Obligations and Activities of Contractor as a Business Associate. A. Contractor agrees not to use or further disclose County PHI other than as permitted or required by this Business Associate Agreement or as required by law.
B. Contractor agrees to use appropriate safeguards and other legally-required
C. Contractor agrees to comply with the HIPAA Security Rule at Subpart C of 45 CFR Part 164 with respect to electronic County PHI.
D. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of County PHI by Contractor in violation of the requirements of this Business Associate Agreement or HIPAA laws.
E. Contractor shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Contractor agree to the same restrictions and conditions that apply through this Business Associate Agreement to Contractor with respect to such information.
F. Contractor agrees to provide access, within ten (10) calendar days of receipt of a written request by County, to PHI in a Designated Record Set, to County or, as directed by County, to an Individual in order to meet the requirements under 45 CFR § 164.524 or any other provision of the HIPAA laws.
G. Contractor agrees to make any amendment(s) to PHI in a Designated Record Set that County directs or agrees to pursuant to 45 CFR § 164.526 at the request of County or an Individual, within fifteen (15) calendar days of receipt of said request by County. Contractor agrees to notify County in writing no later than ten (10) calendar days after said amendment is completed.
H. Contractor agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Contractor on behalf of, County available to County and the Secretary in a time and manner as determined by County or as designated by the Secretary for purposes of the Secretary determining County’s compliance with the HIPAA laws.
I. Contractor agrees to document any Disclosures of County PHI that Contractor creates, receives, maintains, or transmits on behalf of County, and to make information related to such Disclosures available as would be required for County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
J. Contractor agrees to provide County or an Individual, as directed by County, in a time and manner to be determined by County, any information collected in accordance with the Agreement, in order to permit County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with the HIPAA laws.
K. Contractor agrees that to the extent Contractor carries out County’s obligation under the HIPAA laws Contractor will comply with the requirements of the HIPAA laws that apply to County in the performance of such obligation.
L. Contractor shall honor all restrictions consistent with 45 C.F.R. §164.522 that the County or the Individual makes the Contractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
M. Contractor shall train and use reasonable measures to ensure compliance with the requirements of this Business Associate Agreement by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally violate any provisions.
N. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report to County Breaches of County PHI in accordance with the HIPAA laws.
O. Contractor shall notify County within twenty-four (24) hours of discovering any Security Incident, including all data Breaches or compromises of County PHI, however, both parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
(1) A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
(2) Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other Agent of Contractor, as determined by federal or state common law of agency.
(3) Contractor’s initial notification shall be oral and followed by written notification within 24 hours of the oral notification.
(4) Oral notification shall be made to the HIPAA Privacy Officer by calling 000-000-0000 and to the HIPAA Security Officer by calling 000-000-0000. Written notification shall be sent to the following address:
(5) Contractor’s notification shall include, to the extent possible:
(a) The identification of each Individual whose County PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
(b) Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(ii) A description of the types of County PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(iii) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(iv) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.
P. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
Q. In the event that Contractor is responsible for a Breach of County PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with Paragraph O and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
R. Contractor shall maintain documentation of all required notifications to County of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
S. Contractor shall provide County all specific and pertinent information about the Breach, including the information listed above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than ten (10) calendar days after Contractor’s initial notice of the Breach to County.
T. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
U. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
V. Contractor shall train and use effective measures to ensure compliance with the requirements of this Exhibit by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally or repeatedly violate any provisions.
Appears in 10 contracts
Samples: Contract for Behavioral Health Services, Contract for Behavioral Health Services, Contract for Behavioral Health Services
Obligations and Activities of Contractor as a Business Associate. A. a. Contractor agrees not to use or further disclose County PHI other than as permitted or required by this Business Associate Agreement or as required by law.
B. b. Contractor agrees to use appropriate safeguards and other legally-required safeguards to prevent use or disclosure of County PHI other than as provided for by this Business Associate Agreement.
C. c. Contractor agrees to comply with the HIPAA Security Rule at Subpart C of 45 CFR Part 164 with respect to electronic County PHI.
D. d. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of County PHI by Contractor in violation of the requirements of this Business Associate Agreement or HIPAA laws.
E. e. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report Breaches of Unsecured PHI in accordance with the HIPAA laws.
f. Contractor agrees to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Contractor agree to the same restrictions and conditions that apply through this Business Associate Agreement to Contractor with respect to such information.
F. g. Contractor agrees to provide access, within ten (10) calendar days of receipt of a written request by County, to PHI in a Designated Record Set, to County or, as directed by County, to an Individual in order to meet the requirements under 45 CFR § 164.524 or any other provision of the HIPAA laws.
G. h. Contractor agrees to make any amendment(s) to PHI in a Designated Record Set that County directs or agrees to pursuant to 45 CFR § 164.526 at the request of County or an Individual, within fifteen (15) calendar days of receipt of said request by County. Contractor agrees to notify County in writing no later than ten (10) calendar days after said amendment is completed.
H. i. Contractor agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Contractor on behalf of, County available to County and the Secretary in a time and manner as determined by County or as designated by the Secretary for purposes of the Secretary determining County’s compliance with the HIPAA lawsPrivacy Rule.
I. j. Contractor agrees to document any Disclosures of County PHI that or Contractor creates, receives, maintains, or transmits on behalf of County, and to make information related to such Disclosures available as would be required for County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
J. k. Contractor agrees to provide County or an Individual, as directed by County, in a time and manner to be determined by County, any information collected in accordance with the Agreement, in order to permit County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with the HIPAA laws.
K. l. Contractor agrees that to the extent Contractor carries out County’s obligation under the HIPAA laws Privacy and/or Security rules Contractor will comply with the requirements of the HIPAA laws 45 CFR Part 164 that apply to County in the performance of such obligation.
L. m. Contractor shall honor all restrictions consistent work with 45 C.F.R. §164.522 that the County or the Individual makes the Contractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
M. Contractor shall train and use reasonable measures to ensure compliance with the requirements of this Business Associate Agreement by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally violate any provisions.
N. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report to County Breaches of County PHI in accordance with the HIPAA laws.
O. Contractor shall notify County within twenty-four (24) hours of discovering any Security Incident, including all data Breaches or compromises of County PHI, however, both parties agree to a delay in the upon notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
(1) A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
(2) Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other Agent of Contractor, as determined by federal or state common law of agency.
(3) Contractor’s initial notification shall be oral and followed by written notification within 24 hours of the oral notification.
(4) Oral notification shall be made to the HIPAA Privacy Officer by calling 000-000-0000 and to the HIPAA Security Officer by calling 000-000-0000. Written notification shall be sent to the following address:
(5) Contractor’s notification shall include, to the extent possible:
(a) The identification of each Individual whose County PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
(b) Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(ii) A description of the types of County PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(iii) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(iv) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.
P. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
Q. In the event that Contractor is responsible for a Breach of County PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with Paragraph O and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
R. Contractor shall maintain documentation of all required notifications to County of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a properly determine if any Breach did not occurexclusions exist.
S. Contractor shall provide County all specific and pertinent information about the Breach, including the information listed above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than ten (10) calendar days after Contractor’s initial notice of the Breach to County.
T. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
U. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
V. Contractor shall train and use effective measures to ensure compliance with the requirements of this Exhibit by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally or repeatedly violate any provisions.
Appears in 5 contracts
Samples: Contract for Behavioral Health Services, Contract for Behavioral Health Services, Contract for Behavioral Health Services
Obligations and Activities of Contractor as a Business Associate. A. Contractor agrees not to use or further disclose County PHI other than as permitted or required by this Business Associate Agreement or as required by law.
B. Contractor agrees to use appropriate safeguards and other legally-required safeguards to prevent use or disclosure of County PHI other than as provided for by this Business Associate Agreement.
C. Contractor agrees to comply with the HIPAA Security Rule at Subpart C of 45 CFR Part 164 with respect to electronic County PHI.
D. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of County PHI by Contractor in violation of the requirements of this Business Associate Agreement or HIPAA laws.
E. Contractor shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Contractor agree to the same restrictions and conditions that apply through this Business Associate Agreement to Contractor with respect to such information.
F. Contractor agrees to provide access, within ten (10) calendar days of receipt of a written request by County, to PHI in a Designated Record Set, to County or, as directed by County, to an Individual in order to meet the requirements under 45 CFR § 164.524 or any other provision of the HIPAA laws.
G. Contractor agrees to make any amendment(s) to PHI in a Designated Record Set that County directs or agrees to pursuant to 45 CFR § 164.526 at the request of County or an Individual, within fifteen (15) calendar days of receipt of said request by County. Contractor agrees to notify County in writing no later than ten (10) calendar days after said amendment is completed.
H. Contractor agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Contractor on behalf of, County available to County and the Secretary in a time and manner as determined by County or as designated by the Secretary for purposes of the Secretary determining County’s compliance with the HIPAA laws.
I. Contractor agrees to document any Disclosures of County PHI that Contractor creates, receives, maintains, or transmits on behalf of County, and to make information related to such Disclosures available as would be required for County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
J. Contractor agrees to provide County or an Individual, as directed by County, in a time and manner to be determined by County, any information collected in accordance with the Agreement, in order to permit County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with the HIPAA laws.
K. Contractor agrees that to the extent Contractor carries out County’s obligation under the HIPAA laws Contractor will comply with the requirements of the HIPAA laws that apply to County in the performance of such obligation.
L. Contractor shall honor all restrictions consistent with 45 C.F.R. §164.522 that the County or the Individual makes the Contractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
M. Contractor shall train and use reasonable measures to ensure compliance with the requirements of this Business Associate Agreement by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally violate any provisions.
N. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report to County Breaches of County PHI in accordance with the HIPAA laws.
O. Contractor shall notify County within twenty-four (24) hours of discovering any Security Incident, including all data Breaches or compromises of County PHI, however, both parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
(1) A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
(2) Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other Agent of Contractor, as determined by federal or state common law of agency.
(3) Contractor’s initial notification shall be oral and followed by written notification within 24 hours of the oral notification.
(4) Oral notification shall be made to the HIPAA Privacy Officer by calling 000805-000781-0000 5500 and to the HIPAA Security Officer by calling 000-000-0000. Written notification shall be sent to the following address:
(5) Contractor’s notification shall include, to the extent possible:
(a) The identification of each Individual whose County PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
(b) Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(ii) A description of the types of County PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(iii) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(iv) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.
P. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
Q. In the event that Contractor is responsible for a Breach of County PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with Paragraph O and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
R. Contractor shall maintain documentation of all required notifications to County of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
S. Contractor shall provide County all specific and pertinent information about the Breach, including the information listed above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than ten (10) calendar days after Contractor’s initial notice of the Breach to County.
T. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
U. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
V. Contractor shall train and use effective measures to ensure compliance with the requirements of this Exhibit by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally or repeatedly violate any provisions.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations and Activities of Contractor as a Business Associate. A. Contractor agrees not to use or further disclose County PHI other than as permitted or required by this Business Associate Agreement or as required by law.
B. Contractor agrees to use appropriate safeguards and other legally-required safeguards to prevent use or disclosure of County PHI other than as provided for by this Business Associate Agreement.
C. Contractor agrees to comply with the HIPAA Security Rule at Subpart C of 45 CFR Part 164 with respect to electronic County PHI.
D. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of County PHI by Contractor in violation of the requirements of this Business Associate Agreement or HIPAA laws.
E. Contractor shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Contractor agree to the same restrictions and conditions that apply through this Business Associate Agreement to Contractor with respect to such information.
F. Contractor agrees to provide access, within ten (10) calendar days of receipt of a written request by County, to PHI in a Designated Record Set, to County or, as directed by County, to an Individual in order to meet the requirements under 45 CFR § 164.524 or any other provision of the HIPAA laws.
G. Contractor agrees to make any amendment(s) to PHI in a Designated Record Set that County directs or agrees to pursuant to 45 CFR § 164.526 at the request of County or an Individual, within fifteen (15) calendar days of receipt of said request by County. Contractor agrees to notify County in writing no later than ten (10) calendar days after said amendment is completed.
H. Contractor agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Contractor on behalf of, County available to County and the Secretary in a time and manner as determined by County or as designated by the Secretary for purposes of the Secretary determining County’s compliance with the HIPAA laws.
I. Contractor agrees to document any Disclosures of County PHI that Contractor creates, receives, maintains, or transmits on behalf of County, and to make information related to such Disclosures available as would be required for County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
J. Contractor agrees to provide County or an Individual, as directed by County, in a time and manner to be determined by County, any information collected in accordance with the Agreement, in order to permit County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with the HIPAA laws.
K. Contractor agrees that to the extent Contractor carries out County’s obligation under the HIPAA laws Contractor will comply with the requirements of the HIPAA laws that apply to County in the performance of such obligation.
L. Contractor shall honor all restrictions consistent with 45 C.F.R. §164.522 that the County or the Individual makes the Contractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
M. Contractor shall train and use reasonable measures to ensure compliance with the requirements of this Business Associate Agreement by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally violate any provisions.
N. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report to County Breaches of County PHI in accordance with the HIPAA laws.
O. Contractor shall notify County within twenty-four (24) hours of discovering any Security Incident, including all data Breaches or compromises of County PHI, however, both parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
(1) A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
(2) Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other Agent of Contractor, as determined by federal or state common law of agency.
(3) Contractor’s initial notification shall be oral and followed by written notification within 24 hours of the oral notification.
(4) Oral notification shall be made to the HIPAA Privacy Officer by calling 000-000-0000 and to the HIPAA Security Officer by calling 000-000-0000. Written notification shall be sent to the following address: HIPAA Privacy Officer
(5) Contractor’s notification shall include, to the extent possible:
(a) The identification of each Individual whose County PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
(b) Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(ii) A description of the types of County PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(iii) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(iv) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.
P. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
Q. In the event that Contractor is responsible for a Breach of County PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with Paragraph O and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
R. Contractor shall maintain documentation of all required notifications to County of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
S. Contractor shall provide County all specific and pertinent information about the Breach, including the information listed above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than ten (10) calendar days after Contractor’s initial notice of the Breach to County.
T. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
U. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
V. Contractor shall train and use effective measures to ensure compliance with the requirements of this Exhibit by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally or repeatedly violate any provisions.
Obligations and Activities of Contractor as a Business Associate. A. Contractor agrees not to use or further disclose County PHI other than as permitted or required by this Business Associate Agreement or as required by law.
B. Contractor agrees to use appropriate safeguards and other legally-required
C. Contractor agrees to comply with the HIPAA Security Rule at Subpart C of 45 CFR Part 164 with respect to electronic County PHI.
D. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of County PHI by Contractor in violation of the requirements of this Business Associate Agreement or HIPAA laws.
E. Contractor shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Contractor agree to the same restrictions and conditions that apply through this Business Associate Agreement to Contractor with respect to such information.
F. Contractor agrees to provide access, within ten (10) calendar days of receipt of a written request by County, to PHI in a Designated Record Set, to County or, as directed by County, to an Individual in order to meet the requirements under 45 CFR § 164.524 or any other provision of the HIPAA laws.
G. Contractor agrees to make any amendment(s) to PHI in a Designated Record Set that County directs or agrees to pursuant to 45 CFR § 164.526 at the request of County or an Individual, within fifteen (15) calendar days of receipt of said request by County. Contractor agrees to notify County in writing no later than ten (10) calendar days after said amendment is completed.
H. Contractor agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Contractor on behalf of, County available to County and the Secretary in a time and manner as determined by County or as designated by the Secretary for purposes of the Secretary determining County’s compliance with the HIPAA laws.
I. Contractor agrees to document any Disclosures of County PHI that Contractor creates, receives, maintains, or transmits on behalf of County, and to make information related to such Disclosures available as would be required for County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
J. Contractor agrees to provide County or an Individual, as directed by County, in a time and manner to be determined by County, any information collected in accordance with the Agreement, in order to permit County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with the HIPAA laws.
K. Contractor agrees that to the extent Contractor carries out County’s obligation under the HIPAA laws Contractor will comply with the requirements of the HIPAA laws that apply to County in the performance of such obligation.
L. Contractor shall honor all restrictions consistent with 45 C.F.R. §164.522 that the County or the Individual makes the Contractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
M. Contractor shall train and use reasonable measures to ensure compliance with the requirements of this Business Associate Agreement by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally violate any provisions.
N. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report to County Breaches of County PHI in accordance with the HIPAA laws.
O. Contractor shall notify County within twenty-four (24) hours of discovering any Security Incident, including all data Breaches or compromises of County PHI, however, both parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
(1) A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
(2) Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other Agent of Contractor, as determined by federal or state common law of agency.
(3) Contractor’s initial notification shall be oral and followed by written notification within 24 hours of the oral notification.
(4) Oral notification shall be made to the HIPAA Privacy Officer by calling 000-000-0000 and to the HIPAA Security Officer by calling 000-000-0000. Written notification shall be sent to the following address:
(5) Contractor’s notification shall include, to the extent possible:
(a) The identification of each Individual whose County PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
(b) Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(ii) A description of the types of County PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(iii) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(iv) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.
P. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
Q. In the event that Contractor is responsible for a Breach of County PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with Paragraph O and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
R. Contractor shall maintain documentation of all required notifications to County of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
S. Contractor shall provide County all specific and pertinent information about the Breach, including the information listed above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than ten (10) calendar days after Contractor’s initial notice of the Breach to County.
T. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
U. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
V. Contractor shall train and use effective measures to ensure compliance with the requirements of this Exhibit by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally or repeatedly violate any provisions.
Obligations and Activities of Contractor as a Business Associate. A. Contractor agrees not to use or further disclose County PHI other than as permitted or required by this Business Associate Agreement or as required by law.
B. Contractor agrees to use appropriate safeguards and other legally-required safeguards to prevent use or disclosure of County PHI other than as provided for by this Business Associate Agreement.
C. Contractor agrees to comply with the HIPAA Security Rule at Subpart C of 45 CFR Part 164 with respect to electronic County PHI.
D. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of County PHI by Contractor in violation of the requirements of this Business Associate Agreement or HIPAA laws.
E. Contractor shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Contractor agree to the same restrictions and conditions that apply through this Business Associate Agreement to Contractor with respect to such information.
F. Contractor agrees to provide access, within ten (10) calendar days of receipt of a written request by County, to PHI in a Designated Record Set, to County or, as directed by County, to an Individual in order to meet the requirements under 45 CFR § 164.524 or any other provision of the HIPAA laws.
G. Contractor agrees to make any amendment(s) to PHI in a Designated Record Set that County directs or agrees to pursuant to 45 CFR § 164.526 at the request of County or an Individual, within fifteen (15) calendar days of receipt of said request by County. Contractor agrees to notify County in writing no later than ten (10) calendar days after said amendment is completed.
H. Contractor agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Contractor on behalf of, County available to County and the Secretary in a time and manner as determined by County or as designated by the Secretary for purposes of the Secretary determining County’s compliance with the HIPAA laws.
I. Contractor agrees to document any Disclosures of County PHI that Contractor creates, receives, maintains, or transmits on behalf of County, and to make information related to such Disclosures available as would be required for County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
J. Contractor agrees to provide County or an Individual, as directed by County, in a time and manner to be determined by County, any information collected in accordance with the Agreement, in order to permit County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with the HIPAA laws.
K. Contractor agrees that to the extent Contractor carries out County’s obligation under the HIPAA laws Contractor will comply with the requirements of the HIPAA laws that apply to County in the performance of such obligation.
L. Contractor shall honor all restrictions consistent with 45 C.F.R. §164.522 that the County or the Individual makes the Contractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
M. Contractor shall train and use reasonable measures to ensure compliance with the requirements of this Business Associate Agreement by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally violate any provisions.
N. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report to County Breaches of County PHI in accordance with the HIPAA laws.
O. Contractor shall notify County within twenty-four (24) hours of discovering any Security Incident, including all data Breaches or compromises of County PHI, however, both parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
(1) A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
(2) Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other Agent of Contractor, as determined by federal or state common law of agency.
(3) Contractor’s initial notification shall be oral and followed by written notification within 24 hours of the oral notification.
(4) Oral notification shall be made to the HIPAA Privacy Officer by calling 000-000-0000 and to the HIPAA Security Officer by calling 000-000-0000Xxx Xxxxx, Administrative Director of Behavioral Health. Written notification shall be sent to the following address: Sierra County Behavioral Health Attention: Xxx Xxxxx, Administrative Director of Behavioral Health PO Box 265 Loyalton, CA 96118
(5) Contractor’s notification shall include, to the extent possible:
(a) The identification of each Individual whose County PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
(b) Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(ii) A description of the types of County PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(iii) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(iv) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.
P. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
Q. In the event that Contractor is responsible for a Breach of County PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with Paragraph O and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
R. Contractor shall maintain documentation of all required notifications to County of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
S. Contractor shall provide County all specific and pertinent information about the Breach, including the information listed above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than ten (10) calendar days after Contractor’s initial notice of the Breach to County.
T. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
U. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
V. Contractor shall train and use effective measures to ensure compliance with the requirements of this Exhibit by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally or repeatedly violate any provisions.
Obligations and Activities of Contractor as a Business Associate. A. Contractor agrees not to use or further disclose County PHI other than as permitted or required by this Business Associate Agreement or as required by law.
B. Contractor agrees to use appropriate safeguards and other legally-required safeguards to prevent use or disclosure of County PHI other than as provided for by this Business Associate Agreement.
C. Contractor agrees to comply with the HIPAA Security Rule at Subpart C of 45 CFR Part 164 with respect to electronic County PHI.
D. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of County PHI by Contractor in violation of the requirements of this Business Associate Agreement or HIPAA laws.
E. Contractor shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Contractor agree to the same restrictions and conditions that apply through this Business Associate Agreement to Contractor with respect to such information.
F. Contractor agrees to provide access, within ten (10) calendar days of receipt of a written request by County, to PHI in a Designated Record Set, to County or, as directed by County, to an Individual in order to meet the requirements under 45 CFR § 164.524 or any other provision of the HIPAA laws.
G. Contractor agrees to make any amendment(s) to PHI in a Designated Record Set that County directs or agrees to pursuant to 45 CFR § 164.526 at the request of County or an Individual, within fifteen (15) calendar days of receipt of said request by County. Contractor agrees to notify County in writing no later than ten (10) calendar days after said amendment is completed.
H. Contractor agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Contractor on behalf of, County available to County and the Secretary in a time and manner as determined by County or as designated by the Secretary for purposes of the Secretary determining County’s compliance with the HIPAA laws.
I. Contractor agrees to document any Disclosures of County PHI that Contractor creates, receives, maintains, or transmits on behalf of County, and to make information related to such Disclosures available as would be required for County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
J. Contractor agrees to provide County or an Individual, as directed by County, in a time and manner to be determined by County, any information collected in accordance with the Agreement, in order to permit County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with the HIPAA laws.
K. Contractor agrees that to the extent Contractor carries out County’s obligation under the HIPAA laws Contractor will comply with the requirements of the HIPAA laws that apply to County in the performance of such obligation.
L. Contractor shall honor all restrictions consistent with 45 C.F.R. §164.522 that the County or the Individual makes the Contractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
M. Contractor shall train and use reasonable measures to ensure compliance with the requirements of this Business Associate Agreement by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally violate any provisions.
N. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report to County Breaches of County PHI in accordance with the HIPAA laws.
O. Contractor shall notify County within twenty-four (24) hours of discovering any Security Incident, including all data Breaches or compromises of County PHI, however, both parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
(1) A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
(2) Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other Agent of Contractor, as determined by federal or state common law of agency.
(3) Contractor’s initial notification shall be oral and followed by written notification within 24 hours of the oral notification.
(4) Oral notification shall be made to the HIPAA Privacy Officer by calling 000805-000-0000 781- 4788 and to the HIPAA Security Officer by calling 000-000-0000. Written notification shall be sent to the following address:
(5) Contractor’s notification shall include, to the extent possible:
(a) The identification of each Individual whose County PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
(b) Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(ii) A description of the types of County PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(iii) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(iv) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.
P. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
Q. In the event that Contractor is responsible for a Breach of County PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with Paragraph O and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
R. Contractor shall maintain documentation of all required notifications to County of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
S. Contractor shall provide County all specific and pertinent information about the Breach, including the information listed above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than ten (10) calendar days after Contractor’s initial notice of the Breach to County.
T. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
U. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
V. Contractor shall train and use effective measures to ensure compliance with the requirements of this Exhibit by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally or repeatedly violate any provisions.
Obligations and Activities of Contractor as a Business Associate. A. Contractor agrees not to use or further disclose County PHI other than as permitted or required by this Business Associate Agreement or as required by law.
B. Contractor agrees to use appropriate safeguards and other legally-required safeguards to prevent use or disclosure of County PHI other than as provided for by this Business Associate Agreement.
C. Contractor agrees to comply with the HIPAA Security Rule at Subpart C of 45 CFR Part 164 with respect to electronic County PHI.
D. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of County PHI by Contractor in violation of the requirements of this Business Associate Agreement or HIPAA laws.
E. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report Breaches of Unsecured PHI in accordance with the HIPAA laws.
F. Contractor agrees to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Contractor agree to the same restrictions and conditions that apply through this Business Associate Agreement to Contractor with respect to such information.
G. Contractor agrees to provide access, within ten (10) calendar days of receipt of a written request by County, to PHI in a Designated Record Set, to County or, as directed by County, to an Individual in order to meet the requirements under 45 CFR § 164.524 or any other provision of the HIPAA laws.
G. H. Contractor agrees to make any amendment(s) to PHI in a Designated Record Set that County directs or agrees to pursuant to 45 CFR § 164.526 at the request of County or an Individual, within fifteen (15) calendar days of receipt of said request by County. Contractor agrees to notify County in writing no later than ten (10) calendar days after said amendment is completed.
H. I. Contractor agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Contractor on behalf of, County available to County and the Secretary in a time and manner as determined by County or as designated by the Secretary for purposes of the Secretary determining County’s compliance with the HIPAA lawsPrivacy Rule.
I. J. Contractor agrees to document any Disclosures of County PHI that or Contractor creates, receives, maintains, or transmits on behalf of County, and to make information related to such Disclosures available as would be required for County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
J. K. Contractor agrees to provide County or an Individual, as directed by County, in a time and manner to be determined by County, any information collected in accordance with the Agreement, in order to permit County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with the HIPAA laws.
K. L. Contractor agrees that to the extent Contractor carries out County’s obligation under the HIPAA laws Privacy and/or Security rules Contractor will comply with the requirements of the HIPAA laws 45 CFR Part 164 that apply to County in the performance of such obligation.
L. Contractor shall honor all restrictions consistent with 45 C.F.R. §164.522 that the County or the Individual makes the Contractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
M. Contractor shall train and use reasonable measures to ensure compliance work with the requirements of this Business Associate Agreement by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally violate any provisions.
N. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report to County Breaches of County PHI in accordance with the HIPAA laws.
O. Contractor shall notify County within twenty-four (24) hours of discovering any Security Incident, including all data Breaches or compromises of County PHI, however, both parties agree to a delay in the upon notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
(1) A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
(2) Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other Agent of Contractor, as determined by federal or state common law of agency.
(3) Contractor’s initial notification shall be oral and followed by written notification within 24 hours of the oral notification.
(4) Oral notification shall be made to the HIPAA Privacy Officer by calling 000-000-0000 and to the HIPAA Security Officer by calling 000-000-0000. Written notification shall be sent to the following address:
(5) Contractor’s notification shall include, to the extent possible:
(a) The identification of each Individual whose County PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
(b) Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(ii) A description of the types of County PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(iii) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(iv) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.
P. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
Q. In the event that Contractor is responsible for a Breach of County PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with Paragraph O and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
R. Contractor shall maintain documentation of all required notifications to County of a Breach or its risk assessment under 45 CFR § 164.402 to properly determine if any Breach exclusions exist.
S. Contractor shall provide County all specific and pertinent information about the Breach, including the information listed above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than ten (10) calendar days after Contractor’s initial notice of the Breach to County.
T. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
U. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
V. Contractor shall train and use effective measures to ensure compliance with the requirements of this Exhibit by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally or repeatedly violate any provisions.
Obligations and Activities of Contractor as a Business Associate. a. Contractor agrees not to use or further disclose County PHI other than as permitted or required by this Business Associate Agreement or as required by law.
b. Contractor agrees to use appropriate safeguards and other legally required safeguards to prevent use or disclosure of County PHI other than as provided for by this Business Associate Agreement.
c. Contractor agrees to comply with the HIPAA Security Rule at Subpart C of 45 CFR Part 164 with respect to electronic County PHI.
d. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of County PHI by Contractor in violation of the requirements of this Business Associate Agreement or HIPAA laws.
e. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report Breaches of Unsecured PHI in accordance with the HIPAA laws.
f. Contractor agrees to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Contractor agree to the same restrictions and conditions that apply through this Business Associate Agreement to Contractor with respect to such information.
g. Contractor agrees to provide access, within ten (10) calendar days of receipt of a written request by County, to PHI in a Designated Record Set, to County or, as directed by County, to an Individual in order to meet the requirements under 45 CFR § 164.524 or any other provision of the HIPAA laws.
h. Contractor agrees to make any amendment(s) to PHI in a Designated Record Set that County directs or agrees to pursuant to 45 CFR § 164.526 at the request of County or an Individual, within fifteen (15) calendar days of receipt of said request by County. Contractor agrees to notify County in writing no later than ten (10) calendar days after said amendment is completed.
i. Contractor agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Contractor on behalf of, County available to County and the Secretary in a time and manner as determined by County or as designated by the Secretary for purposes of the Secretary determining County’s compliance with the HIPAA Privacy Rule.
j. Contractor agrees to document any Disclosures of County PHI that or Contractor creates, receives, maintains, or transmits on behalf of County, and to make information related to such Disclosures available as would be required for County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
k. Contractor agrees to provide County or an Individual, as directed by County, in a time and manner to be determined by County, any information collected in accordance with the Agreement, in order to permit County to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with the HIPAA laws.
l. Contractor agrees that to the extent Contractor carries out County’s obligation under the HIPAA Privacy and/or Security Rules Contractor will comply with the requirements of 45 CFR Part 164 that apply to County in the performance of such obligation.
L. m. Contractor shall honor all restrictions consistent work with 45 C.F.R. §164.522 that the County or the Individual makes the Contractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
M. Contractor shall train and use reasonable measures to ensure compliance with the requirements of this Business Associate Agreement by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally violate any provisions.
N. Contractor agrees to report to County immediately any Use or Disclosure of PHI not provided for by this Business Associate Agreement of which Contractor becomes aware. Contractor must report to County Breaches of County PHI in accordance with the HIPAA laws.
O. Contractor shall notify County within twenty-four (24) hours of discovering any Security Incident, including all data Breaches or compromises of County PHI, however, both parties agree to a delay in the upon notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
(1) A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
(2) Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other Agent of Contractor, as determined by federal or state common law of agency.
(3) Contractor’s initial notification shall be oral and followed by written notification within 24 hours of the oral notification.
(4) Oral notification shall be made to the HIPAA Privacy Officer by calling 000-000-0000 and to the HIPAA Security Officer by calling 000-000-0000. Written notification shall be sent to the following address:
(5) Contractor’s notification shall include, to the extent possible:
(a) The identification of each Individual whose County PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
(b) Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(ii) A description of the types of County PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(iii) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(iv) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.
P. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
Q. In the event that Contractor is responsible for a Breach of County PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with Paragraph O and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
R. Contractor shall maintain documentation of all required notifications to County of a Breach or its risk assessment under 45 CFR § 164.402 to properly determine if any Breach exclusions exist.
S. Contractor shall provide County all specific and pertinent information about the Breach, including the information listed above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than ten (10) calendar days after Contractor’s initial notice of the Breach to County.
T. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
U. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
V. Contractor shall train and use effective measures to ensure compliance with the requirements of this Exhibit by employees who assist in the performance of functions or activities on behalf of County under this Contract and use or disclose protected information; and discipline employees who intentionally or repeatedly violate any provisions.
TMHA - 65Now Homeless Services Contract# C003 2020