Obligations and Activities of Business Associate. a. Business Associate shall implement appropriate safeguards to prevent unauthorized use or disclosure of all PHI in accordance with HIPAA Privacy Rule and Security Rule with regard to electronic PHI, and Part 2, as applicable.
b. The Business Associate shall immediately notify the Covered Entity’s Privacy Officer at the following email address, XXXXXxxxxxxXxxxxxx@xxxx.xx.xxx after the Business Associate has determined that any use or disclosure not provided for by its contract, including any known or suspected privacy or security incident or breach has occurred potentially exposing or compromising the PHI. This includes inadvertent or accidental uses or disclosures or breaches of unsecured protected health information.
c. In the event of a breach, the Business Associate shall comply with the terms of this Business Associate Agreement, all applicable state and federal laws and regulations and any additional requirements of the Agreement.
d. The Business Associate shall perform a risk assessment, based on the information available at the time it becomes aware of any known or suspected privacy or security breach as described above and communicate the risk assessment to the Covered Entity. The risk assessment shall include, but not be limited to:
I. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
II. The unauthorized person who accessed, used, disclosed, or received the protected health information;
III. Whether the protected health information was actually acquired or viewed; and
IV. How the risk of loss of confidentiality to the protected health information has been mitigated.
e. The Business Associate shall complete a risk assessment report at the conclusion of its incident or breach investigation and provide the findings in a written report to the Covered Entity as soon as practicable after the conclusion of the Business Associate’s investigation.
f. Business Associate shall make available all of its internal policies and procedures, books and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity to the US Secretary of Health and Human Services for purposes of determining the Business Associate’s and the Covered Entity’s compliance with HIPAA and the Privacy and Security Rule, and Part 2, if applicable.
g. Business Associate shall require all of its business associates that receive, use or have access to PHI under the BAA to agree in writing to adhere to the same restrictions and conditions on the use and disclosure of PHI contained herein and an agreement that the Covered Entity shall be considered a direct third party beneficiary of all the Business Associate’s business associate agreements.
h. Within ten (10) business days of receipt of a written request from Covered Entity, Business Associate shall make available during normal business hours at its offices all records, books, agreements, policies and procedures relating to the use and disclosure of PHI to the Covered Entity, for purposes of enabling Covered Entity to determine Business Associate’s compliance with the terms of the BAA and the Agreement.
i. Within ten (10) business days of receiving a written request from Covered Entity, Business Associate shall provide access to PHI in a Designated Record Set to the Covered Entity, or as directed by Covered Entity, to an individual in order to meet the requirements under 45 CFR Section 164.524.
j. Within ten (10) business days of receiving a written request from Covered Entity for an amendment of PHI or a record about an individual contained in a Designated Record Set, the Business Associate shall make such PHI available to Covered Entity for amendment and incorporate any such amendment to enable Covered Entity to fulfill its obligations under 45 CFR Section 164.526.
k. Business Associate shall document any disclosures of PHI and information related to any disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.
l. Within ten (10) business days of receiving a written request from Covered Entity for a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill its obligations to provide an accounting of disclosures with respect to PHI in accordance with 45 CFR Section 164.528.
m. In the event any individual requests access to, amendment of, or accounting of PHI directly from the Business Associate, the Business Associate shall within five (5) business days forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or the Business Associate to violate HIPAA and the Privacy and Security Rule, the Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.
n. Within thirty (30) business days of termination of the Agreement, for any reason, the Business Associate shall return or destroy, as specified by Covered Entity, all PHI received from or created or received by the Business Associate in connection with the Agreement, and shall not retain any copies or back-ups of such PHI in any form or platform.
I. If return or destruction is not feasible, or the disposition of the PHI has been otherwise agreed to in the Agreement, or if retention is governed by state or federal law, Business Associate shall continue to extend the protections of the Agreement, to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for as long as the Business Associate maintains such PHI. If Covered Entity, in its sole discretion, requires that the Business Associate destroy any or all PHI, the Business Associate shall certify to Covered Entity that the PHI has been destroyed.
Appears in 18 contracts
Obligations and Activities of Business Associate. a. The Business Associate shall implement appropriate safeguards to prevent unauthorized notify the Covered Entity’s Privacy Officer immediately after the Business Associate becomes aware of any use or disclosure of all PHI in accordance with HIPAA Privacy Rule and Security Rule with regard to electronic PHI, and Part 2, as applicableprotected health information not provided for by the Agreement including breaches of unsecured protected health information and/or any security incident that may have an impact on the protected health information of the Covered Entity.
b. The Business Associate shall immediately notify the Covered Entity’s Privacy Officer at the following email address, XXXXXxxxxxxXxxxxxx@xxxx.xx.xxx after the Business Associate has determined that any use or disclosure not provided for by its contract, including any known or suspected privacy or security incident or breach has occurred potentially exposing or compromising the PHI. This includes inadvertent or accidental uses or disclosures or breaches of unsecured protected health information.
c. In the event of a breach, the Business Associate shall comply with the terms of this Business Associate Agreement, all applicable state and federal laws and regulations and any additional requirements of the Agreement.
d. The Business Associate shall perform a risk assessment, based on the information available at the time assessment when it becomes aware of any known or suspected privacy or security breach as described of the above and communicate the risk assessment to the Covered Entitysituations. The risk assessment shall include, but not be limited to:
I. : o The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
II. ; o The unauthorized person who accessed, used, disclosed, or received used the protected health information;
III. information or to whom the disclosure was made; o Whether the protected health information was actually acquired or viewed; and
IV. How viewed o The extent to which the risk of loss of confidentiality to the protected health information has been mitigated.
e. . The Business Associate shall complete a the risk assessment within 48 hours of the breach and immediately report at the conclusion of its incident or breach investigation and provide the findings of the risk assessment in a written report writing to the Covered Entity as soon as practicable after the conclusion Entity.
c. The Business Associate shall comply with all sections of the Business Associate’s investigationPrivacy, Security, and Breach Notification Rule.
f. d. Business Associate shall make available all of its internal policies and procedures, books and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity to the US Secretary of Health and Human Services for purposes of determining the Business Associate’s and the Covered Entity’s compliance with HIPAA and the Privacy and Security Rule, and Part 2, if applicable.
g. e. Business Associate shall require all of its business associates that receive, use or have access to PHI under the BAA Agreement, to agree in writing to adhere to the same restrictions and conditions on the use and disclosure of PHI contained herein and an agreement that herein, including the duty to return or destroy the PHI as provided under Section 3 (l). The Covered Entity shall be considered a direct third party beneficiary of all the Business AssociateContractor’s business associate agreementsagreements with Contractor’s intended business associates, who will be receiving PHI pursuant to this Agreement, with rights of enforcement and indemnification from such business associates who shall be governed by standard Paragraph #13 of the standard contract provisions (P-37) of this Agreement for the purpose of use and disclosure of protected health information.
h. f. Within ten five (105) business days of receipt of a written request from Covered Entity, Business Associate shall make available during normal business hours at its offices all records, books, agreements, policies and procedures relating to the use and disclosure of PHI to the Covered Entity, for purposes of enabling Covered Entity to determine Business Associate’s compliance with the terms of the BAA and the Agreement.
i. g. Within ten (10) business days of receiving a written request from Covered Entity, Business Associate shall provide access to PHI in a Designated Record Set to the Covered Entity, or as directed by Covered Entity, to an individual in order to meet the requirements under 45 CFR Section 164.524.
j. h. Within ten (10) business days of receiving a written request from Covered Entity for an amendment of PHI or a record about an individual contained in a Designated Record Set, the Business Associate shall make such PHI available to Covered Entity for amendment and incorporate any such amendment to enable Covered Entity to fulfill its obligations under 45 CFR Section 164.526.
k. i. Business Associate shall document any such disclosures of PHI and information related to any such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.
l. j. Within ten (10) business days of receiving a written request from Covered Entity for a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill its obligations to provide an accounting of disclosures with respect to PHI in accordance with 45 CFR Section 164.528.
m. k. In the event any individual requests access to, amendment of, or accounting of PHI directly from the Business Associate, the Business Associate shall within five two (52) business days forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or the Business Associate to violate HIPAA and the Privacy and Security Rule, the Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.
n. l. Within thirty ten (3010) business days of termination of the Agreement, for any reason, the Business Associate shall return or destroy, as specified by Covered Entity, all PHI received from from, or created or received by the Business Associate in connection with the Agreement, and shall not retain any copies or back-ups up tapes of such PHI in any form or platform.
I. PHI. If return or destruction is not feasible, or the disposition of the PHI has been otherwise agreed to in the Agreement, or if retention is governed by state or federal law, Business Associate shall continue to extend the protections of the Agreement, to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible infeasible, for as so long as the Business Associate maintains such PHI. If Covered Entity, in its sole discretion, requires that the Business Associate destroy any or all PHI, the Business Associate shall certify to Covered Entity that the PHI has been destroyed.
Appears in 13 contracts
Obligations and Activities of Business Associate. a. The Business Associate shall implement appropriate safeguards to prevent unauthorized notify the Covered Entity’s Privacy Officer immediately after the Business Associate becomes aware of any use or disclosure of all PHI in accordance with HIPAA Privacy Rule and Security Rule with regard to electronic PHI, and Part 2, as applicableprotected health information not provided for by the Agreement including breaches of unsecured protected health information and/or any security incident that may have an impact on the protected health information of the Covered Entity.
b. The Business Associate shall immediately notify the Covered Entity’s Privacy Officer at the following email address, XXXXXxxxxxxXxxxxxx@xxxx.xx.xxx after the Business Associate has determined that any use or disclosure not provided for by its contract, including any known or suspected privacy or security incident or breach has occurred potentially exposing or compromising the PHI. This includes inadvertent or accidental uses or disclosures or breaches of unsecured protected health information.
c. In the event of a breach, the Business Associate shall comply with the terms of this Business Associate Agreement, all applicable state and federal laws and regulations and any additional requirements of the Agreement.
d. The Business Associate shall perform a risk assessment, based on the information available at the time assessment when it becomes aware of any known or suspected privacy or security breach as described of the above and communicate the risk assessment to the Covered Entitysituations. The risk assessment shall include, but not be limited to:
I. : o The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
II. ; o The unauthorized person who accessed, used, disclosed, or received used the protected health information;
III. information or to whom the disclosure was made; o Whether the protected health information was actually acquired or viewed; and
IV. How viewed o The extent to which the risk of loss of confidentiality to the protected health information has been mitigated.
e. . The Business Associate shall complete a the risk assessment within 48 hours of the breach and immediately report at the conclusion of its incident or breach investigation and provide the findings of the risk assessment in a written report writing to the Covered Entity as soon as practicable after the conclusion Entity.
c. The Business Associate shall comply with all sections of the Business Associate’s investigationPrivacy, Security, and Breach Notification Rule.
f. d. Business Associate shall make available all of its internal policies and procedures, books and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity to the US Secretary of Health and Human Services for purposes of determining the Business Associate’s and the Covered Entity’s compliance with HIPAA and the Privacy and Security Rule, and Part 2, if applicable.
g. e. Business Associate shall require all of its business associates that receive, use or have access to PHI under the BAA Agreement, to agree in writing to adhere to the same restrictions and conditions on the use and disclosure of PHI contained herein and an agreement that herein, including the duty to return or destroy the PHI as provided under Section 3 (l). The Covered Entity shall be considered a direct third party beneficiary of all the Business AssociateContractor’s business associate agreementsagreements with Contractor’s intended business associates, who will be receiving PHI pursuant to this Agreement, with rights of enforcement and indemnification from such business associates who shall be governed by standard Paragraph #13 of the standard contract provisions (P-37) of this Agreement for the purpose of use and disclosure of protected health information.
h. f. Within ten five (105) business days of receipt of a written request from Covered Entity, Business Associate shall make available during normal business hours at its offices all records, books, agreements, policies and procedures relating to the use and disclosure of PHI to the Covered Entity, for purposes of enabling Covered Entity to determine Business Associate’s compliance with the terms of the BAA and the Agreement.
i. g. Within ten (10) business days of receiving a written request from Covered Entity, Business Associate shall provide access to PHI in a Designated Record Set to the Covered Entity, or as directed by Covered Entity, to an individual in order to meet the requirements under 45 CFR Section 164.524.
j. h. Within ten (10) business days of receiving a written request from Covered Entity for an amendment of PHI or a record about an individual contained in a Designated Record Set, the Business Associate shall make such PHI available to Covered Entity for amendment and incorporate any such amendment to enable Covered Entity to fulfill its obligations under 45 CFR Section 164.526.
k. i. Business Associate shall document any such disclosures of PHI and information related to any such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.
l. j. Within ten (10) business days of receiving a written request from Covered Entity for a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill its obligations to provide an accounting of disclosures with respect to PHI in accordance with 45 CFR Section 164.528.
m. k. In the event any individual requests access to, amendment of, or accounting of PHI directly from the Business Associate, the Business Associate shall within five two (52) business days forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or the Business Associate to violate HIPAA and the Privacy and Security Rule, the Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.
n. l. Within thirty ten (3010) business days of termination of the Agreement, for any reason, the Business Associate shall return or destroy, as specified by Covered Entity, all PHI received from from, or created or received by the Business Associate in connection with the Agreement, and shall not retain any copies or back-ups up tapes of such PHI in any form or platform.
I. PHI. If return or destruction is not feasible, or the disposition of the PHI has been otherwise agreed to in the Agreement, or if retention is governed by state or federal law, Business Associate shall continue to extend the protections of the Agreement, to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible infeasible, for as so long as the Business Associate maintains such PHI. If Covered Entity, in its sole discretion, requires that the Business Associate destroy any or all PHI, the Business Associate shall certify to Covered Entity that the PHI has been destroyed.
Appears in 4 contracts
Obligations and Activities of Business Associate. a. Business Associate shall implement appropriate safeguards to prevent unauthorized use or disclosure of all PHI in accordance with HIPAA Privacy Rule and Security Rule with regard to electronic PHI, and Part 2, as applicable.
b. The Business Associate shall immediately notify the Covered Entity’s Privacy Officer at the following email address, XXXXXxxxxxxXxxxxxx@xxxx.xx.xxx after the Business Associate has determined that any use or disclosure not provided for by its contract, including any known or suspected privacy or security incident or breach has occurred potentially exposing or compromising the PHI. This includes inadvertent or accidental uses or disclosures or breaches of unsecured protected health information.
c. In the event of a breach, the Business Associate shall comply with the terms of this Business Associate Agreement, all applicable state and federal laws and regulations and any additional requirements of the Agreement.
d. The Business Associate shall perform a risk assessment, based on the information available at the time it becomes aware of any known or suspected privacy or security breach as described above and communicate the risk assessment to the Covered Entity. The risk assessment shall include, but not be limited to:
I. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
II. The unauthorized person who accessed, used, disclosed, or received the protected health information;
III. Whether the protected health information was actually acquired or viewed; and
IV. How the risk of loss of confidentiality to the protected health information has been mitigated.
e. The Business Associate shall complete a risk assessment report at the conclusion of its incident or breach investigation and provide the findings in a written report to the Covered Entity as soon as practicable after the conclusion of the Business Associate’s investigation.
f. Business Associate shall make available all of its internal policies and procedures, books and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity to the US Secretary of Health and Human Services for purposes of determining the Business Associate’s and the Covered Entity’s compliance with HIPAA and the Privacy and Security Rule, and Part 2, if applicable.
g. Business Associate shall require all of its business associates that receive, use or have access to PHI under the BAA to agree in writing to adhere to the same restrictions and conditions on the use and disclosure of PHI contained herein and an agreement that the Covered Entity shall be considered a direct third party beneficiary of all the Business Associate’s business associate agreements.
h. Within ten (10) business days of receipt of a written request from Covered Entity, Business Associate shall make available during normal business hours at its offices all records, books, agreements, policies and procedures relating to the use and disclosure of PHI to the Covered Entity, for purposes of enabling Covered Entity to determine Business Associate’s compliance with the terms of the BAA and the Agreement.
i. Within ten (10) business days of receiving a written request from Covered Entity, Business Associate shall provide access to PHI in a Designated Record Set to the Covered Entity, or as directed by Covered Entity, to an individual in order to meet the requirements under 45 CFR Section 164.524.
j. Within ten (10) business days of receiving a written request from Covered Entity for an amendment of PHI or a record about an individual contained in a Designated Record Set, the Business Associate shall make such PHI available to Covered Entity for amendment and incorporate any such amendment to enable Covered Entity to fulfill its obligations under 45 CFR Section 164.526.
k. Business Associate shall document any disclosures of PHI and information related to any disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.
l. Within ten (10) business days of receiving a written request from Covered Entity for a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill its obligations to provide an accounting of disclosures with respect to PHI in accordance with 45 CFR Section 164.528.
m. In the event any individual requests access to, amendment of, or accounting of PHI directly from the Business Associate, the Business Associate shall within five (5) business days forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or the Business Associate to violate HIPAA and the Privacy and Security Rule, the Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.
n. Within thirty (30) business days of termination of the Agreement, for any reason, the Business Associate shall return or destroy, as specified by Covered Entity, all PHI received from or created or received by the Business Associate in connection with the Agreement, and shall not retain any copies or back-ups of such PHI in any form or platform.
I. If return or destruction is not feasible, or the disposition of the PHI has been otherwise agreed to in the Agreement, or if retention is governed by state or federal law, Business Associate shall continue to extend the protections of the Agreement, to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for as long as the Business Associate maintains such PHI. If Covered Entity, in its sole discretion, requires that the Business Associate destroy any or all PHI, the Business Associate shall certify to Covered Entity that the PHI has been destroyed.
Appears in 2 contracts
Obligations and Activities of Business Associate. a. a) Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by this Agreement, any underlying agreement between the parties, or as Required By Law.
b) Business Associate shall implement request, use, and disclose the minimum amount of Protected Health Information necessary to accomplish the purpose of the request, use, or disclosure.
c) Business Associate agrees to use appropriate safeguards safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic protected health information, to prevent unauthorized the use or disclosure of all PHI in accordance with HIPAA Privacy Rule and Security Rule with regard to electronic PHI, and Part 2, Protected Health Information other than as applicableprovided for by this Agreement.
b. The d) Business Associate shall immediately notify agrees to mitigate, to the Covered Entity’s Privacy Officer at the following email addressextent practicable, XXXXXxxxxxxXxxxxxx@xxxx.xx.xxx after the any harmful effect that is known to Business Associate has determined that of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
e) Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by its contract, including any known or suspected privacy or security incident or breach has occurred potentially exposing or compromising this Agreement of which it becomes aware. To the PHI. This includes inadvertent or accidental uses or disclosures or breaches of unsecured protected health information.
c. In the event of a breach, the extent that Business Associate shall comply with the terms of this creates, receives, maintains or transmits Electronic Protected Health Information, Business Associate Agreement, all applicable state and federal laws and regulations and any additional requirements of the Agreement.
d. The Business Associate shall perform a risk assessment, based on the information available at the time it becomes aware of any known or suspected privacy or security breach as described above and communicate the risk assessment agrees to the Covered Entity. The risk assessment shall include, but not be limited to:
I. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
II. The unauthorized person who accessed, used, disclosed, or received the protected health information;
III. Whether the protected health information was actually acquired or viewed; and
IV. How the risk of loss of confidentiality to the protected health information has been mitigated.
e. The Business Associate shall complete a risk assessment report at the conclusion of its incident or breach investigation and provide the findings in a written report to the Covered Entity as soon as practicable after the conclusion of the to Covered Entity any Security Incident, as determined by Business Associate’s investigation.
f. , involving Protected Health Information of which Business Associate shall make available all becomes aware. At the request of its internal policies and procedures, books and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity to the US Secretary of Health and Human Services for purposes of determining the Business Associate’s and the Covered Entity’s compliance with HIPAA and the Privacy and Security Rule, and Part 2, if applicable.
g. Business Associate shall require all of its business associates that receive, use or have access to PHI under the BAA to agree in writing to adhere to the same restrictions and conditions on the use and disclosure of PHI contained herein and an agreement that the Covered Entity shall be considered a direct third party beneficiary of all the Business Associate’s business associate agreements.
h. Within ten (10) business days of receipt of a written request from Covered Entity, Business Associate shall make available during normal business hours at its offices all recordsidentify the date of the Security Incident, booksthe scope of the Security Incident, agreements, policies and procedures relating Business Associate’s response to the use Security Incident and disclosure the identification of PHI the party responsible for causing the Security Incident, if known.
f) Business Associate shall notify Covered Entity without unreasonable delay, and in no event later than sixty (60) calendar days after, if it or any of its employees or agents discovers a Breach of Unsecured Protected Health Information. Such notification shall include, to the extent possible, the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach and any other information available to Business Associate about the Breach which Covered Entity is required to include in the notification of the Breach provided to the Individual in accordance with 45 C.F.R. §164.404(c). A Breach of Unsecured Protected Health Information shall be treated as discovered as of the first day on which such Breach is known or should have been known by Business Associate.
g) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate ensures that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
h) Business Associate agrees to provide access, at the request of Covered Entity, for purposes of enabling Covered Entity and in a time and manner mutually acceptable to determine Business Associate’s compliance with the terms of the BAA Associate and the Agreement.
i. Within ten (10) business days of receiving a written request from Covered Entity, Business Associate shall provide access to PHI Protected Health Information in a Designated Record Set to the Covered Entity, or or, as directed by Covered Entity, to an individual Individual, in order to meet the requirements under 45 CFR Section C.F.R. § 164.524.
j. Within ten (10i) business days of receiving a written request from Covered Entity for an amendment of PHI or a record about an individual Business Associate agrees to make any amendment(s) to Protected Health Information in its possession contained in a Designated Record SetSet that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, the and in a time and manner mutually acceptable to Business Associate shall make such PHI available to and Covered Entity for amendment and incorporate any such amendment to enable Covered Entity to fulfill its obligations under 45 CFR Section 164.526Entity.
k. j) Business Associate shall agrees to document any disclosures of PHI Protected Health Information and information related to any such disclosures as would be required for Covered Entity to respond to a request by an individual Individual for an accounting Accounting of disclosures Disclosures of PHI Protected Health Information in accordance with 45 CFR Section C.F.R. § 164.528.
l. k) Within ten (10) business days (or such other date that Business Associate and Covered Entity may reasonably agree upon) of receiving a written request notice from Covered Entity for that Covered Entity has received a request for an accounting Accounting of disclosures Disclosures of PHIProtected Health Information, Business Associate shall make available agrees to provide to Covered Entity such information as collected to permit Covered Entity may require to fulfill its obligations to provide an accounting make the Accounting of disclosures with respect to PHI Disclosures required in accordance with 45 CFR Section C.F.R. § 164.528.
m. In l) Business Associate agrees to honor any restriction to the event any individual requests access touse or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, amendment of, or accounting of PHI directly from to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information, the upon written notice by Covered Entity to Business Associate.
m) Business Associate shall within five (5) business days forward such request agrees to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. Howevermake its internal practices, if forwarding the individual’s request to Covered Entity would cause Covered Entity or the Business Associate to violate HIPAA books, and the Privacy records, including policies and Security Ruleprocedures, the Business Associate shall instead respond relating to the individual’s request as required by such law use and notify Covered Entity disclosure of such response as soon as practicable.
n. Within thirty (30) business days of termination of the AgreementProtected Health Information received from, for any reason, the Business Associate shall return or destroy, as specified by Covered Entity, all PHI received from or created or received by the Business Associate in connection on behalf of Covered Entity, available to the Secretary for purposes of determining Covered Entity's compliance with the AgreementPrivacy Rule. Any release of information regarding Business Associate’s practices, books and records is proprietary to Business Associate and shall be treated as confidential and shall not retain any copies or back-ups be further disclosed without the written permission of such PHI in any form or platformBusiness Associate, except as necessary to comply with the HIPAA Rules.
I. If return n) To the extent that Business Associate is to carry out one or destruction is not feasible, or the disposition more of the PHI has been otherwise agreed to in the Agreement, or if retention is governed by state or federal lawCovered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall continue to extend comply with the protections requirements of the Agreement, to such PHI and limit further uses and disclosures of such PHI to those purposes Subpart E that make the return or destruction infeasible for as long as the Business Associate maintains such PHI. If Covered Entity, in its sole discretion, requires that the Business Associate destroy any or all PHI, the Business Associate shall certify apply to Covered Entity that in the PHI has been destroyedperformance of such obligation(s).
Appears in 1 contract
Samples: Business Associate Agreement
Obligations and Activities of Business Associate. a. Business Associate shall implement appropriate safeguards to prevent unauthorized use or disclosure of all PHI in accordance with HIPAA Privacy Rule and Security Rule with regard to electronic PHI, and Part 2, as applicable.
b. The Business Associate shall immediately notify the Covered Entity’s Privacy Officer at the following email address, XXXXXxxxxxxXxxxxxx@xxxx.xx.xxx after the Business Associate has determined that any use or disclosure not provided for by its contract, including any known or suspected privacy or security incident or breach has occurred potentially exposing or compromising the PHI. This includes inadvertent or accidental uses or disclosures or breaches of unsecured protected health information.
c. In the event of a breach, the Business Associate shall comply with the terms of this Business Associate Agreement, all applicable state and federal laws and regulations and any additional requirements of the Agreement.
d. The Business Associate shall perform a risk assessment, based on the information available at the time it becomes aware of any known or suspected privacy or security breach as described above and communicate the risk assessment to the Covered Entity. The risk assessment shall include, but not be limited to:
I. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
II. The unauthorized person who accessed, used, disclosed, or received the protected health information;
III. Whether the protected health information was actually acquired or viewed; and
IV. How the risk of loss of confidentiality to the protected health information has been mitigated.
e. The Business Associate shall complete a risk assessment report at the conclusion of its incident or breach investigation and provide the findings in a written report to the Covered Entity as soon as practicable after the conclusion of the Business Associate’s investigation.
f. Business Associate shall make available all of its internal policies and procedures, books and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity to the US Secretary of Health and Human Services for purposes of determining the Business Associate’s and the Covered Entity’s compliance with HIPAA and the Privacy and Security Rule, and Part 2, if applicable.
g. Business Associate shall require all of its business associates that receive, use or have access to PHI under the BAA to agree in writing to adhere to the same restrictions and conditions on the use and disclosure of PHI contained herein and an agreement that the Covered Entity shall be considered a direct third party beneficiary of all the Business Associate’s business associate agreements.
h. Within ten (10) business days of receipt of a written request from Covered Entity, Business Associate shall make available during normal business hours at its offices all records, books, agreements, policies and procedures relating to the use and disclosure of PHI to the Covered Entity, for purposes of enabling Covered Entity to determine Business Associate’s compliance with the terms of the BAA and the Agreement.
i. Within ten (10) business days of receiving a written request from Covered Entity, Business Associate shall provide access to PHI in a Designated Record Set to the Covered Entity, or as directed by Covered Entity, to an individual in order to meet the requirements under 45 CFR Section 164.524.
j. Within ten (10) business days of receiving a written request from Covered Entity for an amendment of PHI or a record about an individual contained in a Designated Record Set, the Business Associate shall make such PHI available to Covered Entity for amendment and incorporate any such amendment to enable Covered Entity to fulfill its obligations under 45 CFR Section 164.526.
k. Business Associate shall document any disclosures of PHI and information related to any disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.
l. Within ten (10) business days of receiving a written request from Covered Entity for a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill its obligations to provide an accounting of disclosures with respect to PHI in accordance with 45 CFR Section 164.528.
m. In the event any individual requests access to, amendment of, or accounting of PHI directly from the Business Associate, the Business Associate shall within five (5) business days forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or the Business Associate to violate HIPAA and the Privacy and Security Rule, the Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.
n. Within thirty (30) business days of termination of the Agreement, for any reason, the Business Associate shall return or destroy, as specified by Covered Entity, all PHI received from or created or received by the Business Associate in connection with the Agreement, and shall not retain any copies or back-ups of such PHI in any form or platform.
I. If return or destruction is not feasible, or the disposition of the PHI has been otherwise agreed to in the Agreement, or if retention is governed by state or federal law, Business Associate shall continue to extend the protections of the Agreement, to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for as long as the Business Associate maintains such PHI. If Covered Entity, in its sole discretion, requires that the Business Associate destroy any or all PHI, the Business Associate shall certify to Covered Entity that the PHI has been destroyed.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations and Activities of Business Associate. a. 1. Business Associate shall implement appropriate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.
2. Business Associate agrees to employ administrative, physical, and technical safeguards meeting required Security Standards for business associates as Required By Law to prevent unauthorized disclosure or use of PHI other than as allowed by this Agreement.
3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of all PHI held by Business Associate in accordance with HIPAA Privacy Rule and Security Rule with regard to electronic PHI, and Part 2, as applicableviolation of the requirements of this Agreement.
b. The 4. Business Associate shall immediately notify the agrees to report to Covered Entity’s Privacy Officer at the following email address, XXXXXxxxxxxXxxxxxx@xxxx.xx.xxx after the Business Associate has determined that Entity any use or disclosure of the Protected Health Information not provided for by its contract, including any known or suspected privacy or security incident or this Agreement of which it becomes aware.
5. If a breach has occurred potentially exposing or compromising the PHI. This includes inadvertent or accidental uses or disclosures or breaches of unsecured protected health information.
c. In the event of a breachinformation occurs at or by Business Associate, the Business Associate must notify Covered Entity immediately following the discovery of the breach and, in all cases, no later than 5 days from the discovery of the breach. To the extent possible, the Business Associate should provide the Covered Entity with the identification of each individual affected by the breach as well as any information required to be provided by the Covered Entity in its notification to affected individuals. Business Associates shall comply with the terms of this all regulations issued by HHS and applicable state agencies regarding breach notification to Covered Entity.
6. Business Associate Agreement, all applicable state and federal laws and regulations and agrees to ensure that any additional requirements of the Agreement.
d. The Business Associate shall perform a risk assessment, based on the information available at the time it becomes aware of any known or suspected privacy or security breach as described above and communicate the risk assessment to the Covered Entity. The risk assessment shall include, but not be limited to:
I. The nature and extent of the protected health information involvedagent, including the types of identifiers and the likelihood of re-identification;
II. The unauthorized person who accesseda subcontractor, used, disclosed, or received the protected health information;
III. Whether the protected health information was actually acquired or viewed; and
IV. How the risk of loss of confidentiality to the protected health information has been mitigated.
e. The Business Associate shall complete a risk assessment report at the conclusion of its incident or breach investigation and provide the findings in a written report to the Covered Entity as soon as practicable after the conclusion of the Business Associate’s investigation.
f. Business Associate shall make available all of its internal policies and procedures, books and records relating to the use and disclosure of PHI whom it provides Protected Health Information received from, or created or received by the Business Associate on behalf of Covered Entity to the US Secretary of Health and Human Services for purposes of determining the Business Associate’s and the Covered Entity’s compliance with HIPAA and the Privacy and Security Rule, and Part 2, if applicable.
g. Business Associate shall require all of its business associates that receive, use or have access to PHI under the BAA to agree in writing to adhere agrees to the same restrictions and conditions on the use that apply through this Agreement to Business Associate with respect to PHI, including but not limited to implementing reasonable and disclosure of PHI contained herein and an agreement that the appropriate safeguards to protect Covered Entity shall be considered a direct third party beneficiary of all the Business AssociateEntity’s business associate agreementsPHI.
h. Within ten (10) business days 7. Business Associate agrees that if it engages any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of receipt of a written request from Covered Entity, Business Associate shall make available during normal business hours at its offices all records, books, agreements, policies and procedures relating to will enter into a Business Associate Agreement with that agent or subcontractor in the use and disclosure of PHI to same manner as the Covered Entity, for purposes of enabling Covered Entity to determine Business Associate’s compliance with the terms of the BAA and the Agreement.
i. Within ten (10) business days 8. Business Associate agrees, at the request of receiving a written request from Covered Entity, Business Associate shall to provide Covered Entity (or a designate of Covered Entity) access to PHI Protected Health Information in a Designated Record Set to the Covered Entity, or as directed by Covered Entity, to an individual in a prompt commercially reasonable manner in order to meet the requirements under 45 CFR Section §164.524.
j. Within ten (109. Business Associate agrees to make any amendment(s) business days of receiving a written request from Covered Entity for an amendment of PHI or a record about an individual contained to Protected Health Information in a Designated Record SetSet that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity or an Individual, the in a prompt and commercially reasonable manner.
10. Business Associate shall agrees to make such PHI internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or to the Secretary (including official representatives of the Secretary), in a prompt commercially reasonable manner for purposes of determining Covered Entity's compliance with the Privacy Rule.
11. Business Associate shall, upon request with reasonable notice, provide Covered Entity access to its premises for amendment a review and incorporate any such amendment to enable Covered Entity to fulfill demonstration of its obligations under 45 CFR Section 164.526internal practices and procedures for safeguarding PHI.
k. 12. Business Associate shall agrees to document any such disclosures of PHI Protected Health Information and information related to any such disclosures as would be required for Covered Entity to respond to a request by an individual Individual for an accounting of disclosures of PHI Protected Health Information in accordance with 45 CFR Section §164.528.
l. Within ten (10) business days of receiving a written request from 13. Business Associate agrees to provide to Covered Entity for or an Individual, in a prompt commercially reasonable manner, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill its obligations to provide an accounting of disclosures with respect to PHI Protected Health Information in accordance with 45 CFR Section §164.528.
m. In the event any individual requests access to, amendment of, or accounting of PHI directly from the Business Associate, the Business Associate shall within five (5) business days forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or the Business Associate to violate HIPAA and the Privacy and Security Rule, the Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.
n. Within thirty (30) business days of termination of the Agreement, for any reason, the Business Associate shall return or destroy, as specified by Covered Entity, all PHI received from or created or received by the Business Associate in connection with the Agreement, and shall not retain any copies or back-ups of such PHI in any form or platform.
I. If return or destruction is not feasible, or the disposition of the PHI has been otherwise agreed to in the Agreement, or if retention is governed by state or federal law, Business Associate shall continue to extend the protections of the Agreement, to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for as long as the Business Associate maintains such PHI. If Covered Entity, in its sole discretion, requires that the Business Associate destroy any or all PHI, the Business Associate shall certify to Covered Entity that the PHI has been destroyed.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations and Activities of Business Associate. a. Business Associate shall implement appropriate safeguards to prevent unauthorized use or disclosure of all PHI in accordance with HIPAA Privacy Rule and Security Rule with regard to electronic PHI, and Part 2, as applicable.
b. The Business Associate shall immediately notify the Covered Entity’s Privacy Officer at the following email address, XXXXXxxxxxxXxxxxxx@xxxx.xx.xxx after the Business Associate has determined that any use or disclosure not provided for by its contract, including any known or suspected privacy or security incident or breach has occurred potentially exposing or compromising the PHI. This includes inadvertent or accidental uses or disclosures or breaches of unsecured protected health information.
c. In the event of a breach, the Business Associate shall comply with the terms of this Business Associate Agreement, all applicable state and federal laws and regulations and any additional requirements of the Agreement.
d. The Business Associate shall perform a risk assessment, based on the information available at the time it becomes aware of any known or suspected privacy or security breach as described above and communicate the risk assessment to the Covered Entity. The risk assessment shall include, but not be limited to:
I. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
II. The unauthorized person who accessed, used, disclosed, or received the protected health information;
III. Whether the protected health information was actually acquired or viewed; and
IV. How the risk of loss of confidentiality to the protected health information has been mitigated.
e. The Business Associate shall complete a risk assessment report at the conclusion of its incident or breach investigation and provide the findings in a written report to the Covered Entity as soon as practicable after the conclusion of the Business Associate’s investigation.
f. Business Associate shall make available all of its internal policies and procedures, books and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity to the US Secretary of Health and Human Services for purposes of determining the Business Associate’s and the Covered Entity’s compliance with HIPAA and the Privacy and Security Rule, and Part 2, if applicable.
g. Business Associate shall require all of its business associates that receive, use or have access to PHI under the BAA to agree in writing to adhere to the same restrictions and conditions on the use and disclosure of PHI contained herein and an agreement that the Covered Entity shall be considered a direct third party beneficiary of all the Business Associate’s business associate agreements.
h. Within ten (10) business days of receipt of a written request from Covered Entity, Business Associate shall make available during normal business hours at its offices all records, books, agreements, policies and procedures relating to the use and disclosure of PHI to the Covered Entity, for purposes of enabling Covered Entity to determine Business Associate’s compliance with the terms of the BAA and the Agreement.
i. Within ten (10) business days of receiving a written request from Covered Entity, Business Associate shall provide access to PHI in a Designated Record Set to the Covered Entity, or as directed by Covered Entity, to an individual in order to meet the requirements under 45 CFR Section 164.524.
j. Within ten (10) business days of receiving a written request from Covered Entity for an amendment of PHI or a record about an individual contained in a Designated Record Set, the Business Associate shall make such PHI available to Covered Entity for amendment and incorporate any such amendment to enable Covered Entity to fulfill its obligations under 45 CFR Section 164.526.
k. Business Associate shall document any disclosures of PHI and information related to any disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.
l. Within ten (10) business days of receiving a written request from Covered Entity for a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill its obligations to provide an accounting of disclosures with respect to PHI in accordance with 45 CFR Section 164.528.
m. In the event any individual requests access to, amendment of, or accounting of PHI directly from the Business Associate, the Business Associate shall within five (5) business days forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or the Business Associate to violate HIPAA and the Privacy and Security Rule, the Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.
n. Within thirty (30) business days of termination of the Agreement, for any reason, the Business Associate shall return or destroy, as specified by Covered Entity, all PHI received from or created or received by the Business Associate in connection with the Agreement, and shall not retain any copies or back-ups of such PHI in any form or platform.
I. If return or destruction is not feasible, or the disposition of the PHI has been otherwise agreed to in the Agreement, or if retention is governed by state or federal law, Business Associate shall continue to extend the protections of the Agreement, to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for as long as the Business Associate maintains such PHI. If Covered Entity, in its sole discretion, requires that the Business Associate destroy any or all PHI, the Business Associate shall certify to Covered Entity that the PHI has been destroyed.
Appears in 1 contract
Samples: Disability Determinations