Business Associate will provide reasonable assistance and cooperation in the investigation of any such Breach and shall document the specific PHI which have been compromised, the identity of any unauthorized third party who may have accessed or received the PHI, if known, and any actions that have been taken by Business Associate in Violation to mitigate the effects of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationssuch Breach. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of require any actual agent or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall includesubcontractor, to whom it delivers PHI for the extent possible purposes of assisting in providing services pursuant to the Services Agreement, to enter into a written agreement requiring such agent or subcontractor to provide privacy and subsequently security protections to such PHI at least as the information becomes available, the identification stringent as those required of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410through this BAA. f. Once an actual or suspected Breach is reported If Business Associate has custody of PHI in a Designated Record Set with respect to DOMIndividuals, and if Customer so requests, Business Associate agrees to provide a written assessment access to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed such PHI to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the Customer by retrieving such PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, the terms and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery conditions of the IncidentServices Agreement, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, Customer may respond to an Individual in order to meet the requirements under of 45 CFR § §164.524. m. g. Business Associate agrees to make any amendment(s) that if an amendment to PHI in a Designated Record Set is required, if Business Associate has custody of PHI in a Designated Record Set with respect to Individuals, and if Customer instructs Business Associate to retrieve such PHI in accordance with the Services Agreement, Business Associate shall perform such service so that DOM directs Customer may make any amendment to such PHI as may be required by either Customer or agrees to an Individual pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX§164.526. n. h. Business Associate agrees to document such and make available to Customer the information required to provide an accounting of Disclosures of PHI and PHI, provided that Customer has provided Business Associate with information related sufficient to enable Business Associate to know which records or data received from or on behalf of Customer by Business Associate contain PHI. The documentation of Disclosures shall contain such Disclosures information as would be required for DOM Customer to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after §164.528 or other provisions of the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of terminationHIPAA Rules. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified i. Unless otherwise expressly agreed in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy RuleServices Agreement, Business Associate will shall promptly notify Customer of any requests by Individuals for access to or knowledge or correction of PHI, without responding to such requests, and Customer shall be responsible for receiving and responding to any such Individual requests. j. To the extent the Business Associate is to carry out one or more of Customer's obligation(s) under Subpart E of 45 CFR §164, Business Associate shall comply with the requirements of the Privacy Rule Subpart E that apply to DOM Customer in the performance of such obligationobligation(s). r. k. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, records available to the Secretary of Health and Human Services (“Secretary”) for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310HIPAA Rules. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. a) Business Associate acknowledges and agrees that it is obligated by law (or upon the effective date of any portion thereof shall be obligated) to meet the applicable provisions of HIPAA and such provisions are incorporated herein and made a part of this Business Associate Agreement. Covered Entity and Business Associate agree that any regulations and/or guidance issued by DHHS with respect to HIPAA that relate to the obligations of business associates shall be deemed incorporated into and made a part of this Business Associate Agreement. b) In accordance with 45 CFR §164.502(a)(3), Business Associate agrees not to not Use use or Disclose disclose PHI other than as permitted or required by the Service this Business Associate Agreement or as Required by Law. b. c) Business Associate shall agrees to develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to that reasonably prevent Use the use or Disclosure disclosure of PHI other than as provided for by this Business Associate Agreement. c. , in accordance with 45 CFR §§164.306, 310 and 312. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discoverydevelop, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes awareimplement, maintain, and any Security Incident use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of which it becomes awareElectronic PHI, in accordance with 45 CFR §§164.306, 308, 310, and 312. In accordance with 45 CFR §164.316, Business Associate shall also develop and implement policies and procedures and meet the documentation requirements as and at such time as may be required by HIPAA. d. d) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate Associate, of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsBusiness Associate Agreement. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72e) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. CFR §§ 164.502(e)(1)(ii) §164.308, 314 and 164.308(b)(2)502, Business Associate agrees to will ensure that any subcontractors that workforce member or agent, including a vendor or subcontractor, whom Business Associate engages to create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate agree Associate’s behalf, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Business Associate Agreement to Business Associate with respect to such information, including minimum necessary limitations. Business Associate agrees to will ensure that any Subcontractors that workforce member or agent, including a vendor or subcontractor, whom Business Associate engages to create, receive, maintain, or transmit electronic PHI (ePHIon Business Associate’s behalf, agrees to implement reasonable and appropriate safeguards to ensure the confidentiality, integrity, and availability of the PHI. f) on behalf At the request of Covered Entity, Business Associate will agree provide Covered Entity, or as directed by Covered Entity, an Individual, access to comply with PHI maintained in a Designated Record Set in a time and manner that is sufficient to meet the applicable requirements of the Security Rule and Privacy Rule 45 CFR § 164.524, and, where required by entering into a Business Associate Agreement and Business Associate HIPAA, shall provide DOM with a copy of all make such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or information available in an electronic copy to DOM’s Privacy Officer format where directed by the Covered Entity. g) At the written request of Covered Entity, (or if so, directed by Covered Entity, at the address included in Section VII(f) written request of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kindan Individual), including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, make any amendment to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order a time and manner that is sufficient to meet the requirements under of 45 CFR § 164.524164.526. m. h) In accordance with 45 CFR §164.504(e)(2), Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, and any PHI, relating to the use and disclosure of PHI, available to Covered Entity or to the Secretary for purposes of determining compliance with applicable law. To the extent permitted by law, said disclosures shall be held in strictest confidence by the Covered Entity. Business Associate will provide such access in a time and manner that is sufficient to meet any applicable requirements of applicable law. i) Business Associate agrees to document and maintain a record of disclosures of PHI and information related to such disclosures, including the date, recipient, and purpose of such disclosures, in a manner that is sufficient for Covered Entity or Business Associate to respond to a request by Covered Entity or an Individual for an Accounting of disclosures of PHI and in accordance with 45 CFR § 164.528. Business Associate further shall provide any additional information where required by HIPAA and any implementing regulations. Unless otherwise provided under HIPAA, Business Associate will maintain the Accounting with respect to each disclosure for at least six years following the date of the disclosure. j) Business Associate agrees to provide to Covered Entity upon written request, or, as directed by Covered Entity, to an Individual, an Accounting of disclosures in a time and manner that is sufficient to meet the requirements of HIPAA, in accordance with 45 CFR §164.528. In addition, where Business Associate is contacted directly by an Individual based upon information provided to the Individual by Covered Entity and where so required by HIPAA and/or any implementing regulations, Business Associate shall make such Accounting available directly to the Individual. k) In accordance with 45 CFR §164.502(b), Business Associate agrees to make reasonable efforts to limit use, disclosure, and/or requests for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Where required by HIPAA, Business Associate shall determine (in its reasonable judgment) what constitutes the minimum necessary to accomplish the intended purpose of a disclosure. l) In accordance with 45 CFR §502(a)(5), Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual, except with the express written pre- approval of Covered Entity. m) To the extent Business Associate is to carry out one or more obligation(s) of the Covered Entity’s under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). n) In accordance with 45 CFR §164.314(a)(1)(i)(C), Business Associate agrees to promptly report to Covered Entity any Security Incident of which Business Associate becomes aware. o) In accordance with 45 CFR §164.410 and the provisions of this Business Associate Agreement, Business Associate will report to Covered Entity, following Discovery and without unreasonable delay, but in no event later than five business days following Discovery, any Breach of Unsecured Protected Health Information. Business Associate shall cooperate with Covered Entity in investigating the Breach and in meeting Covered Entity’s obligations under HIPAA and any other applicable security breach notification laws, including, but not limited to, providing Covered Entity with such information in addition to Business Associate’s and/or DOM's compliance with report as Covered Entity may reasonably request, e.g., for purposes of Covered Entity making an assessment as to whether/what Breach Notification is required. Business Associate’s report under this subsection shall, to the Privacy Rule pursuant to 45 C.F.R. § 160.310.extent available at the time the initial report is required, or as promptly thereafter as such information becomes available but no later than 30 days from discovery, include: s. Business Associate agrees that nothing in this Agreement shall permit 1. The identification (if known) of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach; 2. A description of the nature of the unauthorized acquisition, access, storeuse, share, maintain, transmit or use or disclose PHI in any form via any medium with any third partydisclosure, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction date of the United States without express written authorization from DOM.Breach and the date of discovery of the Breach;

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use to: a. Not use or Disclose disclose PHI other than as permitted or required by the Service this Agreement or as Required required to perform services under a Participation Agreement into which the Parties may enter or as required by Lawlaw. b. Business Associate shall use Use appropriate safeguards administrative, technical and physical safeguards, and comply with Subpart C of 45 C.F.R. CFR Part 164 with respect to electronic PHI (ePHI) PHI, to preserve the integrity and confidentiality of PHI, and to prevent Use or Disclosure of PHI other than as provided for by the HIPAA Rules and this Agreement. c. Business Associate agrees Report to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of Covered Entity any Use or Disclosure of PHI not provided for by this the Agreement of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR 164.410, and any Security Incident of which it becomes aware. d. . Such incidents shall be reported without delay, but in no event later than fifteen (15) calendar days from the date the incident was discovered by the Business Associate. Notification from Business Associate agrees to mitigateCovered Entity must include information regarding individuals affected and number of individuals affected, to description of the extent practicableBreach or situation, any harmful effect that is known to Business Associate of a Use or Disclosure types of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt involved, steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed taken by Business Associate to have been Breached along with any other available investigate, mitigate and protect against similar future incidents, and contact information that for the individual who is required reporting the incident to be included in Covered Entity. Covered Entity reserves the notification right to make further inquiries or request further action related to the Individual, HHS, and/or reported incident. All reporting requirements related to the media, all in accordance with incident shall be handled by the data Breach notification requirements set forth in 45 C.F.R.§ 164.410Covered Entity. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. d. In accordance with 45 C.F.R. §§ CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to shall ensure that any subcontractors Subcontractor that createcreates, receivereceives, maintainmaintains, or transmit protected health information transmits PHI on behalf of the Business Associate agree agrees in writing to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such informationPHI. The Business Associate agrees to ensure is not in compliance with the HIPAA Rules if it knew of a pattern of activity or practice of a Subcontractor that any Subcontractors that create, receive, maintain, constitute a material breach or transmit electronic PHI (ePHI) on behalf violation of the subcontractor’s obligation under its contact with Business Associate will agree to comply with or other arrangement, unless the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement took reasonable steps to cure the breach or end the violation, and Business Associate shall provide DOM with a copy of all if such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written steps were unsuccessful terminated the Subcontractor or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kindarrangement, including of the use of such Subcontractors or of the adequacy of such agreementsif feasible. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to e. Make available PHI in a Designated Record Set, Set to DOM or, as directed by XXX, to an Individual Covered Entity in order to timely meet the requirements Covered Entity’s obligations under 45 CFR § 164.524. m. . Any request received by the Business Associate agrees from an Individual who is requesting access to a Designated Record Set shall be promptly forwarded to the Covered Entity. Promptly make any amendment(s) to PHI in a Designated Record Set that DOM directs as directed or agrees agreed to pursuant to 45 CFR § 164.526 at 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations timely under 45 CFR 164.526. Any request received by the request of DOM or Business Associate from an Individual, and in Individual who is requesting amendment to a Designated Record Set shall be promptly forwarded to the time and manner designated by XXXCovered Entity. n. Business Associate agrees f. Maintain a system of documentation to document such Disclosures of PHI and make available the information related required to such Disclosures as would be required for DOM to respond to a request by an Individual for provide an accounting of Disclosures of PHI in accordance with disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528. Any request received by the Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by from an Individual for who is requesting an accounting of Disclosures disclosures shall be promptly forwarded to the Covered Entity. g. To the extent Business Associate is to carry out one or more of PHI in accordance with Covered Entities obligations under Subpart E of 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose Part 164, the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the HIPAA Privacy Rule, Business Associate will shall comply with the requirements of the Privacy Rule Subpart E that apply to DOM the Covered Entity in the performance of such obligation. r. Business Associate agrees to make h. Make its internal practices, books, and records, including policies and procedures, records available to the Secretary of the Department of Health and Human Services or his or her designee, in a reasonable time and manner for purposes the purpose of determining Business Associate’s and/or DOM's permitting the Secretary to determine compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310HIPAA Rules. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. a) Business Associate acknowledges and agrees that it is obligated by law (or upon the effective date of any portion thereof shall be obligated) to meet the applicable provisions of HIPAA and such provisions are incorporated herein and made a part of this Business Associate Agreement. Covered Entity and Business Associate agree that any regulations and/or guidance issued by DHHS with respect to HIPAA that relate to the obligations of business associates shall be deemed incorporated into and made a part of this Business Associate Agreement. b) In accordance with 45 CFR §164.502(a)(3), Business Associate agrees not to not Use use or Disclose disclose PHI other than as permitted or required by the Service this Business Associate Agreement or as Required by Law. b. c) Business Associate shall agrees to develop, implement, maintain and use appropriate administrative, technical, and physical safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to that reasonably prevent Use the use or Disclosure disclosure of PHI other than as provided for by this Business Associate Agreement. c. , in accordance with 45 CFR §§164.306, 310 and 312. Business Associate agrees to notify DOM without unreasonable delay develop, implement, maintain and no later than seventy-two (72) hours after discoveryuse administrative, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes awarephysical, and any Security Incident technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of which it becomes awareElectronic PHI, in accordance with 45 CFR §§164.306, 308, 310, and 312. In accordance with 45 CFR §164.316, Business Associate shall also develop and implement policies and procedures and meet the documentation requirements as and at such time as may be required by HIPAA. d. d) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate Associate, of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsBusiness Associate Agreement. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72e) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. CFR §§ 164.502(e)(1)(ii) §164.308, 314 and 164.308(b)(2)502, Business Associate agrees to will ensure that any subcontractors that workforce member or agent, including a vendor or subcontractor, whom Business Associate engages to create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate agree Associate’s behalf, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Business Associate Agreement to Business Associate with respect to such information, including minimum necessary limitations. Business Associate agrees to will ensure that any Subcontractors that workforce member or agent, including a vendor or subcontractor, whom Business Associate engages to create, receive, maintain, or transmit electronic PHI (ePHIon Business Associate’s behalf, agrees to implement reasonable and appropriate safeguards to ensure the confidentiality, integrity, and availability of the PHI. f) on behalf At the request of Covered Entity, Business Associate will agree provide Covered Entity, or as directed by Covered Entity, an Individual, access to comply with PHI maintained in a Designated Record Set in a time and manner that is sufficient to meet the applicable requirements of the Security Rule and Privacy Rule 45 CFR § 164.524, and, where required by entering into a Business Associate Agreement and Business Associate HIPAA, shall provide DOM with a copy of all make such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or information available in an electronic copy to DOM’s Privacy Officer format where directed by the Covered Entity. g) At the written request of Covered Entity, (or if so directed by Covered Entity, at the address included in Section VII(f) written request of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kindan Individual), including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, make any amendment to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order a time and manner that is sufficient to meet the requirements under of 45 CFR § 164.524164.526. m. h) In accordance with 45 CFR §164.504(e)(2), Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, and any PHI, relating to the use and disclosure of PHI, available to Covered Entity or to the Secretary for purposes of determining compliance with applicable law. To the extent permitted by law, said disclosures shall be held in strictest confidence by the Covered Entity. Business Associate will provide such access in a time and manner that is sufficient to meet any applicable requirements of applicable law. i) Business Associate agrees to document and maintain a record of disclosures of PHI and information related to such disclosures, including the date, recipient and purpose of such disclosures, in a manner that is sufficient for Covered Entity or Business Associate to respond to a request by Covered Entity or an Individual for an Accounting of disclosures of PHI and in accordance with 45 CFR § 164.528. Business Associate further shall provide any additional information where required by HIPAA and any implementing regulations. Unless otherwise provided under HIPAA, Business Associate will maintain the Accounting with respect to each disclosure for at least six years following the date of the disclosure. j) Business Associate agrees to provide to Covered Entity upon written request, or, as directed by Covered Entity, to an Individual, an Accounting of disclosures in a time and manner that is sufficient to meet the requirements of HIPAA, in accordance with 45 CFR §164.528. In addition, where Business Associate is contacted directly by an Individual based upon information provided to the Individual by Covered Entity and where so required by HIPAA and/or any implementing regulations, Business Associate shall make such Accounting available directly to the Individual. k) In accordance with 45 CFR §164.502(b), Business Associate agrees to make reasonable efforts to limit use, disclosure, and/or requests for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Where required by HIPAA, Business Associate shall determine (in its reasonable judgment) what constitutes the minimum necessary to accomplish the intended purpose of a disclosure. l) In accordance with 45 CFR §502(a)(5), Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual, except with the express written pre- approval of Covered Entity. m) To the extent Business Associate is to carry out one or more obligation(s) of the Covered Entity’s under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). n) In accordance with 45 CFR §164.314(a)(1)(i)(C), Business Associate agrees to promptly report to Covered Entity any Security Incident of which Business Associate becomes aware. o) In accordance with 45 CFR §164.410 and the provisions of this Business Associate Agreement, Business Associate will report to Covered Entity, following Discovery and without unreasonable delay, but in no event later than five business days following Discovery, any Breach of Unsecured Protected Health Information. Business Associate shall cooperate with Covered Entity in investigating the Breach and in meeting Covered Entity’s obligations under HIPAA and any other applicable security breach notification laws, including, but not limited to, providing Covered Entity with such information in addition to Business Associate’s and/or DOM's compliance with report as Covered Entity may reasonably request, e.g., for purposes of Covered Entity making an assessment as to whether/what Breach Notification is required. Business Associate’s report under this subsection shall, to the Privacy Rule pursuant to 45 C.F.R. § 160.310.extent available at the time the initial report is required, or as promptly thereafter as such information becomes available but no later than 30 days from discovery, include: s. Business Associate agrees that nothing in this Agreement shall permit 1. The identification (if known) of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach; 2. A description of the nature of the unauthorized acquisition, access, storeuse, share, maintain, transmit or use or disclose PHI in any form via any medium with any third partydisclosure, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction date of the United States without express written authorization from DOM.Breach and the date of discovery of the Breach;

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use use or Disclose disclose PHI or other Confidential Information other than as permitted or required by the Service this Agreement or as Required by Law. b. Business Associate shall agrees to use appropriate safeguards and comply comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) the Security Rule, to prevent Use use or Disclosure disclosure of PHI other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI or other Confidential Information by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. d. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 42 U.S.C. § 17932 and 45 C.F.R.§ 164.410.C.F.R. Parts 160 and 164, Subparts A, D, and E. f. e. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use use or Disclosure disclosure of protected health information is presumed to be a Breach unless the DOM Covered Entity or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § §164.410. g. f. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent DOM without unreasonable delay, and in no case more later than 60 days seventy-two (72) hours after discovery discovery, any use or disclosure of the IncidentPHI not provided for by this Agreement of which it becomes aware, and perform such notifications if so required by DOM in its sole discretionany Security Incident of which it becomes aware. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), g. Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information PHI or Confidential Information on behalf of the Business Associate agree to the same restrictions, conditions, restrictions and requirements conditions that apply to the Business Associate with respect to such information. , in accordance with 45 C.F.R. §§ 164.308 and 164.502. h. Business Associate agrees to ensure that any Subcontractors subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement Agreement, in accordance with 45 C.F.R. §§ 164.308, 164.314, 164.502, and 164.504, and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreementsubcontractors. Business Associate understands that submission of their Subcontractorssubcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors subcontractors or of the adequacy of such agreements. l. i. Business Associate agrees to provide access, at the request of XXXDOM, and in the time and manner designated by XXXDOM, to PHI in a Designated Record Set, to DOM or, as directed by XXXDOM, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. j. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXXDOM. n. k. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at disclosure; the time provisions of terminationthis section shall survive termination of this Agreement for any reason. o. l. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(hIII)(j) of this Agreement, to permit XXX DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. m. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. n. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. o. Business Associate agrees to make internal practices, books, and records, including policies and proceduresprocedures and PHI, relating to the use and disclosure of PHI received from, created, or received by Business Associate on behalf of DOM available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310Rule. s. p. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractorssubcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM. q. Business Associate agrees that all DOM data shall not be co-mingled with other trading partner’s data, and shall be easily identifiable and exportable. DOM Data shall be stored in an individual structure in accordance with the following: Business Associate shall create an instance (single-tenant) of the particular database software utilized by Business Associate, and only DOM data shall reside in that instance of the database. The intent of this section is not to require separate procurement of hardware specific to DOM, however DOM data must not reside in a database that contains other entities’ data. r. Business Associate agrees that all DOM data will be encrypted using industry standard algorithms Triple DESDESK, AES or SSL/TLS. s. Business Associate agrees to comply with the State of Mississippi ITS Enterprise Security Policy, which will be provided upon request. t. The provisions of the HITECH Act that apply to Business Associate and are required to be incorporated by reference in a business associate agreement are hereby incorporated into this Agreement, including, without limitation, 42 U.S.C. §§ 17935(b), (c), (d) and (e), and 17936(a) and (b), and their implementing regulations. u. Without limitation of the foregoing: i. Pursuant to 42 U.S.C. § 17931(a), the following sections of the Security Rule shall apply to Business Associate in the same manner as they apply to DOM: 45 C.F.R. §§ 164.308 (Administrative Safeguards); 164.310 (Physical Safeguards); 164.312 (Technical Safeguards); and 164.316 (Policies and procedures and documentation requirements). ii. 42 U.S.C. §§ 17931(b) and 17934(c), and their implementing regulations, each apply to Business Associate with respect to its status as a business associate to the extent set forth in each such section.

Obligations and Activities of Business Associate. a. a) Business Associate agrees to shall not Use use or Disclose PHI disclose Protected Health Information other than as permitted or required by the Service Agreement this BAA or as permitted or Required by Law. b. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHIb) to prevent Use or Disclosure of PHI other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay provide those physical, technical and no later than seventy-two (72) hours after discoveryadministrative safeguards described in the Agreement including those safeguards and services selected by you and described in a Order. If Business Associate agrees as part of this BAA to carry out an obligation of yours under the Privacy Rule, then Business Associate will comply with the requirements of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes awarethe Privacy Rule applicable to such obligation. d. c) Business Associate agrees to mitigate, to the extent commercially reasonable and reasonably practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI Protected Health Information by Business Associate or its agents or subcontractors in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsBAA. e. d) Within five Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery Days of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOMbecoming aware, Business Associate agrees to provide a written assessment report to determine whether you (i) Security Incidents (as defined in 45 C.F.R. §164.304 and as further described below), (ii) the incident is reportable within ten Breach of unsecured PHI (10as defined in 45 CFR §164.402), or (iii) working days. An impermissible Use an access, acquisition, use or Disclosure disclosure of protected health information is presumed PHI in violation of this BAA. e) Both parties acknowledge that there are likely to be a Breach unless significant number of meaningless or unsuccessful attempts to access the DOM or Services, which make a real-time reporting requirement impractical for both parties. The parties acknowledge that Business Associate’s ability to report on system activity, as applicableincluding Security Incidents, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applieslimited by, all in accordance with 45 C.F.R. § 164.410and to, Customer’s specific Services and instances thereof, and does not include End User Devices. g. f) Business Associate undertakes no obligation to report unsuccessful security incidents or to report network security related incidents which occur on the Impero managed network or systems but do not directly involve Customer Data. The parties agree that the following are illustrative examples of unsuccessful security incidents which, when they do not result in the unAuthorised access, use, disclosure, modification or destruction of PHI need not be reported by Business Associate: pings against network devices, port scans, attempts to log on to a system or database with an invalid password or username, malware. g) Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that obtain from any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incidentagent, including costs associated with mitigation of the Incident and preparation and delivery of notices a subcontractor to affected individuals and government agencies. i. With respect to an Incidentwhom it provides Protected Health Information, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure reasonable assurances that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree it will adhere to the same restrictions, conditions, restrictions and requirements conditions that apply to Business Associate under this BAA with respect to such information. . h) All Protected Health Information maintained by Business Associate agrees for you will be available to ensure you in a time and manner that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree reasonably allows you to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. Business Associate shall not be obligated to provide any such information directly to any Individual or person other than you. m. i) All Protected Health Information and other information maintained by Business Associate for you will be available to you in a time and manner that reasonably allows you to comply with the requirements under 45 CFR § 164.526. j) Business Associate agrees to make any amendment(s) internal practices, books, and records available to PHI the Secretary, in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXXthe Secretary, for purposes of the Secretary’s determining your compliance with the Privacy Rule; provided, however, that time incurred by Business Associate in complying with any such request that exceeds its normal customer service parameters shall be charged to you at Business Associate’s then current hourly rate for additional services. n. k) You acknowledge that Business Associate agrees is not required by this BAA to make disclosures of Protected Health Information to Individuals or any person other than you, and that Business Associate does not, therefore, expect to maintain documentation of such disclosure as described in 45 CFR § 164.528. In the event that Business Associate does make such disclosure, it shall document such Disclosures of PHI and information related to such Disclosures the disclosure as would be required for DOM you to respond to a request by an Individual for an accounting of Disclosures of PHI disclosures in accordance with 45 CFR § §164.504(e)(2)(ii)(G) and §164.528. Business Associate agrees to retain , and shall provide such documentation for at least six (6) years after to you promptly on your request. In the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to event that a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated is made directly to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy RuleAssociate, Business Associate will comply with the requirements of the Privacy Rule that apply shall, within 2 Business Days, forward such request to DOM in the performance of such obligationCustomer. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. (a) Business Associate agrees to not Use use or Disclose further disclose PHI other than as permitted or required by the Service Agreement or as Required by Law, or as otherwise permitted or as required by this Agreement. b. (b) Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of PHI other than as provided for by this Agreement and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity pursuant to this Agreement. c. , in accordance with 42 CFR Part 2 (the Confidentiality Rule) and 45 CFR §164 (the HIPAA Security Rule). Business Associate agrees to notify DOM without unreasonable delay fully comply with the responsibilities of Business Associates as set forth in Sections 13401 and no later than seventy-two (72) hours after discovery, 13404 of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes awarethe HITECH Act. d. (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. (d) Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery report to Covered Entity any use or disclosure of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410PHI not provided for by this Agreement. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOMFurther, Business Associate agrees to report to Covered Entity any security incident, including a breach of Unsecured PHI as defined by the Security Rule, of which it becomes aware. In the event of such a breach: (1) Business Associate shall promptly notify Covered Entity of a breach when it is discovered. A breach is considered discovered on the first day on which Business Associate knows or should have known of such breach. Such notification shall identify the Individuals (and their contact information) whose Unsecured PHI has, or is reasonably believed to have been, the subject of the breach. Business Associate shall provide a written assessment additional information concerning such breach to determine whether the incident is reportable within ten Covered Entity as requested. (102) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM Covered Entity or Business Associate, as applicabledetermined by Covered Entity, demonstrates there is shall promptly notify individuals about a low probability the breach of their Unsecured PHI has been compromised or one of the exceptions to the definition of Breach appliesas soon as possible, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more but not later than 60 calendar days after discovery of the IncidentBreach, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. Notification shall be in a form and perform such notifications if so required format prescribed by DOM in its sole discretionCovered Entity and shall meet the requirements of Section 13402 of the HITECH Act. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15e) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that createagent, receiveincluding a subcontractor, maintainto whom it provides PHI received from, or transmit protected health information created or received by Business Associate on behalf of the Business Associate agree Covered Entity, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. Notwithstanding the preceding language of this subsection, Business Associate agrees to ensure acknowledges that any Subcontractors that create, receive, maintainthe PHI received from Covered Entity, or transmit electronic PHI (ePHI) on behalf of created by Business Associate will agree is covered by 42 CFR Part 2 and, therefore, Business Associate is specifically prohibited from disclosing such information to comply with the applicable requirements agents or subcontractors without specific written consent of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreementssubject individual. l. (f) Business Associate agrees to provide access, at the request of XXX, Covered Entity and in the time and manner designated by XXXCovered Entity, to PHI in a Designated Record Set, to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual in order to meet the requirements under 45 CFR § §164.524, if the Business Associate has PHI in a Designated Record Set. m. (g) Business Associate agrees to make any amendment(s) amendments to PHI in a Designated Record Set that DOM the Covered Entity directs or agrees to pursuant to 45 CFR § §164.526 at the request of DOM Covered Entity or an Individual, and in the time and manner designated by XXXCovered Entity, if Business Associate has PHI in a Designated Record Set. n. (h) Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Covered Entity, or at the request of the Covered Entity, to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary’s determining Covered Entity’s compliance with the Privacy Rule. (i) Business Associate agrees to document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § §164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. (j) Business Associate agrees to provide to DOM Covered Entity or an Individual, in a time and manner designated by DOMCovered Entity, information collected in accordance with section Section (III)(h2)(i) of this Agreement, to permit XXX Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § §164.528. p. (k) Business Associate hereby acknowledges and agrees that Covered Entity has notified Business Associate that it is required to comply with the confidentiality, disclosure, and redisclosure requirements of Mental Hygiene Law Sections 32.17, 33.13 and 33.16 to the extent that such requirements may be applicable. (l) Business Associate shall only use or disclose be directly responsible for full compliance with the minimum PHI necessary relevant requirements of the Confidentiality, Privacy, and the Security Rules to perform functions, activities, or services for, or on behalf of, DOM as specified the same extent that Covered Entity is responsible for compliance with such Rules. Business Associate acknowledges that it is subject to civil and criminal penalties for violations of such provisions in the Service Agreements. same manner as if Covered Entity violated such provisions. (m) Business Associate agrees to comply with resist any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated efforts in judicial proceedings to Business Associate by DOM. q. Business Associate agrees that obtain access to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM PHI except as expressly provided for in the performance regulations governing the Confidentiality of such obligationAlcohol and Drug Abuse Patient Records, 42 CFR Part 2. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. a) Business Associate acknowledges and agrees that it is obligated by law (or upon the effective date of any portion thereof shall be obligated) to meet the applicable provisions of HIPAA and such provisions are incorporated herein and made a part of this Business Associate Agreement. Covered Entity and Business Associate agree that any regulations and/or guidance issued by DHHS with respect to HIPAA that relate to the obligations of business associates shall be deemed incorporated into and made a part of this Business Associate Agreement. b) In accordance with 45 CFR §164.502(a)(3), Business Associate agrees not to not Use use or Disclose disclose PHI other than as permitted or required by the Service this Business Associate Agreement or as Required by Law. b. c) Business Associate shall agrees to develop, implement, maintain and use appropriate administrative, technical, and physical safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to that reasonably prevent Use the use or Disclosure disclosure of PHI other than as provided for by this Business Associate Agreement. c. , in accordance with 45 CFR §§164.306, 310 and 312. Business Associate agrees to notify DOM without unreasonable delay develop, implement, maintain and no later than seventy-two (72) hours after discoveryuse administrative, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes awarephysical, and any Security Incident technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of which it becomes awareElectronic PHI, in accordance with 45 CFR §§164.306, 308, 310, and 312. In accordance with 45 CFR §164.316, Business Associate shall also develop and implement policies and procedures and meet the documentation requirements as and at such time as may be required by HIPAA. d. d) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate Associate, of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsBusiness Associate Agreement. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72e) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. CFR §§ 164.502(e)(1)(ii) §164.308, 314 and 164.308(b)(2)502, Business Associate agrees to will ensure that any subcontractors that workforce member or agent, including a vendor or subcontractor, whom Business Associate engages to create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate agree Associate’s behalf, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Business Associate Agreement to Business Associate with respect to such information, including minimum necessary limitations. Business Associate agrees to will ensure that any Subcontractors that workforce member or agent, including a vendor or subcontractor, whom Business Associate engages to create, receive, maintain, or transmit electronic PHI (ePHIon Business Associate’s behalf, agrees to implement reasonable and appropriate safeguards to ensure the confidentiality, integrity, and availability of the PHI. f) on behalf At the request of Covered Entity, Business Associate will agree provide Covered Entity, or as directed by Covered Entity, an Individual, access to comply with PHI maintained in a Designated Record Set in a time and manner that is sufficient to meet the applicable requirements of the Security Rule and Privacy Rule 45 CFR § 164.524, and, where required by entering into a Business Associate Agreement and Business Associate HIPAA, shall provide DOM with a copy of all make such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or information available in an electronic copy to DOM’s Privacy Officer format where directed by the Covered Entity. g) At the written request of Covered Entity, (or if so directed by Covered Entity, at the address included in Section VII(f) written request of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kindan Individual), including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, make any amendment to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order a time and manner that is sufficient to meet the requirements under of 45 CFR § 164.524164.526. m. h) In accordance with 45 CFR §164.504(e)(2), Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, and any PHI, relating to the use and disclosure of PHI, available to Covered Entity or to the Secretary for purposes of determining compliance with applicable law. To the extent permitted by law, said disclosures shall be held in strictest confidence by the Covered Entity. Business Associate will provide such access in a time and manner that is sufficient to meet any applicable requirements of applicable law. i) Business Associate agrees to document and maintain a record of disclosures of PHI and information related to such disclosures, including the date, recipient, and purpose of such disclosures, in a manner that is sufficient for Covered Entity or Business Associate to respond to a request by Covered Entity or an Individual for an Accounting of disclosures of PHI and in accordance with 45 CFR § 164.528. Business Associate further shall provide any additional information where required by HIPAA and any implementing regulations. Unless otherwise provided under HIPAA, Business Associate will maintain the Accounting with respect to each disclosure for at least six years following the date of the disclosure. j) Business Associate agrees to provide to Covered Entity upon written request, or, as directed by Covered Entity, to an Individual, an Accounting of disclosures in a time and manner that is sufficient to meet the requirements of HIPAA, in accordance with 45 CFR §164.528. In addition, where Business Associate is contacted directly by an Individual-based upon information provided to the Individual by Covered Entity and where so required by HIPAA and/or any implementing regulations, Business Associate shall make such Accounting available directly to the Individual. k) In accordance with 45 CFR §164.502(b), Business Associate agrees to make reasonable efforts to limit use, disclosure, and/or requests for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Where required by HIPAA, Business Associate shall determine (in its reasonable judgment) what constitutes the minimum necessary to accomplish the intended purpose of a disclosure. l) In accordance with 45 CFR §502(a)(5), Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual, except with the express written pre- approval of Covered Entity. m) To the extent Business Associate is to carry out one or more obligation(s) of the Covered Entity’s under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). n) In accordance with 45 CFR §164.314(a)(1)(i)(C), Business Associate agrees to promptly report to Covered Entity any Security Incident of which Business Associate becomes aware. o) In accordance with 45 CFR §164.410 and the provisions of this Business Associate Agreement, Business Associate will report to Covered Entity, following Discovery and without unreasonable delay, but in no event later than five business days following Discovery, any Breach of Unsecured Protected Health Information. Business Associate shall cooperate with Covered Entity in investigating the Breach and in meeting Covered Entity’s obligations under HIPAA and any other applicable security breach notification laws, including, but not limited to, providing Covered Entity with such information in addition to Business Associate’s and/or DOM's compliance with report as Covered Entity may reasonably request, e.g., for purposes of Covered Entity making an assessment as to whether/what Breach Notification is required. Business Associate’s report under this subsection shall, to the Privacy Rule pursuant to 45 C.F.R. § 160.310.extent available at the time the initial report is required, or as promptly thereafter as such information becomes available but no later than 30 days from discovery, include: s. Business Associate agrees that nothing in this Agreement shall permit 1. The identification (if known) of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach; 2. A description of the nature of the unauthorized acquisition, access, storeuse, share, maintain, transmit or use or disclose PHI in any form via any medium with any third partydisclosure, including the date of the Breach and the date of discovery of the Breach; 3. A description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g., full name, Social Security number, date of birth, etc.); 4. The identity of the individual(s) who made and who received the unauthorized acquisition, access, use, or disclosure; 5. A description of what Business Associate is doing to investigate the Breach, to mitigate losses, and to protect against any further breaches; and 6. Contact information for Business Associate’s Subcontractorsrepresentatives knowledgeable about the Breach. p) Business Associate shall maintain for a period of six years all information required to be reported under paragraph "o". This records retention requirement does not in any manner change the obligation to timely disclose all required information relating to a non-permitted acquisition, beyond access, use or disclosure of Protected Health Information to the boundaries County Privacy Officer and jurisdiction of the United States without express written authorization from DOMCounty Project Officer or designee five business days following Discovery.

Obligations and Activities of Business Associate. a. (a) Business Associate agrees to not Use use or Disclose PHI other than disclose Protected Health Information only as permitted or required by the Service this Agreement or as Required by Law. b. (b) Business Associate shall agrees to use reasonable and appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) security measures to prevent Use or Disclosure of PHI Protected Health Information other than as provided for by this Agreement. c. . Business Associate agrees to notify DOM without unreasonable delay implement reasonable and no later than seventy-two (72) hours after discoveryappropriate administrative, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes awaretechnical, and any Security Incident physical measures to protect the confidentiality, integrity, and availability of which it becomes awareElectronic Protected Health Information as required by HIPAA. d. (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI Protected Health Information by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. (d) Business Associate agrees to notify DOM without unreasonable delayreport any Use or Disclosure of Protected Health Information not provided for by this Agreement of which Business Associate becomes aware including any Breach of unsecured Protected Health Information, and no later than seventy-two (72) hours after discovery any successful Security Incident of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410which it becomes aware. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a make the written assessment report to determine whether the incident is reportable within Covered Entity without unreasonable delay but in no event later than ten (10) working days. An impermissible business days after Business Associate learns of such unauthorized Use or Disclosure of protected health information is presumed to be a Breach unless the DOM Disclosure, Breach, or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Security Incident. Business Associate agrees to fully cooperate, coordinate with, and assist XXX cooperate with Covered Entity in gathering information necessary to notify investigating the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, Breach and in meeting the Covered Entity’s obligations under HIPAA and any other applicable security breach notification laws. To avoid unnecessary burden on either party, Business Associate shall only be required to report, upon the Covered Entity’s request, successful Security Incidents which Business Associate becomes aware; provided that the Covered Entity’s request shall be made no case more often than 60 days after discovery of is reasonable based upon the Incidentrelevant facts, circumstances and perform such notifications if so required by DOM in its sole discretionindustry standards. h. (e) Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident enter into a written corrective action plan agreement with each Subcontractor (“CAP”including, without limitation, a Subcontractor that is an agent under applicable law) describingthat creates, at a minimumreceives, maintains or transmits Protected Health Information on behalf of Business Associate, which agreement shall both meet the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii164.504(e) and 164.308(b)(2), Business Associate agrees 164.314(a)(2) and obligate the Subcontractor to ensure comply with restrictions and conditions that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of are at least as restrictive as the Business Associate agree to the same restrictions, conditions, restrictions and requirements conditions that apply to Business Associate with respect under this Agreement, all to such informationthe extent required by HIPAA. Notwithstanding the foregoing, Covered Entity acknowledges that Business Associate is not required to execute Business Associate Agreements prior to disclosing Protected Health Information to (a) employees of its wholly owned subsidiaries, and (b) individuals who are part of Business Associate’s workforce but are on staff as independent contractors. Business Associate agrees to ensure that remain responsible for any Subcontractors that create, receive, maintain, breach of this Agreement by such independent contractors or transmit electronic PHI (ePHI) on behalf employees of wholly owned subsidiaries as if the independent contractors and/or employees of wholly owned subsidiaries were employees of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. Business Associate agrees to make any amendment(s(f) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and proceduresprocedures and Protected Health Information, relating to the Use and Disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary Secretary, in a time and manner as reasonably requested by or designated by the Secretary, for purposes of the Secretary determining Business AssociateCovered Entity’s and/or DOM's compliance with the Privacy Rule Rule. (g) Business Associate agrees to document such Disclosures of Protected Health Information and information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528. Within ten (10) business days’ notice by Covered Entity to Business Associate that Covered Entity has received a request for an accounting of Disclosures of Protected Health Information (other than Disclosures to which an exception to the accounting requirement applies), Business Associate agrees to make such documentation available to Covered Entity as necessary for Covered Entity to make the accounting required by 45 C.F.R. § 164.528. (h) Business Associate agrees to provide access to Protected Health Information about an Individual at the request of Covered Entity, and in the time and manner as reasonably requested by Covered Entity, but no later than ten (10) business days, to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the requirements under 45 C.F.R. § 164.524. If Business Associate receives a request for access to Protected Health Information directly from an Individual, Business Associate agrees to forward such request to Covered Entity within five (5) business days. (i) Business Associate agrees to make any amendment(s) to Protected Health Information that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 160.310. s. 164.526 at the request of Covered Entity, and in the time and manner mutually agreed by the parties. If Business Associate receives a request for amendment to Protected Health Information directly from an Individual, Business Associate agrees that nothing in this Agreement shall permit to forward such request to Covered Entity within five (5) business days. (j) To the extent reasonable and/or required by applicable law, Business Associate agrees to accesscomply with the determination of a request for restriction to the Use or Disclosure of Protected Health Information and/or determination of a request for alternative methods of confidential communication pursuant to 45 C.F.R § 164.522 at the request of Covered Entity, storeand in the time and manner mutually agreed to by the parties acting reasonably and in good faith. If Business Associate receives a request for restriction to the Use or Disclosure of Protected Health Information and/or request for alternative methods of confidential communication directly from an Individual, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOMAssociate agrees to forward such request to Covered Entity within five (5) business days.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use use or Disclose PHI disclose Protected Health Information other than as permitted or required by the Service Agreement or as Required required by Lawlaw. b. Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of PHI the Protected Health Information other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, report to Covered Entity any use or disclosure of any Use or Disclosure of PHI the Protected Health Information not provided for by this Agreement of which it becomes aware, and any Security Incident including breaches of which it becomes awareunsecured protected health information, as required at 45 C.F.R. 164.410. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. e. Report to the Covered Entity any security incident of which it becomes aware. f. Business Associate shall notify the Covered Entity of a breach of unsecured PHI on the first day on which such breach is known by Business Associate or an employee, officer or agent of Business Associate other than the person committing the breach, or as soon as possible following the first day on which Business Associate or an employee, officer or agent of Business Associate other than the person committing the breach should have known by exercising reasonable diligence of such breach. Notification shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the breach. Business Associate agrees shall also provide the Covered Entity with any other available information at the time Business Associate makes notification to ensure the Covered Entity or promptly thereafter as information becomes available. Such additional information shall include (i) a brief description of what happened, including the date of the breach; (ii) a description of the types of unsecured PHI that were involved in the breach; (iii) any Subcontractors steps the Business Associate believes individuals should take to protect themselves from potential harm resulting from the breach; and (iv) a brief description of what Business Associate is doing to investigate the breach, mitigate harm to individuals, and protect against any future breaches. For purposes of this paragraph, unsecured PHI means protected health information that createis not rendered unusable, receive, maintainunreadable, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree indecipherable to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of unauthorized persons through the use of such Subcontractors a technology or methodology specified by the U.S. Secretary of the adequacy of such agreementsHealth and Human Services. l. g. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, Covered Entity to PHI in a Designated Record Set, Protected Health Information to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. h. Business Associate agrees to make internal practices, books, and records, including policies and proceduresprocedures and Protected Health Information, available to the Secretary of the U.S. Department of Health and Human Services for purposes the purpose of determining Business Associate’s and/or DOM's compliance with the Privacy Rule HIPAA Rules. i. Business Associate agrees to document and provide to Covered Entity such disclosures of Protected Health Information and information as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. j. Make any amendment(s) to Protected Health Information in a designated record set as directed or agreed to by the covered entity pursuant to 45 C.F.R. § 160.310164.526, or take other measures as necessary to satisfy covered entity's obligations under 45 C.F.R. 164.526. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or Disclose PHI other than comply with those provisions of the Security Rule that are set forth at 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316, as permitted or required by amended from time to time, with respect the Service Agreement or as Required by Lawsecurity of PHI, in the same manner that such regulations apply to the Provider. b. Business Associate agrees to comply with the Privacy Rule at 45 C.F.R. § 164.504(e), as amended from time to time, with respect to its use and disclosure of PHI, in the same manner that such regulation applies to Provider. The additional requirements of the HITECH Act that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference hereby are incorporated into the Business Associate Agreement. c. Business Associate agrees to not use or further disclose PHI other than as specifically permitted or required by this Agreement or as required by law. d. Business Associate agrees to use appropriate safeguards and comply comply, where applicable, with Subpart C of 45 C.F.R. CFR Part 164 with respect to electronic PHI (ePHI) Electronic PHI, to prevent Use use or Disclosure disclosure of PHI other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. e. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. f. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery report to Provider if it becomes aware of any actual use or suspected disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHIPHI as required by 45 CFR 164.410, all in accordance with 45 C.F.R. § 164.410and any Security Incident of which it becomes aware. The notification shall include, Notwithstanding anything herein to the extent possible and subsequently as the information becomes availablecontrary, the identification of all Individuals whose Unsecured PHI is reasonably believed by parties acknowledge and agree that this Agreement shall constitute notice to Provider that Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individualmay periodically experience broadcast attacks on its firewall, HHSport scans, and/or the mediaunsuccessful log-on attempts, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOMdenials of service and similar unsuccessful security incidents, and Business Associate agrees need not further report such incidents to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use Provider so long as such incidents do not result in unauthorized access, use or Disclosure disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410PHI. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will on behalf of Provider agree to comply with the applicable requirements of the Security Rule same restrictions and Privacy Rule by entering into a conditions that apply to Business Associate Agreement and Business Associate shall provide DOM with a copy respect to such information, including, without limitation, implementation of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior appropriate safeguards to disclosing any protect the security of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreementsElectronic PHI. l. h. Upon the written request of Provider, Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, access to Provider to PHI that Business Associate maintains in a Designated Record SetSet (if in fact its arrangements with Provider require Business Associate to maintain Designated Record Sets on behalf of Provider), to DOM or, as directed by XXX, to an Individual in order for Provider to meet the Patient access and copying requirements under 45 CFR § 164.524. If Business Associate maintains an electronic health record which contains the PHI, Business Associate shall provide such information produced in accordance with this section 2(h) in electronic format to enable Provider to fulfill its obligations under applicable regulations. m. i. Upon the written request of Provider, Business Associate agrees to make any amendment(s) to PHI that Business Associate maintains in a Designated Record Set (if in fact its arrangements with Provider require Business Associates to maintain Designated Record Sets on behalf of Provider), that DOM the Provider directs or agrees to pursuant to 45 CFR § 164.526 164.526. j. Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of PHI available at the request of DOM the Provider to the Secretary, for purposes of determining Provider’s compliance with the Privacy Rule, subject to attorney-client or an Individual, and in the time and manner designated by XXXother applicable legal privileges. n. k. Business Associate agrees to document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Provider to respond to a request by an Individual Patient for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees , as may be amended from time to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of terminationtime. o. l. Upon written request of Provider, Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, Provider with information collected in accordance with section (III)(h) Section II.k of this Agreement, Agreement to permit XXX Provider to respond to a request by an Individual Patient for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. m. Business Associate agrees that to the extent that Business Associate carries it is to carry out DOMProvider’s obligations obligation under the Privacy Rule, Business Associate Rule that it will comply with the requirements of the Privacy Rule that apply to DOM Provider in the performance of such obligation. r. n. Business Associate agrees to make internal practicesnotify Provider without unreasonable delay, books, and records, including policies and procedures, available but in no event more than 60 days after Business Associate becomes aware of an unauthorized use or disclosure by or on behalf of Business Associate which constitutes a Breach of Unsecured PHI unless it receives a request to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule delay such notification from a law enforcement official pursuant to 45 C.F.R. § 160.310CFR 164.412. Such notification shall include a list of impacted Patients, and describe the Breach in such reasonable detail to enable Provider to fulfill its obligations under applicable regulations. s. o. Upon written request of Provider, Business Associate agrees will comply with a Patient request for restriction of certain disclosures to health plans in accordance with 45 CFR 164.522 and the HITECH Act, if the disclosure is to a health care plan for the purposes of carrying out payment or health care operations and the PHI pertains solely to a health care item or service for which Patient has paid for out of pocket in full. Except to the extent that nothing in this Agreement shall permit Provider must agree to a Patient request for restriction under the HITECH Act, Business Associate shall not be required to access, store, share, maintain, transmit or comply with a Patient’s request to restrict the use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction disclosure of the United States without express written authorization from DOMPHI.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or Disclose PHI other than as permitted or required by the Service this Agreement or as Required by By Law. b. Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent the Use or Disclosure of PHI other than as provided for by this Agreement. Business Associate further agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PHI, as provided for in the Security Rule and as mandated by Section 13401 of the HITECH Act. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement. Business Associate further agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsin a manner as prescribed in this Agreement. e. d. Business Associate agrees to notify DOM without unreasonable delayreport to Covered Entity any Security Incident, and no later than seventy-two (72) hours after discovery including all data Breaches or compromises, whether internal or external, related to PHI, whether the PHI is secured or unsecured, of any actual or suspected Breach of which Business Associate becomes aware. e. If the Breach, as discussed in paragraph 2(d), pertains to Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, then Business Associate agrees to provide a written assessment report any such data Breach to determine whether the incident is reportable Covered Entity within ten (10) working daysbusiness days of discovery of the Breach; all other compromises, or attempted compromises, of PHI must be reported to Covered Entity within twenty (20) business days of discovery. An impermissible Use or Disclosure Business Associate further agrees, consistent with Section 13402 of protected health the HITECH Act, to provide Covered Entity with information is presumed necessary for Covered Entity to meet the requirements of the HITECH Act, and in a manner and format to be specified by Covered Entity. f. If Business Associate is an Agent of Covered Entity, then Business Associate agrees that any Breach of Unsecured PHI will be reported to Covered Entity immediately after the Business Associate becomes aware of the Breach, and under no circumstances later than one (1) business day after the Breach. Business Associate further agrees that any compromise, or attempted compromise, of PHI, other than a Breach unless of Unsecured PHI as specified in 2(e) of this Agreement, must be reported to Covered Entity within ten (10) business days of discovering the DOM compromise, or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410attempted compromise. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident areSubcontractor, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. whom Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or provides PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate further agrees that restrictions and conditions analogous to those contained in this Agreement will be imposed on the Subcontractors via a written agreement that complies with all the requirements specified in §164.504(e)(2), and that Business Associate may only provide the Subcontractors PHI consistent with Section 13405(b) of the HITECH Act. Further, Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements provide copies of the Security Rule and Privacy Rule by entering into written agreements to Covered Entity within ten (10) business days of a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business AssociateCovered Entity’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a request for the written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. h. Business Associate agrees to provide access, at the request of XXX, Covered Entity and in the time and manner designated by XXXduring normal business hours, to PHI in a Designated Record Set, Set to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual Individual, in order to meet the Covered Entity’s requirements under 45 CFR § §164.524, provided that Covered Entity delivers to Business Associate a written notice at least three (3) business days in advance of requesting such access. Business Associate further agrees, in the case where Business Associate controls access to PHI in an Electronic Health Record, or controls access to PHI stored electronically in any format, to provide similar access in order for Covered Entity to meet its requirements under the HIPAA Rules and under Section 13405(c) of the HITECH Act. These provisions do not apply if Business Associate and its employees or Subcontractors have no PHI in a Designated Record Set of Covered Entity. m. i. Business Associate agrees to make any amendment(s) amendments to PHI in a Designated Record Set that DOM Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 §164.526, at the request of DOM Covered Entity or an Individual, . This provision does not apply if Business Associate and in the time and manner designated by XXXits employees or Subcontractors have no PHI from a Designated Record Set of Covered Entity. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request j. Unless otherwise protected or prohibited from discovery or disclosure by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individuallaw, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and proceduresprocedures (collectively “Compliance Information”), relating to the Use or Disclosure of PHI and the protection of PHI, available to the Covered Entity or to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Rules and the HITECH Act. Business Associate further agrees, at the request of Covered Entity, to provide Covered Entity with demonstrable evidence that its Compliance Information ensures Business Associate’s and/or DOM's compliance with this Agreement over time. Business Associate will have a reasonable time within which to comply with requests for such access or demonstrable evidence, consistent with this Agreement. In no case may access, or demonstrable evidence, be required in less than five (5) business days after Business Associate’s receipt of such request, unless otherwise designated by the Privacy Rule pursuant to 45 C.F.R. § 160.310Secretary. s. k. Business Associate agrees that nothing to maintain necessary and sufficient documentation of Disclosures of PHI as would be required for Covered Entity to respond to a request by an Individual for an accounting of such Disclosures, in accordance with 45 CFR §164.528. l. On request of Covered Entity, Business Associate agrees to provide to Covered Entity documentation made in accordance with this Agreement to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528. Business Associate shall provide the documentation in a manner and format to be specified by Covered Entity. Business Associate will have a reasonable time within which to comply with such a request from Covered Entity and in no case may Business Associate be required to provide such documentation in less than three (3) business days after Business Associate's receipt of such request. m. Except as provided for in this Agreement shall permit Agreement, in the event Business Associate to receives an access, storeamendment, shareaccounting of disclosure, maintainor other similar request directly from an Individual, transmit Business Associate shall redirect the Individual to the Covered Entity. n. To the extent that Business Associate carries out one or use more of Covered Entity’s obligations under the HIPAA Rules, the Business Associate must comply with all requirements of the HIPAA Rules that would be applicable to the Covered Entity. o. Business Associate must honor all restrictions consistent with 45 C.F.R. §164.522 that the Covered Entity or disclose PHI in any form via any medium with any third partythe Individual makes the Business Associate aware of, including Business Associatethe Individual’s Subcontractorsright to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, beyond the boundaries and jurisdiction in accordance with Section 13405(a) of the United States without express written authorization from DOMHITECH Act.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or Disclose comply with those provisions of the Security Rule that are set forth at 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316, as amended from time to time, with respect the security of PHI, in the same manner that such regulations apply to the Provider. Any additional requirements of the HITECH Act that relate to security of PHI other than as permitted or required and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by the Service Agreement or as Required by Lawthis reference hereby are incorporated into this Business Associate Agreement. b. Business Associate shall use appropriate safeguards and agrees to comply with Subpart C of the Privacy Rule at 45 C.F.R. Part 164 § 164.504(e), as amended from time to time, with respect to electronic its use and disclosure of PHI, in the same manner that such regulation applies to Provider. The additional requirements of the HITECH Act that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference hereby are incorporated into the Business Associate Agreement. c. Business Associate agrees to not use or further disclose PHI other than as specifically permitted or required by this Agreement or as required by law. d. Business Associate agrees to use appropriate Administrative, Technical, and Physical Safeguards to (ePHI1) to prevent Use use or Disclosure disclosure of PHI other than as provided for by this Agreement; and (2) reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic PHI. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. e. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. f. Business Associate agrees to notify DOM without unreasonable delayreport to Provider if it becomes aware of any (1) use or disclosure of PHI not provided for by this Agreement; (2) unauthorized access of Electronic PHI; (3) unauthorized destruction or modification of Electronic PHI; or (4) unauthorized interference with the systems operations of Business Associate’s electronic information systems containing Electronic PHI. Notwithstanding anything herein to the contrary, the parties acknowledge and agree that this Agreement shall constitute notice to Provider that Business Associate may periodically experience broadcast attacks on its firewall, port scans, unsuccessful log-on attempts, denials of service and similar unsuccessful security incidents, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate need not further report such incidents to have been Breached along with any other available information that is required to be included Provider so long as such incidents do not result in the notification to the Individualunauthorized access, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual use or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410PHI. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident areagent, subject including a sub-contractor, to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required whom it provides PHI created or received by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree Provider, agrees to substantially the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate agrees , including, without limitation, implementation of appropriate safeguards to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf protect the security of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreementsElectronic PHI. l. h. Upon the written request of Provider, Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, access to Provider to PHI that Business Associate maintains in a Designated Record SetSet (if in fact its arrangements with Provider require Business Associate to maintain Designated Record Sets on behalf of Provider), to DOM or, as directed by XXX, to an Individual in order for Provider to meet the Patient access and copying requirements under 45 CFR § 164.524. If Business Associate maintains an electronic health record which contains the PHI, Business Associate shall provide such information produced in accordance with this section 2(h) in electronic format to enable Provider to fulfill its obligations under applicable regulations. m. i. Upon the written request of Provider, Business Associate agrees to make any amendment(s) to PHI that Business Associate maintains in a Designated Record Set (if in fact its arrangements with Provider require Business Associates to maintain Designated Record Sets on behalf of Provider), that DOM the Provider directs or agrees to pursuant to 45 CFR § 164.526 164.526. j. Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of PHI available at the request of DOM the Provider to the Secretary, for purposes of determining Provider’s compliance with the Privacy Rule, subject to attorney-client or an Individual, and in the time and manner designated by XXXother applicable legal privileges. n. k. Business Associate agrees to document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Provider to respond to a request by an Individual Patient for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees , as may be amended from time to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of terminationtime. o. l. Upon written request of Provider, Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, Provider with information collected in accordance with section (III)(h) Section II.i. of this Agreement, Agreement to permit XXX Provider to respond to a request by an Individual Patient for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. m. Business Associate agrees to comply with any guidance issued notify Provider without unreasonable delay, but in no event more than 60 days after Business Associate becomes aware of an unauthorized use or disclosure by the Secretary or on what behalf of Business Associate which constitutes “minimum necessary” for purposes a Breach of the Privacy RuleUnsecured PHI. Such notification shall include a list of impacted Patients, and any minimum necessary policies and procedures communicated to Business Associate by DOMdescribe the Breach in such reasonable detail. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rulen. Upon written request of Provider, Business Associate will comply with a Patient request for restriction of certain disclosures to health plans in accordance with 45 CFR 164.522 and the requirements HITECH Act, if the disclosure is to a health care plan for the purposes of carrying out payment or health care operations and the Privacy Rule PHI pertains solely to a health care item or service for which Patient has paid for out of pocket in full. Except to the extent that apply Provider must agree to DOM in a Patient request for restriction under the performance of such obligation. r. HITECH Act, Business Associate agrees shall not be required to make internal practices, books, and records, including policies and procedures, available comply with a Patient’s request to restrict the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction disclosure of the United States without express written authorization from DOMPHI.

Obligations and Activities of Business Associate. a. (a) Business Associate agrees to not Use use or Disclose PHI further disclose Protected Health Information other than as permitted or required by the Service Agreement this BAA or as Required by Law. b. . Business Associate shall also comply with any further limitations on uses and disclosures agreed by Covered Entity in accordance with 45 C.F.R. 164.522 provided that such agreed upon limitations have been communicated to Business Associate in accordance with Section 4.1(c) of this BAA. (b) Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of PHI the Protected Health Information other than as provided for by this AgreementBAA, including but not limited to the safeguards described in Section 2(m) of this BAA. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72c) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI Protected Health Information by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsBAA. e. (d) Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two promptly report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware. (72e) hours after discovery of Business Associate agrees to report to Covered Entity any actual or suspected Breach of Unsecured PHI, all Protected Health Information without unreasonable delay and in accordance with 45 C.F.R. § 164.410no case later than five (5) Business days after Discovery of a Breach. The notification Such notice shall include, to the extent possible and subsequently as the information becomes available, include the identification of all Individuals each Individual whose Unsecured PHI Protected Health Information has been, or is reasonably believed by Business Associate Associate, to have been Breached along been, accessed, acquired, or disclosed In connection with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOMsuch Breach. In addition, Business Associate agrees to shall provide a written assessment to determine whether any additional information reasonably requested by Covered Entity for purposes of investigating the incident is reportable within ten (10) working daysBreach. An impermissible Use or Disclosure Business Associate’s notification of protected health information is presumed to be a Breach unless under this section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of AXXX, 00 XXX 164.410, and related guidance issued by the DOM Secretary from time to time. Without limiting Covered Entity’s remedies under Section 6 or any other provision of this BAA, in the event of a Breach involving Unsecured Protected Health Information maintained, used or disclosed by Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees shall reimburse Covered Entity for the cost of providing any legally required notice to fully cooperate, coordinate with, affected Individuals and assist XXX in gathering information the cost of credit monitoring for such Individuals to extent deemed necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM Covered Entity in its sole reasonable discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15f) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(iiCFR 164.502(e)(l)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information Protected Health Information on behalf of the Business Associate agree in writing to the same restrictions, conditions, restrictions and requirements conditions that apply through this BAA to Business Associate with respect to such information. In no event shall Business Associate, without Covered Entity’s prior written approval, provide Protected Health Information received from, or created or received by Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree Covered Entity, to comply with any employee or agent, including a subcontractor, if such employee, agent or subcontractor receives, processes or otherwise has access to the applicable requirements Protected Health Information outside of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreementsUnited States. l. (g) Business Associate agrees to provide access, at the request of XXXCovered Entity, and in within ten (10) business days of the time and manner designated by XXXrequest from Covered Entity, to PHI Protected Health Information in a Designated Record Set, to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual in order to meet the requirements under 45 CFR § C.F.R. 164.524. Covered Entity’s determination of what constitutes “Protected Health Information” or a “Designated Record Set” shall be final and conclusive. If Business Associate provides copies or summaries of Protected Health Information to an Individual it may impose a reasonable, cost-based fee in accordance with 45 C.F.R. 164.524 (c)(4). m. (h) Business Associate agrees to make any amendment(s) to PHI Protected Health Information in a Designated Record Set that DOM the Covered Entity directs or agrees to pursuant to 45 CFR § C.F.R. 164.526 at the request of DOM Covered Entity or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures within ten (10) business days of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528Covered Entity. Business Associate agrees shall not charge any fee for fulfilling requests for amendments. Covered Entity’s determination of what Protected Health Information is subject to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting amendment pursuant to 45 C.F.R. 164.526 shall be final and relevant documentation to DOM at the time of terminationconclusive. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(hi) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make (i) internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity, and (ii) policies, procedures, and documentation relating to the safeguarding of Electronic Protected Health Information available to the Secretary Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s or Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310and Security Rules. s. (j) Business Associate agrees that nothing to document such disclosures of Protected Health Information as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in this Agreement shall permit accordance with 45 C.F.R. 164.528. (k) Business Associate agrees to accessprovide to Covered Entity, storein the time and manner described below, sharethe information collected in accordance with Section 2(j) of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. Business Associate agrees to provide such information to Covered Entity within thirty (30) business days of receipt of a request from Covered Entity. (l) Business Associate acknowledges that it shall request from the Covered Entity and so disclose to its affiliates, Licensed Agents and subcontractors or other third parties, (i) the information contained in a “limited data set,” as such term is defined at 45 C.F.R. 164.514(e)(2), or, (ii) if needed by Business Associate, to the minimum necessary to accomplish the intended purpose of such requests or disclosures, in all cases, Business Associate shall request and disclose Protected Health Information only in a manner that is consistent with guidance issued by the Secretary from time to time. (m) With respect to Electronic Protected Health Information, Business Associate shall implement and comply with (and ensure that its subcontractors implement and comply with) the administrative safeguards set forth at 45 C.F.R. 164.308, the physical safeguards set forth at 45 C.F.R. 310, the technical safeguards set forth at 45 C.F.R. 164.312, and the policies and procedures set forth at 45 C.F.R. 164.316 to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate acknowledges that, (i) the foregoing safeguard, policies and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity, and (ii) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguard, policies and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements. (n) With respect to Electronic Protected Health Information, Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit or use or disclose PHI in Electronic Protected Health Information on behalf of Business Associate, agree to comply with the applicable requirements of Subpart C of 45 C.F.R. Part 164 by entering into a contract that complies with 45 C.F.R. Section 164.314. (o) Business Associate shall report to Covered Entity any form via any medium with any third partySecurity Incident of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 C.F.R. Section 164.410. (p) If Business Associate conducts any Standard Transactions on behalf of Covered Entity, Business Associate shall comply with the applicable requirements of 45 C.F.R. Parts 160- 162. (q) During the term of this BAA, Business Associate may be asked to complete a security survey and/or attestation document designed to assist Covered Entity in understanding and documenting Business Associate’s Subcontractorssecurity procedures and compliance with the requirements contained herein. Business Associate’s failure to complete either of these documents within the reasonable timeframe specified by Covered Entity shall constitute a material breach of this BAA. (r) Business Associate acknowledges that, beyond the boundaries and jurisdiction as of the United States without express written authorization Effective Date, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended from DOMtime to time, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements. (s) To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s). (t) To the extent that Business Associate provides services to Covered Entity relating to individuals enrolled in state or federal programs (e.g., Medicare or Medicaid), Business Associate shall comply with any additional restrictions or requirements related to the use, disclosure, maintenance, and protection of Protected Health Information of individuals enrolled in such programs through Covered Entity. With respect to the Protected Health Information of Medicare enrollees, Business Associate shall report privacy and security incidents and/or Breaches immediately, but not later than one (1) day, to Covered Entity and include the information required under this Section 2 of this Addendum.

Obligations and Activities of Business Associate. a. 2.1. Business Associate agrees to shall not Use use or Disclose PHI disclose Protected Health Information other than as permitted or required by the Service Agreement this BAA or as Required by Law. b. 2.2. Business Associate shall agrees to use appropriate physical, technical, and administrative safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of PHI Protected Health Information other than as provided for by this AgreementBAA. These safeguards shall include, but not be limited to, policies and procedures for reasonably and appropriately protecting the confidentiality, integrity and availability of Electronic Protected Health Information. With respect to such information, Business Associate shall meet the requirements of the Security Rule that apply to business associates. c. 2.3. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, report in writing to Covered Entity any use or disclosure of any Use or Disclosure of PHI Protected Health Information not provided for by this Agreement BAA and any Security Incidents within the meaning of 45 CFR § 164.304, of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that . Notice is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delaydeemed provided, and no later than seventy-two (72) hours after discovery further notice will be given, with respect to routine unsuccessful attempts at unauthorized access to ePHI such as pings and other broadcast attacks on firewalls, denial of any actual or suspected service attacks, failed login attempts, and port scans. Business Associate shall provide a summary of such unsuccessful Security Incidents, at an aggregate level, upon request of Covered Entity once a year. In the event of a Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed Protected Health Information by Business Associate, Business Associate to have been Breached along with any other available information that is required to be included in shall notify Covered Entity of the notification to the Individual, HHS, and/or the media, all Breach in accordance with the data Breach notification requirements set forth in under 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. CFR § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent . Incidents under this section shall be reported without unreasonable delay, delay and in no case more later than 60 thirty (30) calendar days after discovery of the Incidentincident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees unless a law enforcement delay applies pursuant to be solely responsible for all costs and expenses incurred as 45 CFR § 164.412. In the event of a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental law enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2)delay, Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of shall notify Covered Entity within the time frame required by such section. 2.4. Business Associate shall, through written agreement, require any Subcontractor to agree to the same restrictions, conditions, restrictions and requirements conditions at least as strict as those that apply through this BAA to Business Associate with respect to such informationProtected Health Information. Business Associate agrees may disclose all or some of the terms of this BAA to ensure that any of its Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of to secure its compliance with such restrictions and conditions. 2.5. To the extent Business Associate will agree maintains in its systems Covered Entity’s Protected Health Information, and at Covered Entity’s reasonable and timely request, pursuant to comply with the applicable requirements of the Security Rule and Privacy Rule a request by entering into a Business Associate Agreement and an Individual, Business Associate shall provide DOM Covered Entity with a copy of all such executed agreements between Protected Health Information that Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI maintains in a Designated Record Set, Set within fifteen calendar days of receipt of notice of an Individual’s request to DOM or, as directed by XXX, allow Covered Entity to an Individual in order to meet comply with the requirements under 45 CFR § 164.524. m. 2.6. To the extent Business Associate maintains in its systems Covered Entity’s Protected Health Information, and at Covered Entity’s reasonable and timely request, pursuant to a request by an Individual, Business Associate shall make Protected Health Information that it maintains in a Designated Record Set available to Covered Entity for amendment within fifteen calendar days of receipt of notice of an Individual’s request to allow Covered Entity to comply with the requirements under 45 CFR § 164.526. 2.7. Business Associate agrees to make any amendment(s) internal practices, books, and records relating to PHI the use and disclosure of Protected Health Information available to the Secretary in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXXthe Secretary, for purposes of the Secretary’s determining Covered Entity’s compliance with the Privacy Rule. n. 2.8. Business Associate agrees to document such Disclosures disclosures of PHI Protected Health Information and information related to such Disclosures disclosures as would be required for DOM Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI Protected Health Information in accordance with the requirements under 45 CFR § 164.528. Upon Covered Entity’s reasonable and timely request, Business Associate agrees to retain shall provide Covered Entity with such documentation for at least six (6) years after the date accounting within fifteen calendar days of disclosure or provide a full accounting and relevant documentation to DOM at the time receipt of termination. o. Business Associate agrees to provide to DOM or notice of an Individual, in a time and manner designated by DOM, information collected in accordance ’s request to allow Covered Entity to comply with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with the requirements under 45 CFR § 164.528. p. 2.9. To the extent Business Associate agrees that it shall only use is to carry out one or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes more of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOMCovered Entity’s obligations obligation(s) under the Privacy RuleSubpart E of 45 CFR Part 164, Business Associate will shall comply with the requirements of the Privacy Rule Subpart E that apply to DOM Covered Entity in the performance of such obligationobligation(s). Notwithstanding the foregoing, the Parties do not intend for Covered Entity to delegate any HIPAA regulated functions or obligations to Business Associate. r. 2.10. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or associate may not use or disclose PHI Protected Health Information in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity except for the boundaries specific uses and jurisdiction of the United States without express written authorization from DOMdisclosures set forth below in Sections 3(c) and (d).

Obligations and Activities of Business Associate. a. A. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to not Use to: 1. Not use or Disclose disclose PHI other than as permitted or required by the Service this Agreement or as Required by By Law. b. Business Associate shall use 2. Use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of the PHI other than as provided for by this Agreement. c. 3. Appoint and authorize a Privacy Officer to monitor the Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by Associate’s compliance with this Agreement and provisions of which it becomes aware, HIPAA and any Security Incident of which it becomes awareHITECH. d. Business Associate agrees 4. Cooperate with Covered Entity to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. Business Associate agrees 5. Report to notify DOM without unreasonable delayCovered Entity within sixty (60) days of discovery any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware, and no later than seventy-two (72) hours after discovery include such detail as may be available concerning the nature of the unauthorized use or disclosure, together with any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed remedial steps taken by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410prevent further nay disclosure or recurrence. f. Once an actual 6. Ensure that any agent, including a subcontractor, to whom it provides PHI received from, or suspected Breach is reported to DOM, created or received by Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree Covered Entity agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. 7. Business Associate agrees to ensure that any Subcontractors that createMake internal practices, receivebooks, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kindrecords, including of policies and procedures and PHI, available to the use of such Subcontractors Covered Entity or of to the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and Secretary in the a time and manner specified by Covered Entity or designated by XXXthe Secretary, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet for purposes of the requirements under 45 CFR § 164.524Secretary determining Covered Entity’s compliance with the Privacy Rule. m. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document 8. Document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees 9. Provide to provide to DOM Covered Entity or an Individual, in a time and manner designated reasonably specified by DOMCovered Entity, information collected in accordance with section (III)(h) Section II.A.7. above of this Agreement, to permit XXX Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose B. In connection with the minimum PHI necessary to perform functionsperformance of its services, activities, or services for, and/or functions to or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy RuleCovered Entity, Business Associate will comply with the requirements may disclose information, including PHI, to other business associates of the Privacy Rule that apply to DOM Covered Entity which have been identified by Covered Entity in the performance of such obligation. r. writing. Likewise, Business Associate agrees to make internal practices, books, may use and recordsdisclose information, including policies and proceduresPHI, available to the Secretary for purposes received from other business associates of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310Covered Entity, as if this information was received from, or originated with, Covered Entity. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or Disclose PHI other than as permitted or required by the Service Agreement or as Required by Law. b. a) Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use or Disclosure of PHI other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discoveryensure, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide through a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associateagreement, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors of Business Associate that create, receive, maintain, maintain or transmit protected health information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that createPHI, receiveincluding without limitation, maintainthe restrictions, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable conditions and requirements of the Security Rule and Privacy Rule by entering into a this Business Associate Agreement and the HIPAA Standards. b) Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Business Associate Agreement, any Breach, any breach of security of personal information as defined by any applicable state law, or any successful Security Incident involving PHI, in each case of which the Business Associate, or a subcontractor of the Business Associate, becomes aware (each, an “Incident”). Initial notice of an Incident shall be made to the Covered Entity no later than ten (10) business days after discovery of the Incident by Business Associate and Business Associate shall provide DOM with a copy to Covered Entity any information necessary for Covered Entity to notify affected individuals and/or governmental authorities of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least the Incident within thirty (30) calendar business days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at discovery. The foregoing notwithstanding, for purposes of the address included in Section VII(f) of Security Incident reporting obligation under this Agreement. paragraph 4(b), Business Associate understands hereby reports and Covered Entity acknowledges that submission of their Subcontractors’ (i) Business Associate Agreement(sexperiences inconsequential incidents from time to time such as scans or "pings" that are not permitted past Business Associate’s firewall (“Inconsequential Attempted Incidents”), and (ii) to DOM does not constitute DOM approval of any kind, including this report satisfies the requirements of the use of HIPAA Standards with respect to Inconsequential Security Incidents until such Subcontractors or of time as further guidance from the adequacy of such agreementsSecretary indicates otherwise. l. c) Business Associate agrees to shall restrict disclosures or communicate confidentially with Individuals as required by the HIPAA Standards and as requested by the Covered Entity. d) If the Business Associate maintains PHI in a Designated Record Set, the Business Associate shall: (1) provide accessaccess (including inspection, at the request of XXXobtaining a copy or both), and in the time and manner designated by XXXCovered Entity, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. and Business Associate agrees to shall not charge any fee greater than the lesser of the amount permitted by State law or the Business Associate’s actual cost of postage, labor and supplies for complying with the request; (2) make available PHI for amendment and incorporate any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXXCovered Entity; and (3) provide access to PHI that is in electronic format in the form and format requested by the Individual or Covered Entity, or if not readily producible in such form and format, in a readable electronic form and format agreed to by the Covered Entity and the Individual, and transmit such copy directly to an entity or person designated by the Individual or Covered Entity. Business Associate shall not charge any fee greater than the lesser of the amount permitted by State law or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. n. e) Business Associate agrees shall make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s or Business Associate’s compliance with the HIPAA Standards. Nothing in this Section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information by Business Associate. f) Business Associate shall document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Covered Entity or Business Associate under the HIPAA Standards to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528PHI. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individualshall provide, in a the time and manner designated by DOMCovered Entity, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528disclosures required by the HIPAA Standards made by the Business Associate. p. g) Business Associate agrees that it shall only prevent use or disclose disclosure of the minimum PHI other than as provided for in this Business Associate Agreement and shall comply, where applicable, with the HIPAA Standards with respect to electronic PHI and State law. The Business Associate shall implement and maintain safeguards as necessary to perform functions, activities, ensure that all PHI is used or services for, or on behalf of, DOM disclosed only as specified in authorized under the Service Agreements. HIPAA Standards and this Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOMAgreement. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. (a) Business Associate agrees to not Use use or Disclose PHI further disclose Protected Health Information other than as permitted or required by the Service Agreement this BAA or as Required by Law. b. . Business Associate shall also comply with any further limitations on uses and disclosures agreed by Covered Entity in accordance with 45 C.F.R. 164.522 provided that such agreed upon limitations have been communicated to Business Associate in accordance with Section 4.1(c) of this BAA. (b) Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of PHI the Protected Health Information other than as provided for by this AgreementBAA, including but not limited to the safeguards described in Section 2(m) of this BAA. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72c) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI Protected Health Information by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsBAA. e. (d) Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two promptly report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware. (72e) hours after discovery of Business Associate agrees to report to Covered Entity any actual or suspected Breach of Unsecured PHI, all Protected Health Information without unreasonable delay and in accordance with 45 C.F.R. § 164.410no case later than two (2) calendar days after Discovery of a Breach. The notification Such notice shall include, to the extent possible and subsequently as the information becomes available, include the identification of all Individuals each Individual whose Unsecured PHI Protected Health Information has been, or is reasonably believed by Business Associate Associate, to have been Breached along been, accessed, acquired, or disclosed In connection with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOMsuch Breach. In addition, Business Associate agrees to shall provide a written assessment to determine whether any additional information reasonably requested by Covered Entity for purposes of investigating the incident is reportable within ten (10) working daysBreach. An impermissible Use or Disclosure Business Associate’s notification of protected health information is presumed to be a Breach unless under this section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of AXXX, 00 XXX 164.410, and related guidance issued by the DOM Secretary from time to time. Without limiting Covered Entity’s remedies under Section 6 or any other provision of this BAA, in the event of a Breach involving Unsecured Protected Health Information maintained, used or disclosed by Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees shall reimburse Covered Entity for the cost of providing any legally required notice to fully cooperate, coordinate with, affected Individuals and assist XXX in gathering information the cost of credit monitoring for such Individuals to extent deemed necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM Covered Entity in its sole reasonable discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15f) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information Protected Health Information on behalf of the Business Associate agree in writing to the same restrictions, conditions, restrictions and requirements conditions that apply through this BAA to Business Associate with respect to such information. In no event shall Business Associate, without Covered Entity’s prior written approval, provide Protected Health Information received from, or created or received by Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree Covered Entity, to comply with any employee or agent, including a subcontractor, if such employee, agent or subcontractor receives, processes or otherwise has access to the applicable requirements Protected Health Information outside of the Security Rule and Privacy Rule by entering into a Business Associate United States. Upline Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty 2015 53 (30g) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXXCovered Entity, and in within ten (10) business days of the time and manner designated by XXXrequest from Covered Entity, to PHI Protected Health Information in a Designated Record Set, to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual in order to meet the requirements under 45 CFR § C.F.R. 164.524. Covered Entity’s determination of what constitutes “Protected Health Information” or a “Designated Record Set” shall be final and conclusive. If Business Associate provides copies or summaries of Protected Health Information to an Individual it may impose a reasonable, cost-based fee in accordance with 45 C.F.R. 164.524 (c)(4). m. (h) Business Associate agrees to make any amendment(s) to PHI Protected Health Information in a Designated Record Set that DOM the Covered Entity directs or agrees to pursuant to 45 CFR § C.F.R. 164.526 at the request of DOM Covered Entity or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures within ten (10 ) business days of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528Covered Entity. Business Associate agrees shall not charge any fee for fulfilling requests for amendments. Covered Entity’s determination of what Protected Health Information is subject to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting amendment pursuant to 45 C.F.R. 164.526 shall be final and relevant documentation to DOM at the time of terminationconclusive. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(hi) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make (i) internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity, and (ii) policies, procedures, and documentation relating to the safeguarding of Electronic Protected Health Information available to the Secretary Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s or Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310and Security Rules. s. (j) Business Associate agrees that nothing to document such disclosures of Protected Health Information as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in this Agreement shall permit accordance with 45 C.F.R. 164.528. (k) Business Associate agrees to accessprovide to Covered Entity, storein the time and manner described below, sharethe information collected in accordance with Section 2(j) of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. Business Associate agrees to provide such information to Covered Entity within thirty (30) business days of receipt of a request from Covered Entity. (l) Business Associate acknowledges that it shall request from the Covered Entity and so disclose to its affiliates, agents and subcontractors or other third parties, (i) the information contained in a “limited data set,” as such term is defined at 45 C.F.R. 164.514(e)(2), or, (ii) if needed by Business Associate, to the minimum necessary to accomplish the intended purpose of such requests or disclosures. In all cases, Business Associate shall request and disclose Protected Health Information only in a manner that is consistent with guidance issued by the Secretary from time to time (m) With respect to Electronic Protected Health Information, Business Associate shall implement and comply with (and ensure that its subcontractors implement and comply with) the administrative safeguards set forth at 45 C.F.R. 164.308, the physical safeguards set forth at 45 C.F.R. 310, the technical safeguards set forth at 45 C.F.R. 164.312, and the policies and procedures set forth at 45 C.F.R. 164.316 to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate acknowledges that, (i) the foregoing safeguard, policies and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity, and (ii) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguard, policies and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements. Upline Agreement 2015 54 (n) With respect to Electronic Protected Health Information, Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit or use or disclose PHI in Electronic Protected Health Information on behalf of Business Associate, agree to comply with the applicable requirements of Subpart C of 45 C.F.R. Part 164 by entering into a contract that complies with 45 C.F.R. Section 164.314. (o) Business Associate shall report to Covered Entity any form via any medium with any third partySecurity Incident of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 C.F.R. Section 164.410. (p) If Business Associate conducts any Standard Transactions on behalf of Covered Entity, Business Associate shall comply with the applicable requirements of 45 C.F.R. Parts 160-162. (q) During the term of this BAA, Business Associate may be asked to complete a security survey and/or attestation document designed to assist Covered Entity in understanding and documenting Business Associate’s Subcontractorssecurity procedures and compliance with the requirements contained herein. Business Associate’s failure to complete either of these documents within the reasonable timeframe specified by Covered Entity shall constitute a material breach of this BAA. (r) Business Associate acknowledges that, beyond the boundaries and jurisdiction as of the United States without express written authorization Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5and 1320d- 6, as amended from DOMtime to time, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements. (s) To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s). (t) To the extent that Business Associate provides services to Covered Entity relating to individuals enrolled in state or federal programs (e.g., Medicare or Medicaid), Business Associate shall comply with any additional restrictions or requirements related to the use, disclosure, maintenance, and protection of Protected Health Information of individuals enrolled in such programs through Covered Entity. With respect to the Protected Health Information of Medicare enrollees, Business Associate shall report privacy and security incidents and/or Breaches immediately, but not later than one (1) day, to Covered Entity and include the information required under this Section 2 of this Addendum

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or Disclose PHI other than comply with those provisions of the Security Rule that are set forth at 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316, as permitted or required by amended from time to time, with respect the Service Agreement or as Required by Lawsecurity of PHI, in the same manner that such regulations apply to the Provider. b. Business Associate agrees to comply with the Privacy Rule at 45 C.F.R. § 164.504(e), as amended from time to time, with respect to its use and disclosure of PHI, in the same manner that such regulation applies to Provider. The additional requirements of the HITECH Act that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference hereby are incorporated into the BAA. c. Business Associate agrees to not use or further disclose PHI other than as specifically permitted or required by this BAA or as required by law. d. Business Associate agrees to use appropriate safeguards and comply comply, where applicable, with Subpart C of 45 C.F.R. CFR Part 164 with respect to electronic PHI (ePHI) Electronic PHI, to prevent Use use or Disclosure disclosure of PHI other than as provided for by this AgreementBAA. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. e. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsBAA. e. f. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery report to Provider if it becomes aware of any actual use or suspected disclosure of PHI not provided for by this BAA, including any Breach of Unsecured PHIPHI as required by 45 CFR 164.410, all in accordance with 45 C.F.R. § 164.410and any Security Incident of which it becomes aware. The notification shall include, Notwithstanding anything herein to the extent possible and subsequently as the information becomes availablecontrary, the identification of all Individuals whose Unsecured PHI is reasonably believed by parties acknowledge and agree that this BAA shall constitute notice to Provider that Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individualmay periodically experience broadcast attacks on its firewall, HHSport scans, and/or the mediaunsuccessful log-on attempts, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOMdenials of service and similar unsuccessful security incidents, and Business Associate agrees need not further report such incidents to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use Provider so long as such incidents do not result in unauthorized access, use or Disclosure disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410PHI. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will on behalf of Provider agree to comply with the applicable requirements of the Security Rule same restrictions and Privacy Rule by entering into a conditions that apply to Business Associate Agreement and Business Associate shall provide DOM with a copy respect to such information, including, without limitation, implementation of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior appropriate safeguards to disclosing any protect the security of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreementsElectronic PHI. l. h. Upon the written request of Provider, Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, access to Provider to PHI that Business Associate maintains in a Designated Record SetSet (if in fact its arrangements with Provider require Business Associate to maintain Designated Record Sets on behalf of Provider), to DOM or, as directed by XXX, to an Individual in order for Provider to meet the Patient access and copying requirements under 45 CFR § 164.524. If Business Associate maintains an electronic health record which contains the PHI, Business Associate shall provide such information produced in accordance with this section 2(h) in electronic format to enable Provider to fulfill its obligations under applicable regulations. m. i. Upon the written request of Provider, Business Associate agrees to make any amendment(s) to PHI that Business Associate maintains in a Designated Record Set (if in fact its arrangements with Provider require Business Associates to maintain Designated Record Sets on behalf of Provider), that DOM the Provider directs or agrees to pursuant to 45 CFR § 164.526 164.526. j. Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of PHI available at the request of DOM the Provider to the Secretary, for purposes of determining Provider’s compliance with the Privacy Rule, subject to attorney-client or an Individual, and in the time and manner designated by XXXother applicable legal privileges. n. k. Business Associate agrees to document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Provider to respond to a request by an Individual Patient for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees , as may be amended from time to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of terminationtime. o. l. Upon written request of Provider, Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, Provider with information collected in accordance with section (III)(h) Section II.k of this Agreement, BAA to permit XXX Provider to respond to a request by an Individual Patient for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. m. Business Associate agrees that to the extent that Business Associate carries it is to carry out DOMProvider’s obligations obligation under the Privacy Rule, Business Associate Rule that it will comply with the requirements of the Privacy Rule that apply to DOM Provider in the performance of such obligation. r. n. Business Associate agrees to make internal practicesnotify Provider without unreasonable delay, books, and records, including policies and procedures, available but in no event more than 60 days after Business Associate becomes aware of an unauthorized use or disclosure by or on behalf of Business Associate which constitutes a Breach of Unsecured PHI unless it receives a request to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule delay such notification from a law enforcement official pursuant to 45 C.F.R. § 160.310CFR 164.412. Such notification shall include a list of impacted Patients, and describe the Breach in such reasonable detail to enable Provider to fulfill its obligations under applicable regulations. s. o. Upon written request of Provider, Business Associate agrees will comply with a Patient request for restriction of certain disclosures to health plans in accordance with 45 CFR 164.522 and the HITECH Act, if the disclosure is to a health care plan for the purposes of carrying out payment or health care operations and the PHI pertains solely to a health care item or service for which Patient has paid for out of pocket in full. Except to the extent that nothing in this Agreement shall permit Provider must agree to a Patient request for restriction under the HITECH Act, Business Associate shall not be required to access, store, share, maintain, transmit or comply with a Patient’s request to restrict the use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction disclosure of the United States without express written authorization from DOMPHI.

Obligations and Activities of Business Associate. a. With regard to the use and/or disclosure of PHI the Business Associate agrees that all uses and disclosures will be in accordance with the Notice of Privacy Practices and applicable federal, state, and local law. The Business Associate will not use or disclose any PHI in violation of HIPAA. In all instances where the use or disclosure of PHI is necessary, the Business Associate will use or disclose only the minimum necessary to not Use achieve the intended purpose for such use or Disclose disclosure. Business Associate agrees that it will de-identify all PHI prior to its use or disclosure, to the extent possible. Business further agrees to: (a) Not use or further disclose PHI other than as permitted or required by the Service this Agreement or as Required required by Lawlaw. b. Business Associate shall use (b) Use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use the use or Disclosure disclosure of PHI other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72c) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigateMitigate, to the extent practicable, any harmful effect that is known to Business Associate of from a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement Agreement. (d) Use appropriate safeguards, and take prompt steps comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual use or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure disclosure of protected health information is presumed other than as provided for by the Agreement; (e) Report to be a Breach unless the DOM covered entity any use or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one disclosure of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf not provided for by the Agreement of the Business Associate agree which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware; (f) Ensure that any agent, including a subcontractor, to whom it provides PHI, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to the Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide (g) Provide access, at the request of XXXCovered Entity, and in the time and manner designated by XXXCovered Entity, to PHI in a Designated Record SetSet (if applicable), to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524Individual. m. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use use or Disclose PHI disclose Protected Health Information other than as permitted or required by the Service Agreement or as Required required by Lawlaw. b. Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of PHI the Protected Health Information other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, report to Covered Entity any use or disclosure of any Use or Disclosure of PHI the Protected Health Information not provided for by this Agreement of which it becomes aware, and any Security Incident including breaches of which it becomes awareunsecured protected health information, as required at 45 C.F.R. 164.410. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. e. Report to the Covered Entity any security incident of which it becomes aware. f. Business Associate shall notify the Covered Entity of a breach of unsecured PHI on the first day on which such breach is known by Business Associate or an employee, officer or agent of Business Associate other than the person committing the breach, or as soon as possible following the first day on which Business Associate or an employee, officer or agent of Business Associate other than the person committing the breach should have known by exercising reasonable diligence of such breach. Notification shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the breach. Business Associate agrees to ensure that shall also provide the Covered Entity with any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of other available information at the time Business Associate will agree makes notification to comply with the applicable requirements Covered Entity or promptly thereafter as information becomes available. Such additional information shall include (i) a brief description of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kindwhat happened, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide the breach; (ii) a full accounting and relevant documentation to DOM at description of the time types of termination. o. unsecured PHI that were involved in the breach; (iii) any steps the Business Associate agrees believes individuals should take to provide to DOM or an Individual, in protect themselves from potential harm resulting from the breach; and (iv) a time and manner designated by DOM, information collected in accordance with section (III)(h) brief description of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. what Business Associate agrees that it shall only use or disclose is doing to investigate the minimum PHI necessary breach, mitigate harm to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Ruleindividuals, and protect against any minimum necessary policies and procedures communicated to Business Associate by DOMfuture breaches. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. 2.1 Business Associate agrees to not Use or Disclose access, create, maintain, use and/or disclose the PHI other than only as permitted or required by the Service this Agreement or as Required required by Lawlaw. b. 2.2 Business Associate shall agrees to use appropriate safeguards to maintain the security of the PHI and to prevent use or disclosure of PHI and comply with Subpart C of 45 C.F.R. CFR Part 164 with respect to electronic PHI (ePHI) to prevent Use or Disclosure of PHI Electronic Protected Health Information other than as provided for by this Agreement. c. . Business Associate agrees to notify DOM without unreasonable delay implement Security Safeguards that reasonably and no later than seventy-two (72) hours after discoveryappropriately protect the Confidentiality, Integrity, and Availability of the ePHI that Business Associate creates, receives, maintains, or transmits on behalf of Emory and that are in accord with all applicable HIPAA Regulations and HITECH. 2.3 Business Associate agrees to promptly report to Emory any Use use or Disclosure disclosure of PHI that is not provided for permitted by this Agreement Agreement, including breaches of which it becomes aware, and Unsecured PHI as required at 45 CFR 164.410 or of any Security Incident of which it Business Associate becomes aware. The parties acknowledge and agree that this section constitutes notice by Business Associate to Emory of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (defined below) for which no additional notices will be required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scan, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized acquisition, access, use or disclosure of Protected Health Information. d. 2.4 Business Associate agrees to ensure that any agent, including any authorized sub- contractor, that creates, receives, maintains, transmits, uses, or has access to PHI in the performance of the Underlying Contracts agrees, in writing, to the same restrictions, conditions and requirements on the use and/or disclosure of such PHI that apply to Business Associate with respect to such information through this Agreement. 2.5 Business Associate agrees to ensure that any agent, including any authorized sub- contractor to whom it provides ePHI, agrees, in writing, to implement reasonable and appropriate Security Safeguards to protect it. 2.6 Business Associate agrees to document any disclosures of PHI by Business Associate or its agents or authorized subcontractors, and information related to such disclosures, as would be required for Emory to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. 2.7 Business Associate agrees to provide to Emory information collected in accordance with Section 2.6 of this Agreement within fifteen (15) days of a request by Emory, as necessary to permit Emory to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. 2.8 Business Associate agrees to make available PHI in a designated record set, within fifteen (15) days of Emory’s request, to Emory or, as directed by Emory, to an individual in order to meet the requirements under 45 C.F.R. § 164.524, relating to an individual’s right to inspect and obtain a copy of PHI relating to such individual. 2.9 Business Associate agrees to make any amendment(s) to Protected Health Information in a designated record set as Emory directs or agrees to pursuant to 45 C.F.R. § 164.526 within thirty (30) days of Emory’s request. 2.10 If Business Associate believes it has a legal obligation to disclose any PHI, it will notify Emory in writing as soon as reasonably practical after it learns of such obligation, and in any event at least five (5) business days prior to the proposed release, as to the legal requirement pursuant to which it believes the PHI must be released. If Emory objects to the release of such PHI, Business Associate will allow Emory to exercise any legal rights or remedies Business Associate might have to object to the release of the PHI, and Business Associate agrees to provide such assistance to Emory, at Emory’s expense, as Emory may reasonably request in connection therewith. 2.11 Business Associate agrees to make its internal practices, policies and procedures, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Emory’s compliance with the HIPAA Regulations. Business Associate agrees to provide Emory with prompt written notice of any request received from the Secretary for access to such documents. 2.12 Business Associate, at its sole expense, agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. 2.13 Business Associate agrees to notify DOM report to Emory any use or disclosure of PHI not provided for by this Agreement of which it becomes aware as soon as reasonably possible and in any event within five (5) days of the date on which it becomes aware of the use/disclosure. 2.14 Business Associate acknowledges that Sections 164.308, 164.310, 164.312, and 164.316 of Title 45, Code of Federal Regulations apply to Business Associate in the same manner that such sections apply to covered entities and are incorporated into this Agreement by reference. The additional requirements of HITECH that relate to security of ePHI in Subpart C of Part 164 of Title 45 of the Code of Federal Regulations that apply to covered entities also apply to Business Associate and are incorporated into this Agreement by reference. Business Associate agrees to implement the technical safeguards provided in guidance issued annually by the Secretary for carrying out the obligations under the Code of Federal Regulation sections cited above (in this Section 2.14) and the security standards in Subpart C of Part 164 of Title 45 of the Code of Federal Regulations. 2.15 Business Associate may use and disclose Protected Health Information that Business Associate obtains or creates only if such use or disclosure, respectively, complies with each applicable requirement of Section 164.504(e) of Title 45, Code of Federal Regulations, as permitted or required by this Agreement or as required by law. 2.16 Business Associate acknowledges that Section 164.504(e)(1)(ii) of Title 45, Code of Federal Regulations applies to Business Associate in the same manner that such section applies to covered entities, with respect to compliance with the standards in Sections 164.502(e) and 164.504(e) of Title 45, except that in applying such Section 164.504(e)(1)(ii) each reference to the business associate, with respect to a contract, shall be treated as a reference to the covered entity involved in such contract. 2.17 Business Associate shall comply with Section 13402 of the HITECH Act and the regulations implementing such provisions, currently Subpart D of Title 45 of the Code of Federal Regulations, as such regulations may be in effect from time to time (collectively, the “Breach Notification Rules”). a. Except as provided in 45 C.F.R. § 164.412, Business Associate will give Emory notice of any Breach of Unsecured Protected Health Information without unreasonable delay, and but in no case later than seventy-two ten (7210) hours days after discovery the first day on which the Breach is known, or by the exercise of any actual or suspected Breach of Unsecured PHIreasonable diligence would have been known, all to the Business Associate. b. The notice required by Section 2.17.a. above will be written in accordance with 45 C.F.R. § 164.410. The notification shall plain language and will include, to the extent possible and subsequently as the information becomes or available, the following: i. The identification and address of all Individuals each individual(s) whose Unsecured PHI Protected Health Information has been, or is reasonably believed by the Business Associate to have been Breached along with any other available information been, accessed, acquired or disclosed during the Breach; ii. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach; iii. A description of the types of Unsecured Protected Health Information that is required to be included were involved in the notification Breach (such as whether the full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); iv. Any steps individuals who were subjects of the Breach should take to protect themselves from potential harm that may result from the IndividualBreach; v. A brief description of what the Business Associate is doing to investigate the Breach, HHSto mitigate the harm to individuals, and/or the mediaand to protect against further Breaches; and vi. Contact procedures for individuals to ask questions or learn additional information, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410including a toll free telephone number, an email address, Web site, or postal address. f. Once an actual or suspected Breach is reported to DOM, c. Business Associate agrees to provide shall cooperate with Emory in conducting a written risk assessment to determine whether the incident Breach definition is reportable within ten (10) working days. An impermissible Use met, requiring notice to affected individuals. 2.18 Business Associate shall secure all Protected Health Information that is maintained by Business Associate by a technology standard that renders Protected Health Information unusable, unreadable, or Disclosure of protected health information indecipherable to unauthorized individuals and is presumed to be a Breach unless consistent with guidance issued by the DOM or Business AssociateSecretary, as applicablemodified by the Secretary from time to time, demonstrates there is a low probability specifying the PHI has been compromised technologies and methodologies that render Protected Health Information unusable, unreadable, or one indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the exceptions Public Health Service Act, as added by Section 13101 of HITECH. Emory acknowledges that much of the Protected Health Information made available to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, is and assist XXX will remain resident in gathering information necessary to notify systems under the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery control of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, Emory and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2)therefore, Business Associate agrees to ensure that is not responsible for any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree technologies employed by Emory to the same restrictions, conditions, and requirements that apply to Business Associate with respect to protect such information. Business Associate agrees to ensure that any Subcontractors that create. 2.19 At Emory’s discretion, receive, maintain, or transmit electronic PHI (ePHI) Emory may require employees and permitted contractors who provide services on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule execute appropriate confidentiality or data use agreements. 2.20 Except as may be expressly permitted under an Underlying Contract or otherwise consented to by entering into a Business Associate Agreement and Emory in writing, Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing not transfer any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at across the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction borders of the United States without express written authorization or permit remote access to the PHI by any employee, affiliate, contractor or other third party from DOMoutside of the United States.

Obligations and Activities of Business Associate. a. a) Business Associate agrees to not Use use or Disclose disclose PHI other than as permitted or required by this Agreement, any underlying agreement between the Service Agreement parties, or as Required by By Law. b. b) Business Associate shall will make reasonable efforts, to the extent practicable, to limit requests for and the use and disclosure of PHI to a Limited Data Set (as defined in 45 C.F.R. § 164.514(e)(2)) or, if needed by Business Associate, to the minimum necessary PHI to accomplish the intended purpose of such use, disclosure or request, and as applicable, in accordance with the regulations and guidance issued by the Secretary on what constitutes the minimum necessary for Business Associate to perform its obligations to Covered Entity under this Agreement, any underlying agreement, or as Required By Law. c) Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use the use or Disclosure disclosure of PHI other than as provided for by this Agreement. c. d) Business Associate agrees to notify DOM without unreasonable delay implement administrative, physical and no later than seventy-two (72) hours after discoverytechnical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any Use Electronic PHI that it creates, receives, maintains or Disclosure transmits on behalf of PHI not provided for by this Agreement Covered Entity. Business Associate shall comply with the applicable requirements of which it becomes aware, and any the Security Incident of which it becomes awareRule in the same manner such provisions apply to Covered Entity. d. e) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. f) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware. To the extent that Business Associate creates, receives, maintains or transmits Electronic PHI, Business Associate agrees to report as soon as practicable to Covered Entity any Security Incident, as determined by Business Associate, involving PHI of which Business Associate becomes aware. Notwithstanding the foregoing, Business Associate and Covered Entity acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature, such as pings and port scans, and Covered Entity acknowledges and agrees that no additional notification to Covered Entity of such unsuccessful Security Incidents is required. However, to the extent that Business Associate becomes aware of an unusually high number of such unsuccessful Security Incidents due to the repeated acts of a single party, Business Associate shall notify DOM Covered Entity of these attempts and provide the name, if available, of said party. At the request of Covered Entity, Business Associate shall identify the date of the Security Incident, the scope of the Security Incident, Business Associate’s response to the Security Incident, and the identification of the party responsible for causing the Security Incident, if known. g) Following Business Associate’s discovery of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity of the Breach without unreasonable delay, and in no event later than seventy-two three (723) hours business days after discovery Business Associate, or any of any actual its employees or suspected Breach of Unsecured PHIagents, all in accordance with 45 C.F.R. § 164.410discovered the Breach. The Such notification shall include, to the extent possible and subsequently as the information becomes availablepossible, the identification of all Individuals each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been Breached along with been, accessed, acquired, used, or disclosed during the Breach and any other information available information that to Business Associate about the Breach which is required to be included in the notification of the Breach provided to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all Individual in accordance with 45 C.F.R. § 164.410. g. §164.404(c). A Breach of Unsecured PHI shall be treated as discovered as of the first day on which such Breach is known to Business Associate agrees or should have be known to fully cooperateBusiness Associate by exercising reasonable diligence. If Business Associate (or one of its subcontractors, coordinate withvendors or agents) is responsible for a Breach of Unsecured PHI, and assist XXX in gathering information necessary Covered Entity may, at its option, require Business Associate to notify provide any of the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to notifications required by 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, § 164.404 at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actionsexpense. k. h) In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii164.308(b)(2) and 164.308(b)(2164.502(e)(1)(ii), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate agree in writing to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. Moreover, Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, such agent or transmit electronic PHI (ePHIsubcontractor agrees to implement reasonable and appropriate safeguards to protect Covered Entity’s Electronic PHI. i) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXXCovered Entity, and in the a time and manner designated by XXXmutually acceptable to Business Associate and Covered Entity, to PHI in a Designated Record SetSet to Covered Entity, to DOM or, as directed by XXXCovered Entity, to an Individual or another person properly designated by the Individual, in order to meet the requirements under 45 CFR C.F.R. § 164.524. If Business Associate maintains PHI electronically in a Designated Record Set and if the Individual requests an electronic copy of such information, Business Associate must provide Covered Entity, or the Individual or person properly designated by the Individual, as directed by Covered Entity, access to the PHI in the electronic form and format requested by the Individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by Covered Entity and the Individual. Any fee that Business Associate may charge for such electronic copy shall not be greater than Business Associate’s labor and supply costs in responding to the request. m. j) Business Associate agrees to make any amendment(s) to PHI in its possession contained in a Designated Record Set that DOM Covered Entity directs or agrees to pursuant to 45 CFR C.F.R. § 164.526 at the request of DOM Covered Entity or an Individual, and in the a time and manner designated by XXXmutually acceptable to Business Associate and Covered Entity. n. k) Business Associate agrees to document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR C.F.R. § 164.528. As of the compliance date set forth in the regulations promulgated under HITECH or as otherwise determined by the Secretary, in addition to the accounting of disclosure obligations required under 45 C.F.R. § 164.528, Business Associate agrees to retain such documentation shall account for at least six (6) years after all disclosures of PHI made through an Electronic Health Record in accordance with the date of disclosure or provide a full accounting HITECH Standards and relevant documentation to DOM at the time of terminationany future regulations promulgated thereunder. o. l) Within ten (10) business days (or such other date that Business Associate and Covered Entity may reasonably agree upon) of receiving written notice from Covered Entity that Covered Entity has received a request for an accounting of disclosures of PHI, Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, Covered Entity information collected in accordance with section (III)(h) of this Agreement, to permit XXX Covered Entity to respond to a request by an Individual for an make the accounting of Disclosures of PHI required in accordance with 45 CFR C.F.R. § 164.528. p. m) Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of determining Covered Entity’s or Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310Rule. s. n) To the extent Business Associate agrees that nothing in this Agreement shall permit is to carry out Covered Entity’s obligations under the Privacy Rule, Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium shall comply with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction requirements of the United States without express written authorization from DOMPrivacy Rule that apply to Covered Entity in the performance of such delegated obligation.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or Disclose PHI Protected Health Information other than as permitted or required by the Service this Agreement or as Required by By Law. b. . • Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use or Disclosure of PHI Protected Health Information other than as provided for by this Agreement. c. . Business Associate further agrees to notify DOM without unreasonable delay implement administrative, physical and no later than seventy-two (72) hours after discoverytechnical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any Use or Disclosure of PHI not electronic Protected Health Information, as provided for in the Security Rule and as mandated by this Agreement Section 13401 of which it becomes aware, and any Security Incident of which it becomes aware. d. the HITECH Act. • Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI Protected Health Information by Business Associate in Violation violation of the requirements of this Agreement. Business Associate further agrees to report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware, and take prompt steps in a manner as prescribed herein. • If the Breach, as discussed in paragraph 2(c), pertains to prevent the recurrence of any IncidentUnsecured Protected Health Information, including any action required by applicable federal and state laws and regulations. e. then Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of report any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the such data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable Covered Entity within ten (10) working daysbusiness days of discovery of said Breach; all other compromises of Protected Health Information shall be reported to Covered Entity within twenty (20) business days of discovery. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business AssociateAssociate further agrees, as applicable, demonstrates there is a low probability the PHI has been compromised or one consistent with Section 13402 of the exceptions HITECH Act, to provide Covered Entity, via email or phone call, with information necessary for Covered Entity to meet the definition requirements of Breach appliessaid section. • If Business Associate is an Agent of Covered Entity, all in accordance with 45 C.F.R. § 164.410. g. then Business Associate agrees that any Breach of Unsecured Protected Health Information shall be reported to fully cooperate, coordinate withCovered Entity immediately after the Business Associate becomes aware of said Breach, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure under no circumstances later than one (1) business day thereafter. Business Associate further agrees that any notices sent compromise of Protected Health Information, other than a Breach of Unsecured Protected Health Information as specified in connection with the Incident are2(c) of this Agreement, subject shall be reported to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM Covered Entity within fifteen ten (1510) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civildiscovering said compromise, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), attempted compromise. • Business Associate agrees to ensure that any subcontractors that createSubcontractor, receive, maintain, or transmit protected health information on behalf of the to whom Business Associate agree provides Protected Health Information, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate further agrees that restrictions and conditions analogous to ensure those contained herein shall be imposed on said Subcontractors via a written agreement that any Subcontractors complies with all the requirements specified in § 164.504(e)(2), and that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall only provide DOM said Subcontractors Protected Health Information consistent with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f13405(b) of this Agreementthe HITECH Act. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kindFurther, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the copies of said written agreements to Covered Entity within ten (10) business days of a Covered Entity’s request of XXX, and in the time and manner designated by XXXfor same. • Business Associate agrees to provide access via in-app export, to PHI Protected Health Information in a Designated Record Set, Set to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual Individual, in order to meet the Covered Entity’s requirements under 45 CFR § 164.524. m. . Business Associate further agrees, in the case where Business Associate controls access to Protected Health Information in an Electronic Health Record, or controls access to Protected Health Information stored electronically in any format, to provide similar access in order for Covered Entity to meet its requirements of the HIPAA Rules and under Section 13405(c) of the HITECH Act. These provisions do not apply if Business Associate and its employees or Subcontractors have no Protected Health Information in a Designated Record Set of Covered Entity. • Business Associate agrees to make any amendment(s) to PHI Protected Health Information in a Designated Record Set that DOM directs or agrees available to the Covered Entity for the purpose of making amendments and incorporate such amendments in the Designated Record Set pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. §164.526. This provision does not apply if Business Associate agrees to document such Disclosures and its employees or Subcontractors have no Protected Health Information from a Designated Record Set of PHI and information related to such Disclosures as would be required for DOM to respond to a request Covered Entity. • Unless otherwise protected or prohibited from discovery or disclosure by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individuallaw, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and proceduresprocedures (collectively “Compliance Information”), relating to the Use or Disclosure of Protected Health Information and the protection of same, available to the Covered Entity or to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Rules and the HITECH Act. Business Associate further agrees, at the request of Covered Entity, to provide Covered Entity with demonstrable evidence that its Compliance Information ensures Business Associate’s and/or DOM's compliance with this Agreement over time. Business Associate shall have a reasonable time within which to comply with requests for such access and/or demonstrable evidence, consistent with this Agreement. In no case shall access, or demonstrable evidence, be required in less than ten (10) business days after Business Associate’s receipt of such request, unless otherwise designated by the Privacy Rule pursuant Secretary. • Business Associate agrees to maintain necessary and sufficient documentation of Disclosures of Protected Health Information as would be required for Covered Entity to respond to a request by an Individual for an accounting of such Disclosures, in accordance with 45 CFR §164.528. • On request of Covered Entity, Business Associate agrees to provide to Covered Entity documentation made in accordance with this Agreement to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 160.310. s. 164.528. Business Associate agrees that nothing shall provide said documentation in this Agreement shall permit a manner and format to be specified by Covered Entity. Business Associate shall have a reasonable time within which to access, store, share, maintain, transmit or use or disclose PHI comply with such a request from Covered Entity and in any form via any medium with any third party, including no case shall Business Associate be required to provide such documentation in less than five (5) business days after Business Associate’s Subcontractorsreceipt of such request. • Except as provided for in this Agreement, beyond in the boundaries and jurisdiction event Business Associate receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, Business Associate shall redirect the Individual to the Covered Entity. • To the extent that Business Associate carries out one or more of Covered Entity’s obligations under the HIPAA Rules, the Business Associate must comply with all requirements of the United States without express written authorization from DOMHIPAA Rules that would be applicable to the Covered Entity. • A Business Associate must honor all restrictions consistent with 45 C.F.R. § 164.522 that the Covered Entity or the Individual makes the Business Associate aware of, including the Individual’s right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).

Obligations and Activities of Business Associate. a. (i) Business Associate agrees to shall not Use use or Disclose disclose PHI other than as permitted or required by the Service Agreement under this Agreement, or as Required by Law. b. (ii) Business Associate shall use appropriate safeguards and comply with the applicable requirements of Subpart C of 45 C.F.R. Part CFR § 164 with respect to electronic E-PHI (ePHI) to prevent Use the use or Disclosure disclosure of PHI other than as provided for herein. (iii) Business Associate shall comply with the applicable requirements of Subpart E of 45 CFR § 164. To the extent that Business Associate, in providing the Services, is carrying out one or more of Covered Entity’s obligations under Subpart E of 45 CFR § 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations. (iv) Business Associate shall ensure that any Subcontractors that create, receive, maintain or transmit PHI, including any E-PHI, on behalf of Business Associate agree to comply with the applicable requirements of Subpart C and Subpart E of 45 CFR § 164, and that each Subcontractor enters into a business associate agreement with Business Associate under which each Subcontractor agrees to the same restrictions and conditions that apply to Business Associate with respect to PHI. In addition to other provisions required by HIPAA or this Agreement, such Subcontractor agreements shall contain provisions to ensure Business Associate will meet its reporting obligations under Sections 4(a)(v) and 4(a)(vi), immediately below. (v) Business Associate shall promptly report to Covered Entity, within thirty (30) days of discovery, any use or disclosure of PHI not permitted by this Agreement. c. , as well as any Security Incident. In addition, Business Associate agrees to notify DOM shall promptly and without unreasonable delay and delay, notify Covered Entity following the discovery of a Breach of Unsecured PHI as required by 45 CFR § 164.410, except that Business Associate shall make such reports to Covered Entity no later than seventy-two thirty (7230) hours days after discoverydiscovery of the same unless a law enforcement official determines that such a report would impede a criminal investigation or cause damage to national security, in which case Business Associate will comply with 45 CFR § 164.412. A Breach is deemed discovered as of any Use or Disclosure of PHI not provided for by this Agreement of the first day on which it becomes awareis known to Business Associate or to any person, other than the person committing the Breach, who is an employee, officer or other agent of Business Associate, or, by exercising reasonable diligence, would have been known to Business Associate or such person. (vi) Business Associate shall include in any report required under Section 4(a)(v) immediately above, to the extent possible, (A) a description of the impermissible use/disclosure, Security Incident or Breach of Unsecured PHI, (B) the identification of each individual whose PHI has been, or is reasonably believed to have been, the subject of the impermissible use/disclosure, Security Incident or Breach of Unsecured PHI, and (C) such other available information, as requested by Covered Entity, which Covered Entity may be required to include in any Security Incident of which it becomes awarerequired notifications to the affected individuals. d. (vii) Business Associate agrees to shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of (A) a Use Security Incident, (B) a Breach of Unsecured PHI, and (C) a use or Disclosure disclosure of PHI by Business Associate or its employees or agents, including any Subcontractors, in Violation violation of the requirements of this Agreement Agreement. Further, Business Associate shall reasonably cooperate and take prompt steps to prevent coordinate with Covered Entity in the recurrence investigation of any Incidentviolation of the requirements of this Agreement, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delayimpermissible use/disclosure, and no later than seventy-two (72) hours after discovery of any actual Security Incident or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10viii) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXXCovered Entity, and in the time and manner designated by XXX, shall provide access to PHI in a Designated Record Set, Set to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual individual in order to meet the requirements under 45 CFR § 164.524. m. (ix) Business Associate agrees to shall make any amendment(s) amendments to PHI in a Designated Record Set that DOM Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX164.526. n. (x) Business Associate agrees shall make available to document such Disclosures of PHI and Covered Entity information related required to such Disclosures as would be required for DOM to respond to a request by an Individual for provide an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. p. (xi) Business Associate agrees that it shall only make internal practices, books and records relating to the use or disclose the minimum and disclosure of PHI necessary to perform functions, activitiesreceived from, or services for, created or received by Business Associate on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, Covered Entity available to the Secretary for purposes of determining Business Associatethe Secretary’s and/or DOM's determination of Covered Entity’s compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310HIPAA. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. In the event Business Associate creates, receives, maintains, or transmits Covered Entity’s Protected Health Information, Business Associate agrees to not Use to: (a) Not use or Disclose PHI disclose Protected Health Information other than as permitted or required by the Service this Agreement or as Required required by Lawlaw. b. Business Associate shall use (b) Use appropriate safeguards safeguards, and comply with Subpart C of 45 C.F.R. Part 164 the HIPAA Security Rule with respect to electronic PHI (ePHI) Electronic Protected Health Information, to prevent Use the use or Disclosure disclosure of PHI Protected Health Information other than as provided for by this Agreement. Business Associate will retain Protected Health Information in accordance with the agreed upon services and its record retention procedures. c. Business Associate agrees (c) Report to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, Covered Entity any use or disclosure of any Use or Disclosure of PHI Protected Health Information not provided for by this Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information as required by 45 C.F.R. 164.410, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate; provided, to however, the extent practicable, any harmful effect Parties acknowledge and agree that is known to Business Associate of a Use or Disclosure of PHI this Section constitutes notice by Business Associate in Violation to Covered Entity of the requirements ongoing existence and occurrence of this Agreement attempted, but Unsuccessful Security Incidents, for which further notice to Covered Entity shall be required only upon Covered Entity’s written request. Unsuccessful Security Incidents include, but are not limited to, pings and take prompt steps to prevent the recurrence other broadcast attacks on Business Associate’s firewall, port scans, and unsuccessful log-on attempts, so long as no such incident results in unauthorized access, use, or disclosure of any Incident, including any action required by applicable federal and state laws and regulations. e. Protected Health Information. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two must report any use or disclosure that constitutes a Breach within fifteen (7215) hours after discovery calendar days of any actual or suspected Breach the date the Business Associate becomes aware of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410the Breach. The Business Associate’s notification shall include, to the extent possible and subsequently as the information becomes available, will include the identification of all Individuals each Individual whose Unsecured PHI Protected Health Information has been or is reasonably believed by Business Associate to have been Breached along with accessed, acquired, used, or disclosed during the Breach, and any other available information that is required particulars regarding the Breach Covered Entity would need to be included include in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements as set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOMC.F.R. 164.404. To the extent commercially practicable, Business Associate agrees will work cooperatively with Covered Entity to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that mitigate any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt harmful effect of any administrative, civil, use or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to disclosure not provided for by this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actionsthe Privacy Regulations. k. (d) In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to if applicable, ensure that any subcontractors Subcontractors that create, receive, maintain, or transmit protected health information Protected Health Information on behalf of the Business Associate for services provided to Covered Entity agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. Business Associate agrees is expressly authorized to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate this Agreement to any Subcontractors it uses in its work for Covered Entity for purposes of obtaining the Subcontractor’s agreement to the terms and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) conditions of this Agreement. . (e) To the extent Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI has Protected Health Information maintained in a Designated Record Set, make available such information to DOM or, the Covered Entity as directed by XXX, necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524 within ten (10) business days of Business Associate’s receipt of a written request from Covered Entity. If an Individual in order makes a request for access pursuant to meet 45 C.F.R. 164.524 directly to Business Associate, Business Associate will direct the requirements under 45 CFR § 164.524Individual to Covered Entity. m. (f) To the extent Business Associate agrees to has Protected Health Information maintained in a Designated Record Set, make any amendment(s) to PHI in a Designated Record Set that DOM directs such information as directed or agrees agreed to by the Covered Entity pursuant to 45 CFR § C.F.R. 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526 at within ten (10) business days of Business Associate’s receipt of a written request from Covered Entity. If an Individual makes a request for amendment pursuant to 45 C.F.R. 164.526 directly to Business Associate, Business Associate will direct the request of DOM or an Individual, and in the time and manner designated by XXXIndividual to Covered Entity. n. Business Associate agrees (g) Maintain and make available the information required to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for provide an accounting of Disclosures disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.528 within ten (10) business days of PHI in accordance with Business Associate’s receipt of a written request from Covered Entity. If an Individual makes a request for accounting pursuant to 45 CFR § 164.528. C.F.R. 164.528 directly to Business Associate, Business Associate agrees will direct the Individual to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of terminationCovered Entity. o. (h) To the extent the Business Associate agrees is to provide carry out one or more of Covered Entity's obligation(s) under the Privacy Rule pursuant to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) the terms of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM the Covered Entity in the performance of such obligationobligation(s). r. Business Associate agrees to make (i) Make its internal practices, books, and recordsrecords relating to Business Associate’s use and disclosure of Protected Health Information received from, including policies and proceduresor created or received by Business Associate on behalf of, Covered Entity available to the Secretary Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), or their agents for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310HIPAA Rules. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. (a) Provider represents and warrants to Business Associate that its Notice of Privacy (a) Business Associate agrees to not Use use or Disclose further disclose PHI other than as specifically Practices permits Provider to disclose PHI to Business Associate and that the Notice permitted or required by the Service this Agreement or as Required required by Law. b. law. of Privacy Practices used by Provider incorporates the terms and statements required (b) Business Associate shall agrees to use appropriate safeguards Administrative, Technical and comply with Subpart C of 45 C.F.R. Part 164 with respect Physical by the Privacy Rule. Safeguards to electronic PHI (ePHI1) to prevent Use use or Disclosure disclosure of PHI other than as provided for by this Agreement. c. (b) Provider shall not request that Business Associate agrees to notify DOM without unreasonable delay use or disclose PHI in any manner Agreement; and no later than seventy-two (722) hours after discoveryreasonably and appropriately protect the Confidentiality, Integrity that would not be permissible under the Privacy Rule or Security Rule if done by Provider and Availability of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes awareElectronic PHI. except the uses specifically permitted under Section IV above, and any Security Incident of which it becomes aware. d. where Business Associate (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect may use or disclose PHI for data aggregation or management and administrative that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate activities of Business Associate. in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Agreement. VI. TERM AND TERMINATION (d) Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery report to Provider if it becomes aware of any actual (1) use (a) TERM The Term of this Agreement shall be effective as of the date set forth above, or suspected Breach disclosure of Unsecured PHI not provided for by this Agreement; (2) unauthorized access of and shall remain effective so long as a relationship between the Provider and the Business Electronic PHI; (3) unauthorized destruction or modification of Electronic PHI; or (4) Associate shall persist. This Agreement shall terminate when all of the PHI provided by unauthorized interference with the systems operations of Business Associate’s electronic Provider to Business Associate, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed or created or received by Business Associate on behalf information systems containing Electronic PHI. of Provider, is destroyed or returned to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, andProvider or, if the CAP it is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees infeasible to promptly notify DOM upon notification return or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions destroy (“Actions”e) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that createagent, receiveincluding a subcontractor, maintainto PHI, protections are extended to such information in accordance with the termination whom it provides PHI received from or transmit protected health information created or received by Business Associate on provisions in Section VI (c)(2). behalf of the Business Associate agree Provider, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through (b) TERMINATION FOR CAUSE Upon Provider’s knowledge of a material breach of this this Agreement to Business Associate with respect to such information, including, Agreement by Business Associate, Provider shall provide written notice to Business without limitation, implementation of appropriate safeguards to protect the security of Electronic PHI. Associate identifying the breach, and permit Business Associate agrees twenty (20) days to ensure that any Subcontractors that create(f) Upon the written request of Provider, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at access cure the request of XXX, and in breach; if Business Associate does not cure the time and manner designated by XXX, breach or end the violation to Provider to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. that Business Associate agrees to make any amendment(s) to PHI maintains in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and (if in within the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activitiesspecified, or services forif cure is not possible, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply Provider may immediately terminate fact its arrangements with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Provider require Business Associate to accessmaintain Designated this Agreement. Record Sets on behalf of Provider), store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond order for Provider to meet the boundaries Patient access and jurisdiction of the United States without express written authorization from DOM(c) EFFECT OF TERMINATION copying requirements under 45 CFR 164.524.

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use use or Disclose PHI disclose Protected Health Information other than as permitted or required by the Service this Agreement or as Required by By Law. b. Business Associate shall agrees use appropriate safeguards and comply comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) Electronic Protected Health Information, to prevent Use use or Disclosure disclosure of PHI the Protected Health Information other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, report to the Covered Entity any use or disclosure of any Use or Disclosure of PHI Protected Health Information not provided for by this Agreement Agreement, including, without limitation, Breaches of which it becomes awareUnsecured Protected Health Information as required at 45 C.F.R. 164.410, and any Security Incident of which it becomes aware. d. . The parties acknowledge and agree that this Section 2(c) constitutes notice by Business Associate agrees to mitigateCovered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as such incidents do not result, to the extent practicable, any harmful effect that is known to Business Associate is aware, in unauthorized access, use or disclosure of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsElectronic Protected Health Information. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. d. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that createif applicable, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) Protected Health Information on behalf of Business Associate will agree in writing to comply with the applicable same restrictions, conditions, and requirements of the Security Rule and Privacy Rule by entering into a that apply to Business Associate under this Agreement and Business Associate shall provide DOM with a copy of all respect to such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreementsProtected Health Information. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. e. Business Associate agrees to make any amendment(s) to PHI available Protected Health Information in a Designated Record Set that DOM directs or agrees to pursuant Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR C.F.R. § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX164.524. n. f. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528. Accounting. VeraMental Inc. acknowledges and agrees to document such Disclosures disclosures of PHI and information related to such Disclosures as would be required for DOM to Covered Entity To respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6C.F.R. §164.528 and, if required by and upon the effective date of, Section 13405(c) years after of the date of disclosure or provide a full accounting HITECH Act and relevant documentation to DOM at the time of termination. o. Business Associate agrees to related regulatory guidance; and provide to DOM or an Individual, in a time and manner designated by DOM, Customer information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a Section. In the event an individual delivers the initial request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528directly to Veramental Inc., VeraMental Inc. shall forward such request to Covered Entity. p. g. To the extent that Business Associate agrees that it shall only use is to carry out one or disclose the minimum PHI necessary to perform functionsmore of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule Subpart E that apply to DOM Covered Entity in the performance of such obligationobligations. r. h. Business Associate agrees to make internal practices, books, and recordsrecords relating to the use and disclosure of Protected Health Information received from, including policies and proceduresor created or received by Business Associate on behalf of, Covered Entity available to the Secretary Secretary, for purposes of the Secretary determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310Rule. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. General Rule of PHI Use and Disclosure. The Business Associate agrees to not Use or Disclose PHI other than as permitted or required by the Service Agreement or as Required by Law. b. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use or Disclosure of PHI other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only may use or disclose PHI it creates for, receives from or on behalf of, the minimum PHI necessary Department to perform functions, activities, activities or services for, or on behalf of, DOM the Department in accordance with the specifications set forth in this BAA, provided that such use or disclosure would not violate the HIPAA Standards if done by the Department; or as specified Required By Law. Any disclosures made by the Business Associate of PHI must be made in accordance with HIPAA Standards and other applicable laws. Notwithstanding any other provision herein to the contrary, the Business Associate shall limit uses and disclosures of PHI to the "minimum necessary," as set forth in the Service AgreementsHIPAA Standards. The Business Associate agrees to comply with any guidance issued use or disclose only a "limited data set" of PHI as defined in the HIPAA Standards while conducting the authorized activities herein and, except where a "limited data set" is not practicable in order to accomplish those activities. Except as otherwise limited by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rulethis BAA, Business Associate will comply with may use PHI for the requirements proper management and administration of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees or to make internal practicescarry out the legal responsibilities of the Business Associate. Except as otherwise limited by this BAA, booksBusiness Associate may disclose PHI for the proper management and administration of the Business Associate provided that the disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and recordsthe person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Business Associate may use PHI to report violations of law to appropriate federal and state authorities, including policies and procedures, available consistent with 45 CFR § 164.5020). Business Associate may use PHI to provide Data Aggregation services to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with Department as permitted by the Privacy Rule pursuant to 45 C.F.R. § 160.310HIPAA Standards. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. (Privacy Rule) 2.1. Business Associate agrees to fully comply with the requirements under the Privacy Rule applicable to "business associates," as that term is defined in the Privacy Rule and not Use use or Disclose PHI further disclose Protected Health Information other than as permitted or required by the this Agreement, Service Agreement Contracts , or as Required required by Lawlaw. In case of any conflict between this Agreement and Service Contracts, this Agreement shall govern. b. 2.2. Business Associate shall use appropriate agrees to implement administrative, physical, and technical safeguards , including policies, that reasonably and comply with Subpart C appropriately protect the confidentiality, integrity, and availability of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) any PHI, including EPHI, that it creates, receives, maintains, or that it transmits on behalf of Covered Entity, to prevent Use the use or Disclosure disclosure of PHI other than as provided for by this Agreement. Said safeguards shall include, but are not limited to, requiring employees to agree to use or disclose PHI only as permitted or required by this Agreement and taking related disciplinary actions for inappropriate use or disclosure of PHI, as necessary. c. 2.3. Business Associate agrees shall, following a Breach of Unsecured Protected Health Information, as defined in the HITECH Act, immediately notify the Covered Entity pursuant to notify DOM the terms of 45 C.F.R. § 164.410 and cooperate in the Covered Entity's analysis procedures, including risk assessment, if requested. A Breach shall be treated as discovered by the Business Associate as of the first day on which such Breach is known, or should have been known, or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will provide notification to the Covered Entity without unreasonable delay and in no event later than seventy-two five (725) hours after discovery, business days of any Use suspected or Disclosure actual Breach of PHI security, intrusion, or unauthorized use or disclosure. Such notification will contain the elements required in 45 C.F.R. § 164.410. 2.4. Business Associate shall, pursuant to the HITECH Act and its implementing regulations, comply with all additional applicable requirements of the Privacy Rule, includi ng those contained in 45 C.F.R. §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the requirements become applicable to business associates. Business Associate will not provided accept payment in exchange for by PHI, subject to the exceptions contained in the HITECH Act, without a valid authorization from the applicable patient/Individual. Business Associate shall not engage in any communication which might be considered marketing under the HITECH Act. Further, Business Associate shall, pursuant to the HITECH Act and its implementing regulations, comply with applicable requirements of the Security Rule, contained in 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316, at such time as the requirements are applicable to business associates. 2.5. Business Associate shall within ten (10) business days of a written request from the Covered Entity and its agents or subcontractors allow the Covered Entity to conduct a reasonable inspection of the facility, systems, books, records agreements, policies, and procedures relating to the use or disclosure of Protected Health Information pursuant to this Agreement for the purpose of which it becomes aware, and any Security Incident monitoring compliance with the terms of which it becomes awarethis Agreement. d. 2.6. Business Associate shall require any agent, including a subcontractor, to whom it provides PHI received from, created, or received by Business Associate on behalf of Covered Entity or that carries out any duties for the Business Associate involving the use, custody, disclosure, creation of, or access to PHI, to agree, by written contract with Business Associate, to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. 2.7. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission agrees to require its employees, agents, and subcontractors to immediately report, to Business Associate, any use or disclosure of their Subcontractors’ Protected Health Information in violation of this Agreement, and to report to Covered Entity any use or disclosure of PHI not provided by or agreed upon in this Agreement. 2.8. If Business Associate Agreement(s) to DOM does not constitute DOM approval of any kindreceives PHI from Covered Entity in a Designated Reco rd Set, including of the use of such Subcontractors or of the adequacy of such agreements. l. then Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXXCovered Entity, to PHI in a Designated Record Set, Set to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual in order to meet the requirements under 45 CFR C.F.R. § 164.524, provided that Business Associate shall have at least thirty (30) days from Covered Entity's notice to provide access to or deliver such information. m. 2.9. If Business Associate receives Protected Health Information from Covered Entity in a Designated Record Se t, then Business Associate agrees to make any amendment(s) amendments to PHI Protected Health Information in a Designated Record Set that DOM the Covered Entity directs or agrees to pursuant to 45 CFR C.F.R. § 164.526 at the request of DOM Covered Entity or an Individual, and in the time and manner designated by XXXCovered Entity, provided that Business Associate shall have at least thirty (30) days from Covered Entity notice to make an amendment. n. 2.10. Business Associate agrees to make its internal practices, books, and records , including policies and procedures and Protected Health Information, relating to the use and disclosure of PHI received from, created by , or received by Business Associate on behalf of Covered Entity, available to the Covered Entity or to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of determining Covered Entity's or Business Associate's compliance with the Privacy Rule. 2.11. Business Associate agrees to document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosure of PHI in accordance with 45 CFR C.F.R. § 164.528. 2.12. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM Covered Entity or an Individual, in a time and manner designated by DOMCovered Entity, information collected in accordance with section (III)(h) of this Agreement, to permit XXX Covered Entity to respond to a request by an Individual for an and accounting of Disclosures disclosures of PHI Protected Health Information in accordance with 45 CFR C. F.R. § 164.528, provided that Business Associate shall have at least thirty (30) days from Covered Entity notice to provide access to, or deliver such information which shall include, at minimum, (a) date of the disclosure; (b) name of the third party to whom the Protected Health Information was disclosed and, if known, the address of the third party; (c) a brief description of the disclosed information; and (d) a brief explanation of the purpose and basis for such disclosure. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements2.13. Business Associate agrees it must use reasonable efforts to comply limit any use, disclosure, or request for use or disclosure of PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request in accordance with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes requirements of the Privacy Rule. 2.14. Covered Entity may, and pursuant to the Privacy Rule, reasonably rely on any requested disclosure as the minimum necessary policies and procedures communicated to for the stated purpose when the information is requested by Business Associate. 2.15. Business Associate by DOM. q. acknowledges that if Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under is also a covered entity, as defined by the Privacy Rule, Business Associate is required, independent of Business Associate's obligations under this Agreement, to comply with the Privacy Rule's minimum necessary requirements when making any request fo r PHI from Covered Entity. 2.16. Business Associate agrees to adequately and properly maintain all Protected Health Information received from, or created or received on behalf of, Covered Entity, document subsequent uses and disclosures of such information by Business Associate, and upon request, provide Covered Entity with reasonable access to examine and copy such records and documents during normal business hours of Business Associate. 2.17. Business Associate agrees that Covered Entity may at any time review Busi ness Associate's privacy policies and procedures to determine whether they are consistent with Covered Entity's policies, procedures, and privacy practices, and shall promptly notify Business Associate in writing regarding any modifications Covered Entity may reasonably believe are needed in order to meet Covered Entity’s requirements. 2.18. If Business Associate receives a request from an Individual for a copy of the Individual's Protected Health Information, and the Protected Health Information is in the sole possession of the Business Associate, Business Associate will comply provide the requested copies to the Individual and notify the Covered Entity of such action. If Business Associate receives a request for PHI in the possession of the Covered Entity, or receives a request to exercise other Individual rights as set forth in the Privacy Rule, Business Associate shall notify Covered Entity of such request and forward the request to Covered Entity. Business Associate shall then assist Covered Entity in responding to the request. 2.19. Business Associate agrees to fully cooperate in good faith with and to assist Covered Entity in complying with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.Rule

Obligations and Activities of Business Associate. a. 3.1 Business Associate acknowledges and agrees that all Protected Health Information that is created, received, stored or transmitted by the Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or created, received, stored or transmitted by Business Associate on Covered Entity’s behalf shall be subject to this Agreement. 3.2 Business Associate agrees to not Use use or Disclose PHI further disclose Protected Health Information other than as permitted or required by the Service Services Agreement or as Required required by Lawlaw. b. 3.3 Business Associate shall agrees to use appropriate safeguards to prevent any use or disclosure of Protected Health Information other than as provided by this Agreement, and to comply with Subpart C of 45 C.F.R. CFR Part 164 with respect to electronic PHI (ePHI) and HITECH Standards to prevent Use use or Disclosure disclosure of PHI Protected Health Information other than as provided for by this Agreement. c. 3.4 Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, report to Covered Entity any use or disclosure of any Use or Disclosure of PHI Protected Health Information not provided for by this Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information as required by at 45 CFR § 164.410, and any Security Incident of which it becomes aware. Business Associate will make this report to the Covered Entity’s Privacy Officer and Security Officer within twenty-four (24) hours after discovery. This report will include at least the following information (a) nature of the non-permitted or violating use or disclosure or Security Incident; and (b) the PHI used or disclosed (c) the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, used, or disclosed during the breach (d) any other information requested by Covered Entity that must be included in the notification to the individual pursuant to at 45 CFR § 164.404. d. 3.5 In the event of a potential or actual Breach, Business Associate agrees shall cooperate with the Covered Entity to mitigateinvestigate, perform risk analyses, notify appropriate government , regulatory authorities, media, or individuals as required by law or generate statute and to the extent practicable, mitigate any harmful effect that is known to Business Associate and the Covered Entity as a result of a Use use or Disclosure disclosure of PHI Protected Health Information by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Agreement. The Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery shall be responsible for the direct costs of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, implementing these efforts to the extent possible and subsequently as that the information becomes availableactual or potential Breach is caused by the willful neglect, material breach or violation of the identification of all Individuals whose Unsecured PHI is reasonably believed Agreement by the Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410Associate. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. 3.6 In accordance with 45 C.F.R. §CFR § 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees may disclose protected health information to ensure a downstream business associate that any subcontractors that is an agent or subcontractor and may allow the agent or subcontractor to create, receive, maintain, or transmit protected health information Protected Health Information on its behalf of only if the Business Associate agree enters and maintains a written agreement with the agent or subcontractor pursuant to which the agent or subcontractor agrees to the same restrictions, conditions, and requirements that apply through this Agreement to Business Associate with respect to such information. This requirement applies to any person or entity who performs functions or activities that involve access to information created, received, maintained, or transmitted by the Business Associate. Nothing in this Section shall be deemed to permit a Business Associate to use an agent or subcontractor not approved by Covered Entity to perform work as may be provided in the Services Agreement. 3.7 Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree make available Protected Health Information in a designated record set to comply with the applicable requirements of Covered Entity to the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, extent and in the time and manner designated required by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. 3.8 Business Associate agrees to make any amendment(s) to PHI Protected Health Information in a Designated Record Set that DOM directs designated record set as directed or agrees agreed to by the Covered Entity pursuant to 45 CFR § 164.526 at the request of DOM 164.526; or an Individual, and in the time and manner designated by XXXtake other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526. n. 3.9 Business Associate agrees to document such Disclosures of PHI maintain and make available the information related required to such Disclosures as would be required for DOM to respond to a request by an Individual for provide an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees disclosures to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation Covered Entity as necessary to DOM at satisfy the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with Covered Entity’s obligations under 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. 3.10 Business Associate agrees to make internal practices, books, and recordsrecords relating to the use and disclosure of Protected Health Information created, including policies and proceduresreceived, maintained, or transmitted by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary of Health and Human Services. 3.11 Business Associate agrees to document any disclosures of and make Protected Health Information available for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to accounting of disclosures, as required under 45 C.F.R. CFR § 160.310164.528. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. (a) Business Associate agrees to not Use use or Disclose further disclose PHI other than as required by law, the Agreement, or as permitted or required by the Service Agreement or as Required by Lawthis BAA. b. (b) Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) PHI, to prevent Use use or Disclosure disclosure of the PHI other than as provided for by this AgreementBAA. c. (c) Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of report to Covered Entity any Use use or Disclosure disclosure of PHI not provided for by this Agreement BAA of which it becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R § 164.410, and any Security Incident of which it becomes aware. d. . The Parties agree this section constitutes notice by Business Associate agrees to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.! (d) In the event of a Breach of any Unsecured PHI that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall provide notice of such Breach to Covered Entity immediately, but in any event not more than 7 business days after discovering the Breach or, by exercising reasonable diligence would have discovered the Breach. Notice of a Breach shall include, to the extent known to Business Associate: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, (iii) a description of the types of unsecured PHI that were involved in the Breach, (iv) the scope of the Breach, (v) a description of the Business Associate’s response to the Breach, and (vi) and steps Business Associate is taking to protect against any further breaches. In the event of a Breach, Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect of such Breach that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAssociate. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72e) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any agents and subcontractors that create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate agree to the same substantially similar restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. (f) Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, records available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant HIPAA Regulations. (g) Business Associate agrees to maintain and make available to Covered Entity, within ten (10) business days following a written request, information necessary to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 160.310164.528. s. (h) If Business Associate maintains information in a Designated Record Set, it agrees that nothing to make available to Covered Entity, within ten (10) business days following a written request, PHI in this Agreement shall permit such Designated Record Set, in order for Covered Entity to respond to individuals’ requests for access to information about them in accordance with 45 C.F.R § 164.524. If Business Associate maintains, on behalf of Covered Entity, information in an electronic Designated Record Set, Business Associate shall provide such information in the electronic format to accessCovered Entity upon request, storeor, shareif directed by the Covered Entity, maintaindirectly to a requesting individual. (i) If Business Associate maintains information in a Designated Record Set, transmit it agrees to make any amendments or use or disclose corrections to PHI in any form via any medium such Designated Record Set within ten (10) business days following a written request by the Covered Entity in accordance with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM45 C.F.R. § 164.526.

Obligations and Activities of Business Associate. a. a) Business Associate agrees to not Use use or Disclose disclose PHI other than as permitted or required by this Agreement, any underlying agreement between the Service Agreement parties, or as Required by By Law. b. b) Business Associate shall will limit requests for and the use and disclosure of PHI to the minimum necessary PHI to accomplish the intended purpose of such use, disclosure or request, and as applicable, in accordance with the regulations and guidance issued by the Secretary on what constitutes the minimum necessary for Business Associate to perform its obligations to Covered Entity under this Agreement, any underlying agreement, or as Required By Law. c) Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use the use or Disclosure disclosure of PHI other than as provided for by this Agreement. c. d) Business Associate agrees to notify DOM without unreasonable delay implement administrative, physical and no later than seventy-two (72) hours after discoverytechnical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any Use Electronic PHI that it creates, receives, maintains or Disclosure transmits on behalf of PHI not provided for by this Agreement Covered Entity. Business Associate shall comply with all requirements of which it becomes aware, and any the Security Incident of which it becomes awareRule. d. e) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsAgreement. e. f) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware as soon as practicable, and in no event later than thirty (30) calendar days. To the extent that Business Associate creates, receives, maintains or transmits Electronic PHI, Business Associate agrees to report as soon as practicable, and in no event later than thirty (30) calendar days, to Covered Entity any Security Incident, as determined by Business Associate, involving PHI of which Business Associate becomes aware. Notwithstanding the foregoing, Business Associate and Covered Entity acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature, such as pings and port scans, and Covered Entity acknowledges and agrees that no additional notification to Covered Entity of such unsuccessful Security Incidents is required. g) Following Business Associate’s discovery of a Breach of Unsecured PHI, Business Associate shall notify DOM Covered Entity of the Breach without unreasonable delay, and in no event later than seventy-two thirty (7230) hours calendar days after discovery Business Associate, or any of any actual its employees or suspected Breach of Unsecured PHIagents, all in accordance with 45 C.F.R. § 164.410discovered the Breach. The Such notification shall include, to the extent possible and subsequently as the information becomes availablepossible, the identification of all Individuals each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been Breached along with been, accessed, acquired, used, or disclosed during the Breach and any other information available information that to Business Associate about the Breach which is required to be included in the notification of the Breach provided to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all Individual in accordance with 45 C.F.R. § 164.410§164.404(c). g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15h) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii164.308(b)(2) and 164.308(b)(2164.502(e)(1)(ii), Business Associate agrees to ensure obtain satisfactory assurances that any subcontractors that create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate agree in writing to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information; such assurances shall be documented in a Business Associate Agreement entered into by Business Associate and each subcontractor that creates, receives, maintains, or transmits PHI of behalf of Business Associate. Moreover, Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, such agent or transmit electronic PHI (ePHIsubcontractor agrees to implement reasonable and appropriate safeguards to protect Covered Entity’s Electronic PHI. i) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXXCovered Entity, and in the a time and manner designated by XXXmutually acceptable to Business Associate and Covered Entity, to PHI in a Designated Record SetSet to Covered Entity, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR C.F.R. § 164.524, to the extent applicable to Business Associate. m. j) Business Associate agrees to make any amendment(s) to PHI in its possession contained in a Designated Record Set that DOM Covered Entity directs or agrees to pursuant to 45 CFR C.F.R. § 164.526 at the request of DOM or an IndividualCovered Entity, and in the a time and manner designated by XXXmutually acceptable to Business Associate and Covered Entity and to the extent applicable to Business Associate. n. k) Business Associate agrees to document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR C.F.R. § 164.528. Business Associate agrees , and shall provide such information to retain such documentation Covered Entity if needed to respond to an individual’s request for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individualaccounting, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated mutually acceptable to Business Associate by DOM. q. Business Associate agrees that and Covered Entity and to the extent that applicable to Business Associate. l) Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to shall make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of determining Covered Entity’s or Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310Rule. s. m) To the extent Business Associate agrees that nothing in this Agreement shall permit is to carry out Covered Entity’s obligations under the Privacy Rule, Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium shall comply with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction requirements of the United States without express written authorization from DOMPrivacy Rule that apply to Covered Entity in the performance of such delegated obligation.

Obligations and Activities of Business Associate. a. A. Business Associate agrees to shall not Use use or Disclose disclose PHI other than as permitted or required by the Service Agreement this Addendum or as Required required by Lawlaw. b. B. Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of the PHI other than as provided for by this Agreement. c. Addendum. Business Associate agrees to notify DOM without unreasonable delay implement administrative, physical and no later than seventy-two (72) hours after discoverytechnical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any Use EPHI that Business Associate creates, receives, maintains or Disclosure transmits on behalf of Covered Entity, as provided for in the Security Rule. C. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement Addendum of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any Security Incident security incident of which it becomes aware. Notice is hereby given that Business Associate may, from time to time, experience unsuccessful security incidents that do not result in unauthorized access to or use of PHI and are associated with ordinary network traffic, including broadcast attacks on firewalls or edge servers, port scans, unsuccessful log‐on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar incidents. Covered Entity acknowledges that Business Associate has satisfied its obligation to provide notice of the above-described unsuccessful security incidents to Covered Entity. d. D. Following the discovery of a Breach of unsecured PHI, Business Associate agrees to mitigate, to shall notify the extent practicable, any harmful effect that is known to Business Associate Covered Entity in writing of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM such Breach without unreasonable delay, delay and in no event later than seventy-two thirty (7230) hours calendar days after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410the discovery. The Such notification shall include, to the extent possible and subsequently as the information becomes available, include the identification of all Individuals each individual whose Unsecured unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed during the Breach. A Breach shall be treated as discovered as of the first day on which such Breach is known or reasonably should have been known by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410Associate. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. E. In accordance with 45 C.F.R. §§ CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to shall ensure that any subcontractors that create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and . F. Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to make available PHI in a Designated Record Set, designated record set to DOM or, the Individual or the Individual’s designee as directed by XXX, necessary to an Individual in order to meet the requirements satisfy Covered Entity’s obligations under 45 CFR § 164.524. m. G. To the extent applicable, Business Associate agrees to shall make any amendment(s) to PHI in a Designated Record Set that DOM directs designated record set as directed or agrees agreed to by the Covered Entity pursuant to 45 CFR § 164.526 at the request of DOM 164.526, or an Individual, and in the time and manner designated by XXXtake other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. n. H. Business Associate agrees shall maintain and make available the information required to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for provide an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees disclosures to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI Covered Entity as necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOMsatisfy Covered Entity’s obligations under 45 CFR 164.528 I. To the Privacy Ruleextent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate will shall comply with the requirements of the Privacy Rule Subpart E that apply to DOM the Covered Entity in the performance of such obligation.obligation(s); r. J. Business Associate agrees to shall make its internal practices, books, and records, including policies and procedures, records available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310HIPAA Rules. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. (a) Business Associate agrees to not Use or Disclose PHI Protected Health Information other than as permitted or required by the Service Agreement or this BA Agreement, as Required by Law, or as contemplated by the Terms of Use. b. (b) Business Associate shall agrees to use appropriate safeguards and comply safeguards, including compliance with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) Protected Health Information, to prevent Use or Disclosure of PHI the electronic Protected Health Information other than as provided for permitted by this BA Agreement. c. (c) Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of report to Covered Entity's Privacy Official any Use or Disclosure of PHI Protected Health Information not provided for by this BA Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 C.F.R. §164.410, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate. For reports of incidents constituting a Breach, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification report shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals each individual whose Unsecured PHI Protected Health Information has been, or is reasonably believed by Business Associate to have been Breached along been, accessed, acquired, or Disclosed during such Breach. Security Incidents that do not result in any unauthorized access, use, disclosure, modification, destruction of information or interference with any other available information that is required to system operations will be included reported in the notification aggregate upon written request of Covered Entity in a manner and frequency mutually acceptable to the Individualparties. Business Associate hereby reports to Covered Entity that incidents including, HHSbut not limited to, and/or the mediaping sweeps or other common network reconnaissance techniques, all attempts to log on to a system with an invalid password or username, and denial of service attacks that do not result in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410a server being taken off line, may occur from time to time. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10d) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ §164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, conditions and requirements that apply through this BA Agreement to Business Associate with respect to such information. . (e) To the extent Business Associate has Protected Health Information in a Designated Record Set, and only to the extent required by HIPAA, Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI make available Protected Health Information in a Designated Record Set, to DOM or, Covered Entity as directed by XXX, necessary to an Individual in order to meet the requirements satisfy Covered Entity's obligations under 45 CFR § C.F.R. §164.524. The Parties agree and acknowledge that it is Covered Entity's responsibility to respond to all such requests. m. (f) Business Associate agrees to make Protected Health Information available for purposes of any amendment(s) to PHI Protected Health Information in its possession contained in a Designated Record Set that DOM directs or agrees as agreed to by Covered Entity pursuant to 45 CFR § C.F.R. §164.526 at the request of DOM or an Individual, take other measures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. §164.526. The Parties agree and in the time and manner designated by XXXacknowledge that it is Covered Entity's responsibility to respond to all such requests. n. (g) Business Associate agrees to document such Disclosures maintain and make available the information required to provide an accounting of PHI disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. §164.528. The Parties agree and information related to such Disclosures as would be required for DOM acknowledge that it is Covered Entity's responsibility to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. all such requests. (h) To the extent Business Associate agrees is to retain such documentation for at least six (6) years after carry out one or more of Covered Entity's obligations under Subpart E of 45 C.F.R. Part 164 of the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an IndividualHIPAA Rules, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule Subpart E that apply to DOM Covered Entity in the performance of such obligationobligation(s). r. (i) Business Associate agrees to make its internal practices, books, and records, including policies records related to Business Associate's use and procedures, disclosure of Protected Health Information received from Covered Entity available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310HIPAA Rules. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. Business Associate agrees to will: a. not Use use or Disclose PHI disclose Protected Health Information that it receives from or on behalf of Athena or that it creates on behalf of Athena (collectively “PHI”) other than as permitted or required by the Service Agreement this Appendix, or as Required required by Law.law; b. Business Associate shall not use or disclose PHI in a manner that would violate the requirements of the Privacy Rule when done by Athena, except as permitted by Section 3, below; c. use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of the PHI other than as provided for by this Agreement. c. Business Associate agrees Appendix and shall, after the compliance date of the HIPAA Final Rule, comply with the Security Rule with respect to notify DOM without unreasonable delay and no later Electronic PHI, to prevent use or disclosure of such information other than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not as provided for by the Agreement and this Agreement of which it becomes awareAppendix; d. implement administrative, physical, and any Security Incident technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of which it becomes aware.PHI (including electronic PHI); d. Business Associate agrees to e. mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use use or Disclosure disclosure of PHI by Business Associate in Violation violation of the requirements of this Appendix; f. report to Athena as soon as practicable and as required by HIPAA and the HITECH Act, as implemented by the HIPAA Omnibus Final Rule (“HIPAA Final Rule”) and any subsequent amendment thereto, or any subsequent rule or regulation interpreting or modifying HIPAA or the HITECH Act, any use or disclosure of PHI by Business Associate other than as provided for by this Agreement and take prompt steps any Security Incident (as defined in the Security Rule) with respect to prevent the recurrence electronic PHI; g. upon discovery of any IncidentBreach involving Unsecured PHI, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM Athena of that Breach without unreasonable delay; provided, however, that the parties acknowledge and agree that this Section constitutes notice by Business Associate to Athena of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Athena by Business Associate shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no later than seventy-two such incident results in unauthorized access, use, or disclosure of PHI. Business Associate's notification to Athena shall include (72i) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall includeidentification, to the extent possible and subsequently as the information becomes availablepossible, the identification of all Individuals each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been Breached along with accessed, used, or disclosed through the Breach; (ii) any other available information known to Business Associate that Athena is required to include in its notice to affected individuals; and (iii) any other information that is required would need to be included in Athena's accounting of disclosures under HIPAA or the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business AssociateHITECH Act, as applicable, demonstrates there is a low probability implemented by the PHI has been compromised HIPAA Final Rule and any subsequent amendment thereto or one of any subsequent rule or regulation interpreting or modifying HIPAA or the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410.HITECH Act; g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to h. ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incidentagent, including costs associated with mitigation of the Incident and preparation and delivery of notices a subcontractor, to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate whom it provides PHI agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements.; l. Business Associate agrees to i. provide access, at the request of XXX, and in the time and manner designated by XXXAthena, to PHI in a Designated Record Set, to DOM Athena or, as directed by XXXAthena, to an Individual in order to meet the requirements under 45 CFR § 164.524.; m. Business Associate agrees to j. make any amendment(s) each amendment to PHI in a Designated Record Set that DOM Athena directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM Athena or an Individual; k. make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary, in the a time and manner designated by XXX.the Secretary, for purposes of the Secretary determining Athena's compliance with the Privacy Rule; n. Business Associate agrees to l. document such Disclosures disclosures of PHI and information related to such Disclosures disclosures as would be required for DOM Athena to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination.; o. Business Associate agrees to m. provide to DOM Athena or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX Athena to respond to a request by an that Individual for an accounting of Disclosures disclosures of PHI in accordance with 45 CFR § 164.528.; n. establish and enforce appropriate clearance procedures and supervision to assure that its workforce follows requirements consistent with HIPAA; o. act immediately and effectively to terminate access to PHI of any of its staff upon such staff member's termination or reassignment; p. Business Associate agrees provide appropriate training for its staff to assure that it shall only use or disclose its staff complies with its obligations consistent with the minimum PHI necessary requirements of HIPAA; and q. implement appropriate (i) disposal and reuse procedures with respect to perform functionsdocuments and equipment, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule(ii) authentication and access controls, and any minimum necessary policies and procedures communicated (iii) appropriate encryption to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply protect PHI consistent with the requirements of the Privacy Rule that apply to DOM in the performance of such obligationSecurity Rule. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. (a) Business Associate agrees to not Use use or Disclose further disclose PHI other than as required by law, or as permitted or required by the Service Agreement or as Required by Lawthis Agreement. b. (b) Business Associate shall agrees to use appropriate safeguards safeguards, and comply comply, where applicable with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) protected health information, to prevent Use use or Disclosure disclosure of the PHI other than as provided for by this Agreement. c. (c) Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of report to Covered Entity any Use use or Disclosure disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R § 164.410, and any Security Incident of which it becomes aware. The Parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. The Parties agree that this Section satisfies any notice requirements of Business Associate to Covered Entity of the ongoing existence and occurrence of such attempted but Unsuccessful Security Incidents. d. (d) In the event of a Breach of any Unsecured PHI that Business Associate agrees accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall provide notice of such Breach to Covered Entity immediately, but in any event not more than ten (10) days after discovering the Breach. Notice of a Breach shall include, at a minimum: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, (iii) the scope of the Breach, and (iv) a description of the Business Associate’s response to the Breach. In the event of a Breach, Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect of such Breach that is known to Business Associate of a Use or Disclosure of PHI by Associate. In the event that Business Associate lacks any information required to be disclosed in Violation of the requirements of initial notice required under this Agreement and take prompt steps to prevent the recurrence of any IncidentSection, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, provide regular updates to the extent possible and subsequently notice as the such information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10e) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any agents and subcontractors that create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. (f) Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM in the performance of such obligation. r. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, records available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310HIPAA Regulations. s. (g) Business Associate agrees that nothing in this Agreement shall permit Business Associate to accessmaintain and make available to Covered Entity, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.within thirty

Obligations and Activities of Business Associate. a. (a) Business Associate agrees to not Use use or Disclose further disclose PHI other than as permitted or required by this Agreement, the Service Agreement Services Agreement, or as Required permitted or required by Lawlaw. b. (b) Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use use or Disclosure disclosure of the PHI other than as provided for by this Agreement. c. (c) In accordance with the HIPAA Standards, Business Associate shall implement Administrative, Physical and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of ePHI that it creates, receives, maintains or transmits on behalf of the Covered Entity. Specifically, Business Associate shall comply with the Security Standards. (d) Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of report to Covered Entity any Use use or Disclosure disclosure of PHI not provided for by this Agreement of which it Business Associate becomes aware. Additionally, and Business Associate shall report to Covered Entity any Security Incident resulting in an unauthorized use or disclosure of ePHI of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two becomes aware within twenty (7220) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410business days. The notification shall include, to the extent possible parties acknowledge and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed agree that this Section 2(d) constitutes notice by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one Covered Entity of the exceptions ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to the definition of Breach appliesCovered Entity shall be required. “Unsuccessful Security Incidents” means, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperatewithout limitation, coordinate with, pings and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to other broadcast attacks on Business Associate’s conduct or status as a business associate for DOMfirewall, regardless port scans, unsuccessful log-on attempts, denial of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Ruleservice attacks, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements combination of the Privacy Rule that apply to DOM above, so long as no such incident results in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to unauthorized access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction disclosure of the United States without express written authorization from DOMPHI.

Obligations and Activities of Business Associate. a. A. Business Associate agrees not to not Use use or Disclose disclose PHI other than as permitted or required by the Service Agreement Agreement, this Agreement, or as Required required by Law. b. law. Business Associate shall use appropriate safeguards and will comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use or Disclosure of PHI other than as provided for by this Agreement. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements provisions of this Agreement related to privacy and take prompt steps security of PHI and the Regulations, as they may be modified from time to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delaytime, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, that are applicable to the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM Covered Entity or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an Individual, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to To the extent that Business Associate carries out DOMperforms any of Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to DOM Covered Entity in the performance of such obligation. r. B. Business Associate agrees to use appropriate administrative, physical and technical safeguards, and comply with the Security Rule with respect to electronic PHI, to prevent the use or disclosure of the PHI other than as provided for by this Agreement. Business Associate acknowledges and agrees that under the HITECH Act (i) the requirements of Sections 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical safeguards) and 164.316 (policies and procedures and documentation requirements) of the Security Rule apply to Business Associate in the same manner that such sections apply to Covered Entity, and (ii) the additional requirements of the HITECH Act that relate to security and that are made applicable to Covered Entity shall also be applicable to Business Associate (with such security requirements in (i) and (ii) above collectively referred to as the “HITECH Act Security Requirements”). Business Associate shall comply with the HITECH Act Security Requirements which shall be, by this reference, incorporated into this BA Agreement. Unless Covered Entity agrees, in writing, that this requirement is infeasible with respect to particular data, Business Associate shall secure all Protected Health Information by a technology standard that renders Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals consistent with guidance issued by the Secretary, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by the HITECH Act. Business Associate shall ensure that any agents and subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree to comply with the same restrictions, conditions, and requirements that apply through this Agreement or otherwise to Business Associate with respect to such information. Business Associate shall enter into written agreements with any subcontractors, and the terms of such agreements shall incorporate the applicable requirements of, and otherwise comply with, the Regulations. Business Associate will make available during normal business hours at Business Associate’s offices all records, books, agreements, internal practices, policies and procedures relating to the use or disclosure of PHI to the Secretary, in a time and manner designated by the Secretary, for purposes of determining compliance with the Regulations, subject to attorney-client and other applicable legal privileges. Business Associate will provide documentation regarding any disclosures by Business Associate that would be required for an accounting of disclosures to an Individual under 45 CFR § 164.528 and the HITECH Act, within a reasonable amount of time of receipt of a request from Covered Entity. Any request under § 164.528 from an Individual made directly to Business Associate will be referred within five (5) business days to Covered Entity. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make internal practicesPHI available for amendment and incorporate any amendments to PHI in accordance with the requirements of 45 C.F.R. § 164.526. Any request under § 164.526 from an Individual made directly to Business Associate will be referred within five (5) business days to Covered Entity. To the extent Business Associate maintains PHI in a Designated Record Set, books, and records, including policies and procedures, Business Associate agrees to make PHI available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with extent and in the Privacy Rule pursuant to manner required by 45 C.F.R. § 160.310. s. 164.524. Any request under § 164.524 from an Individual made directly to Business Associate will be referred within five (5) business days to Covered Entity. Business Associate agrees that nothing to comply with any requests for restrictions on certain disclosures of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522 and the Regulations and of which Business Associate has been notified by Covered Entity. Business Associate will mitigate, to the extent practicable, any harmful effects from any use or disclosure of PHI by Business Associate not permitted by this Agreement Agreement. Business Associate agrees to notify within five (5) business days the designated Privacy Official of the Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this Agreement, any Security Incident, and any Breach of Unsecured Protected Health Information of which Business Associate becomes aware. Business Associate shall permit provide the following information to Covered Entity within ten (10) business days of discovery of a breach of unsecured PHI except when despite all reasonable efforts by Business Associate to accessobtain the information required, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, circumstances beyond the boundaries and jurisdiction control of the United States Business Associate necessitate additional time. Under such circumstances Business Associate shall provide to Covered Entity the following information as soon as possible and without express written authorization unreasonable delay, but in no event later than thirty (30) calendar days from DOM.the date of discovery of a breach: the date of the breach; the date of the discovery of the breach;

Obligations and Activities of Business Associate. a. Business Associate agrees to not Use or Disclose PHI Protected Health Information other than as permitted or required by the Service this Agreement or as Required by By Law. b. Business Associate shall agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) to prevent Use or Disclosure of PHI Protected Health Information other than as provided for by this Agreement. Business Associate further agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic Protected Health Information, as provided for in the Security Rule and as mandated by Section 13401 of the HITECH Act, as amended from time to time. c. Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI Protected Health Information by Business Associate in Violation violation of the requirements of this Agreement. Business Associate further agrees to report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware, and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulationsin a manner as prescribed herein. e. d. Business Associate agrees to notify DOM report to Covered Entity if it becomes aware of any use or disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHI as required by 45 CFR 164.410, and any Security Incident of which it becomes aware. Notwithstanding anything herein to the contrary, the parties acknowledge and agree that this Agreement shall constitute notice to Covered Entity that Business Associate may periodically experience broadcast attacks on its firewall, port scans, unsuccessful log-on attempts, denials of service and similar unsuccessful security incidents, and Business Associate need not further report such incidents to Covered Entity so long as such incidents do not result in unauthorized access, use or disclosure of PHI. e. If the Breach, as discussed in Part II(d), pertains to Unsecured Protected Health Information, then Business Associate agrees to report any such data Breach to Covered Entity without unreasonable delay, and but in no later event more than seventy-two sixty (7260) hours after days of discovery of said Breach; unless it receives a request to delay such notification from a law enforcement official pursuant to 45 CFR 164.412. Business Associate further agrees, consistent with Section 13402 of the HITECH Act, to provide Covered Entity with information necessary for Covered Entity to meet the requirements of said section, and in a manner and format to be specified by Covered Entity. f. If Business Associate is an Agent of Covered Entity, then Business Associate agrees that any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification Protected Health Information shall include, be reported to Covered Entity immediately after the extent possible and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with becomes aware of said Breach, and under no circumstances later than one (1) business days thereafter. Business Associate further agrees that any compromise of Protected Health Information, other available information that is required to than a Breach of Unsecured Protected Health Information as specified in Part II(e) of this Agreement, shall be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable Covered Entity within ten (10) working days. An impermissible Use or Disclosure business days of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410discovering said compromise. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident areSubcontractor, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. whom Business Associate provides Protected Health Information, agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate further agrees that restrictions and conditions analogous to those contained herein shall be imposed on said Subcontractors via a written agreement that complies with all the requirements specified in §164.504(e)(2). Further, Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI provide copies of said written agreements to Covered Entity within ten (ePHI10) on behalf business days of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business AssociateCovered Entity’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreementsrequest for same. l. h. Business Associate agrees to provide access, at the request of XXX, Covered Entity and in the time and manner designated by XXXduring normal business hours, to PHI Protected Health Information in a Designated Record Set, Set to DOM Covered Entity or, as directed by XXXCovered Entity, to an Individual Individual, in order to meet the Covered Entity’s requirements under 45 CFR § §164.524, provided that Covered Entity delivers to Business Associate a written notice at least three (3) business days in advance of requesting such access. Business Associate further agrees, in the case where Business Associate controls access to Protected Health Information in an Electronic Health Record, or controls access to Protected Health Information stored electronically in any format, to provide similar access in order for Covered Entity to meet its requirements the HIPAA Rules and under Section 13405(c) of the HITECH Act. These provisions do not apply if Business Associate and its employees or Subcontractors have no Protected Health Information in a Designated Record Set of Covered Entity. m. i. Business Associate agrees to make any amendment(s) to PHI Protected Health Information in a Designated Record Set that DOM Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 §164.526, at the request of DOM Covered Entity or an Individual, . This provision does not apply if Business Associate and in the time and manner designated by XXXits employees or Subcontractors have no Protected Health Information from a Designated Record Set of Covered Entity. n. j. Business Associate agrees to document make its internal practices, books and records relating to the use and disclosure of PHI available at the request of the Covered Entity to the Secretary, for purposes of determining Covered Entity's compliance with the Privacy Rule, subject to attorney-client or other applicable legal privileges, for purposes of the Secretary determining Covered Entity's compliance with the HIPAA Rules and the HITECH Act. Business Associate further agrees, at the request of Covered Entity, to provide Covered Entity with demonstrable evidence that its Compliance Information ensures Business Associate’s compliance with this Agreement over time. Business Associate shall have a reasonable time within which to comply with requests for such access and/or demonstrable evidence, consistent with this Agreement. In no case shall access, or demonstrable evidence, be required in less than five (5) business days after Business Associate’s receipt of such request, unless otherwise designated by the Secretary. k. Business Associate agrees to maintain necessary and sufficient documentation of Disclosures of PHI and information related to such Disclosures Protected Health Information as would be required for DOM Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI such Disclosures, in accordance with 45 CFR § 164.528. Business Associate agrees §164.528 as may be amended from time to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of terminationtime. o. l. On request of Covered Entity, Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected Covered Entity documentation made in accordance with section (III)(h) of this Agreement, Agreement to permit XXX Covered Entity to respond to a request by an Individual for an accounting of Disclosures disclosures of PHI Protected Health Information in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary C.F.R. §164.528 as may be amended from time to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreementstime. Business Associate agrees shall provide said documentation in a manner and format to be specified by Covered Entity. Business Associate shall have a reasonable time within which to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, such a request from Covered Entity and any minimum necessary policies and procedures communicated to in no case shall Business Associate by DOMbe required to provide such documentation in less than three (3) business days after Business Associate's receipt of such request. q. m. Except as provided for in this Agreement, in the event Business Associate agrees that receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, Business Associate shall redirect the Individual to the Covered Entity. n. To the extent that Business Associate carries out DOMone or more of Covered Entity’s obligations under the Privacy RuleHIPAA Rules, the Business Associate will must comply with the all requirements of the Privacy Rule HIPAA Rules that apply to DOM in the performance of such obligation. r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available would be applicable to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310Covered Entity. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. (a) Business Associate agrees to not Use or Disclose PHI Protected Health Information other than as permitted or required by the Service Agreement or this BA Agreement, as Required by Law, or as contemplated by the Service Agreement. b. (b) Business Associate shall agrees to use appropriate safeguards and comply safeguards, including compliance with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI) Protected Health Information, to prevent Use or Disclosure of PHI the electronic Protected Health Information other than as provided for permitted by this BA Agreement. c. (c) Business Associate agrees to notify DOM without unreasonable delay and no later than seventy-two (72) hours after discovery, of report to Covered Entity's Privacy Official any Use or Disclosure of PHI Protected Health Information not provided for by this BA Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 C.F.R. §164.410, and any Security Incident of which it becomes aware. d. Business Associate agrees to mitigate. For reports of incidents constituting a Breach, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delay, and no later than seventy-two (72) hours after discovery of any actual or suspected Breach of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification report shall include, to the extent possible and subsequently as the information becomes available, the identification of all Individuals each individual whose Unsecured PHI Protected Health Information has been, or is reasonably believed by Business Associate to have been Breached along been, accessed, acquired, or Disclosed during such Breach. Security Incidents that do not result in any unauthorized access, use, disclosure, modification, destruction of information or interference with any other available information that is required to system operations will be included reported in the notification aggregate upon written request of Covered Entity in a manner and frequency mutually acceptable to the Individualparties. Business Associate hereby reports to Covered Entity that incidents including, HHSbut not limited to, and/or the mediaping sweeps or other common network reconnaissance techniques, all attempts to log on to a system with an invalid password or username, and denial of service attacks that do not result in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410a server being taken off line, may occur from time to time. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10d) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describing, at a minimum, the measures Business Associate has taken and intends to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. In accordance with 45 C.F.R. §§ §164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit protected health information Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, conditions and requirements that apply through this BA Agreement to Business Associate with respect to such information. . (e) To the extent Business Associate has Protected Health Information in a Designated Record Set, and only to the extent required by HIPAA, Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit electronic PHI (ePHI) on behalf of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI make available Protected Health Information in a Designated Record Set, to DOM or, Covered Entity as directed by XXX, necessary to an Individual in order to meet the requirements satisfy Covered Entity's obligations under 45 CFR § C.F.R. §164.524. The Parties agree and acknowledge that it is Covered Entity's responsibility to respond to all such requests. m. (f) Business Associate agrees to make Protected Health Information available for purposes of any amendment(s) to PHI Protected Health Information in its possession contained in a Designated Record Set that DOM directs or agrees as agreed to by Covered Entity pursuant to 45 CFR § C.F.R. §164.526 at the request of DOM or an Individual, take other measures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. §164.526. The Parties agree and in the time and manner designated by XXXacknowledge that it is Covered Entity's responsibility to respond to all such requests. n. (g) Business Associate agrees to document such Disclosures maintain and make available the information required to provide an accounting of PHI disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. §164.528. The Parties agree and information related to such Disclosures as would be required for DOM acknowledge that it is Covered Entity's responsibility to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. all such requests. (h) To the extent Business Associate agrees is to retain such documentation for at least six (6) years after carry out one or more of Covered Entity's obligations under Subpart E of 45 C.F.R. Part 164 of the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an IndividualHIPAA Rules, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule Subpart E that apply to DOM Covered Entity in the performance of such obligationobligation(s). r. (i) Business Associate agrees to make its internal practices, books, and records, including policies records related to Business Associate's use and procedures, disclosure of Protected Health Information received from Covered Entity available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310HIPAA Rules. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.

Obligations and Activities of Business Associate. a. Business Associate agrees to agrees: To not Use use or Disclose disclose PHI other than as permitted or required by the Service Agreement this Agreement, applicable State Laws, or as Required by Law. b. Business Associate shall use . To implement appropriate safeguards administrative, physical and technical safeguards, and comply with Subpart C of 45 C.F.R. CFR Part 164 with respect to electronic PHI (ePHI) Electronic PHI, to prevent Use the use or Disclosure disclosure of PHI other than as provided for by this Agreement. c. Business Associate agrees . Pursuant to notify DOM the HITECH Act and its implementing regulations, to comply with all applicable requirements of the Privacy Rule. To not directly or indirectly receive remuneration in exchange for any PHI, nor engage in any communication involving PHI which might be deemed to be Marketing under the HIPAA Rules, without unreasonable delay and no later than seventy-two (72) hours after discoverythe express written consent of the Covered Entity. To report to Covered Entity any use or disclosure of PHI, of any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, which is not in compliance with the terms of this Agreement, including but not limited to Breaches of Unsecured PHI or personal information, and any Security Incident security incident of which it becomes aware. d. . Following the discovery of a Breach of PHI, to notify the Covered Entity of such Breach pursuant to the terms of 45 CFR §164.410, and cooperate in the Covered Entity’s Breach analysis procedures and risk assessment, if requested. A Breach shall be treated as discovered by Business Associate agrees as of the first day on which such Breach is known to Business Associate or its workforce or, by exercising reasonable diligence, would have been known to Business Associate or its workforce. Business Associate will provide such notification to Covered Entity without unreasonable delay and in no event later than five (5) calendar days after discovery of the Breach. Such notification shall contain the information required by 45 C.F.R. §164.410. To mitigate, to the extent practicable, any the harmful effect that caused by Business Associate’s use or disclosure of PHI which is known to Business Associate in violation of a Use this Agreement or Disclosure by any Breach of PHI by Business Associate in Violation of the requirements of this Agreement and take prompt steps to prevent the recurrence of any IncidentAssociate, including any action required by applicable federal and state laws and regulations. e. Business Associate agrees to notify DOM without unreasonable delayits employees, agents or subcontractors, and no later than seventy-two (72) hours after discovery to provide notice to Covered Entity of any actual or suspected Breach such mitigation efforts. To make its internal practices, books, and records relating to the use and disclosure of Unsecured PHI, all in accordance with 45 C.F.R. § 164.410. The notification shall include, available to the extent possible Secretary of Health and subsequently as the information becomes available, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been Breached along with any other available information that is required to be included in the notification to the Individual, HHS, and/or the media, all in accordance with the data Breach notification requirements set forth in 45 C.F.R.§ 164.410. f. Once an actual or suspected Breach is reported to DOM, Business Associate agrees to provide a written assessment to determine whether the incident is reportable within ten (10) working days. An impermissible Use or Disclosure of protected health information is presumed to be a Breach unless the DOM or Business Associate, as applicable, demonstrates there is a low probability the PHI has been compromised or one of the exceptions to the definition of Breach applies, all in accordance with 45 C.F.R. § 164.410. g. Business Associate agrees to fully cooperate, coordinate with, and assist XXX in gathering information necessary to notify the affected individuals and government agencies following an Incident to ensure that any notices sent in connection with the Incident are, subject to 45 C.F.R. §164.412, sent without unreasonable delay, and in no case more than 60 days after discovery of the Incident, and perform such notifications if so required by DOM in its sole discretion. h. Business Associate agrees to be solely responsible for all costs and expenses incurred as a result of an Incident, including costs associated with mitigation of the Incident and preparation and delivery of notices to affected individuals and government agencies. i. With respect to an Incident, deliver to DOM within fifteen (15) business days after discovery of an Incident a written corrective action plan (“CAP”) describingHuman Services, at a minimumreasonable time and in a reasonable manner or as designated by the Secretary, for purposes of the measures Secretary determining Covered Entity’s compliance with the HIPAA Rules. To ensure that its employees and agents are aware of and agree to the same restrictions and conditions which apply to Business Associate has taken and intends with respect to take to halt or contain the Incident and mitigate the effects of the Incident, and, if the CAP is approved by XXX, promptly and fully implement any remaining requirements of the CAP. j. Business Associate agrees to promptly notify DOM upon notification or receipt of any administrative, civil, or criminal claims, demands, causes of action, lawsuits, or governmental enforcement actions (“Actions”) arising out of or related to this Agreement or PHI, or relating to Business Associate’s conduct or status as a business associate for DOM, regardless of whether DOM and/or Business Associate are named as parties to such Actions. k. . In accordance with 45 C.F.R. §§ 164.502(e)(1)(iiCFR 164.502(e)1)(ii) and 164.308(b)(2), Business Associate agrees to if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. To the extent the Business Associate agrees is to ensure that any Subcontractors that create, receive, maintain, carry out one or transmit electronic PHI (ePHImore of Covered Entity’s obligation(s) on behalf under Subpart E of Business Associate will agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement and Business Associate shall provide DOM with a copy of all such executed agreements between Business Associate and Business Associate’s Subcontractors at least thirty (30) calendar days prior to disclosing any of DOM’s PHI pursuant to said agreements by submitting a written or an electronic copy to DOM’s Privacy Officer at the address included in Section VII(f) of this Agreement. Business Associate understands that submission of their Subcontractors’ Business Associate Agreement(s) to DOM does not constitute DOM approval of any kind, including of the use of such Subcontractors or of the adequacy of such agreements. l. Business Associate agrees to provide access, at the request of XXX, and in the time and manner designated by XXX, to PHI in a Designated Record Set, to DOM or, as directed by XXX, to an Individual in order to meet the requirements under 45 CFR § 164.524. m. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that DOM directs or agrees to pursuant to 45 CFR § 164.526 at the request of DOM or an IndividualPart 164, and in the time and manner designated by XXX. n. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for DOM to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of disclosure or provide a full accounting and relevant documentation to DOM at the time of termination. o. Business Associate agrees to provide to DOM or an Individual, in a time and manner designated by DOM, information collected in accordance with section (III)(h) of this Agreement, to permit XXX to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. p. Business Associate agrees that it shall only use or disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, DOM as specified in the Service Agreements. Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by DOM. q. Business Associate agrees that to the extent that Business Associate carries out DOM’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule Subpart E that apply to DOM the Covered Entity in the performance of such obligationobligation(s). r. Business Associate agrees to make internal practices, books, and records, including policies and procedures, available to the Secretary for purposes of determining Business Associate’s and/or DOM's compliance with the Privacy Rule pursuant to 45 C.F.R. § 160.310. s. Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or use or disclose PHI in any form via any medium with any third party, including Business Associate’s Subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from DOM.