Obligations of Business Associate. Business Associate agrees:
A. Not to use or disclose Protected Health Information other than (i) as permitted or required by this BAA, (ii) as permitted or required to perform its obligations pursuant to the Agreements, or (iii) as Required by Law.
B. To use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent the use or disclosure of PHI other than as provided for by this BAA.
C. To mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
D. To report to the appropriate Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware and any Successful Security Incident of which Business Associate becomes aware. For purposes of this BAA, a “Successful Security Incident” is any Security Incident that results in unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information of Covered Entity. The parties further stipulate and agree that this paragraph constitutes notice by Business Associate to Covered Entity with respect to any “Unsuccessful Security Incident,” which is defined for purposes of this BAA as any Security Incident that is not a Successful Security Incident. Covered Entity and Business Associate agree that reporting of Unsuccessful Security Incidents are too numerous to be meaningful or helpful and therefore this BAA constitutes the report from Business Associate that these incidents occur.
E. In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI. If Business Associate becomes aware of a pattern or practice by the subcontractor that violates such agreement, Business Associate shall take steps to cure the breach or end the violation. If efforts to cure the breach or end the violation are not successful, Business Associate shall terminate its arrangement with the subcontractor, if feasible. If not feasible, Business Associate shall notify Covered Entity of the breach or violation.
F. To make available, at the request of Covered Entity, and in the form and format designated by such Covered Entity, PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to the requesting Individual or such Individual’s designee, within the time period necessary to meet the requirements under 45 CFR § 164.524; provided, however, that this Section II.F is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
G. To make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526; provided, however, that this Section II.G is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
H. To make applicable internal practices, books and records available to the Secretary or his designee for purposes of the Secretary's determining Business Associate’s compliance with the HIPAA Rules.
I. To maintain and make available upon request by Covered Entity the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.
J. Without unreasonable delay and in no case later than sixty (60) days following discovery by Business Associate (except as otherwise required under 45 CFR §164.412), Business Associate will notify Covered Entity in writing of any Breach of Unsecured Protected Health Information. Business Associate shall provide Covered Entity, to the extent known, the identity of each Individual whose Unsecured Protected Health Information has, or is reasonably believed by Business Associate, to have been affected by the Breach. In addition, Business Associate shall provide to Covered Entity, either at the time it provides notice to Covered Entity of the Breach or promptly thereafter as information becomes available, any other information that Covered Entity is required to include in its notification to an Individual under 45 CFR §164.404(c).
K. In the event Business Associate transmits or receives a Transaction on behalf of Covered Entity, it shall comply with all provisions of the Electronic Transactions Rule to the extent applicable.
L. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
M. In its performance of the functions, activities, services, and operations for Covered Entity, Business Associate agrees to make only the minimum necessary uses and disclosures and requests for Protected Health Information.
N. Business Associate shall not engage in the Sale of Protected Health Information or otherwise directly or indirectly receive direct or indirect remuneration in exchange for the disclosure of Protected Health Information of an Individual, unless Covered Entity or Business Associate has obtained a valid authorization from the Individual, consistent with the requirements under 45 CFR §164.508.
Appears in 2 contracts
Samples: Employee Benefits Fee for Services Agreement, Employee Benefits Fee for Services Agreement
Obligations of Business Associate. (a) Business Associate agrees:
A. Not agrees not to use or disclose Protected Health Information other than (i) as permitted or required by this BAA, (ii) Business Associate Agreement or as permitted or required to perform its obligations pursuant to the Agreements, or (iii) as Required by By Law.
B. To (b) Business Associate agrees to use appropriate safeguards, and to comply with Subpart C of 45 CFR Part 164 the Security Rule with respect to Electronic Protected Health Information, to prevent the use or disclosure of PHI Protected Health Information other than as provided for by this BAABusiness Associate Agreement.
C. To (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI Protected Health Information by the Business Associate in violation of the requirements of this BAABusiness Associate Agreement.
D. To (d) Business Associate agrees to report to the appropriate Covered Entity any use or disclosure of PHI Protected Health Information not provided for by this BAA Business Associate Agreement of which it becomes aware aware, including breaches of unsecured Protected Health Information and any Successful Security Incident of which it becomes aware. Notwithstanding the foregoing, Covered Entity acknowledges that this Business Associate becomes awareAgreement constitutes notice of all Unsuccessful Security Incidents. For purposes of this BAABusiness Associate Agreement, “Unsuccessful Security Incidents” include without limitation: (i) “pings” (a “Successful Security Incident” request-response utility used to determine whether a specific Internet Protocol (IP) address, or host, exists or is accessible); (ii) port scans; (iii) malware (such as viruses and worms) that is detected and eradicated prior to having any Security Incident effect on the relevant information system; (iv) attempts to log on to the information system or enter a database containing Protected Health Information with an invalid password or username; and (v) denial-of-service attacks that do not result in an information system server being taken off-line; so long as no such incident results in a potential unauthorized access, useUse, disclosureDisclosure, modification, or destruction of Electronic Protected Health Information of Covered Entity. The parties further stipulate and agree that this paragraph constitutes notice by Business Associate to Covered Entity with respect to any “Unsuccessful Security Incident,” which is defined for purposes of this BAA as any Security Incident that is not a Successful Security Incident. Covered Entity and Business Associate agree that reporting of Unsuccessful Security Incidents are too numerous to be meaningful or helpful and therefore this BAA constitutes the report from Business Associate that these incidents occur.
E. In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI. If Business Associate becomes aware of a pattern or practice by the subcontractor that violates such agreement, Business Associate shall take steps to cure the breach or end the violation. If efforts to cure the breach or end the violation are not successful, Business Associate shall terminate its arrangement with the subcontractor, if feasible. If not feasible, Business Associate shall notify Covered Entity of the breach or violation.
F. To make available, at the request of Covered Entity, and in the form and format designated by such Covered Entity, PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to the requesting Individual or such Individual’s designee, within the time period necessary to meet the requirements under 45 CFR § 164.524; provided, however, that this Section II.F is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
G. To make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526; provided, however, that this Section II.G is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
H. To make applicable internal practices, books and records available to the Secretary or his designee for purposes of the Secretary's determining Business Associate’s compliance with the HIPAA Rules.
I. To maintain and make available upon request by Covered Entity the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.
J. Without unreasonable delay and in no case later than sixty (60) days following discovery by Business Associate (except as otherwise required under 45 CFR §164.412), Business Associate will notify Covered Entity in writing of any Breach of Unsecured Protected Health Information. Business Associate shall provide Covered Entity, to the extent known, the identity of each Individual whose Unsecured Protected Health Information has, or is reasonably believed by Business Associate, to have been affected by the Breach. In addition, Business Associate shall provide to Covered Entity, either at the time it provides notice to Covered Entity of the Breach or promptly thereafter as information becomes available, any other information that Covered Entity is required to include in its notification to an Individual under 45 CFR §164.404(c).
K. In the event Business Associate transmits or receives a Transaction on behalf of Covered Entity, it shall comply with all provisions of the Electronic Transactions Rule to the extent applicable.
L. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
M. In its performance of the functions, activities, services, and operations for Covered Entity, Business Associate agrees to make only the minimum necessary uses and disclosures and requests for Protected Health Information.
N. Business Associate shall not engage in the Sale of Protected Health Information or otherwise directly or indirectly receive direct or indirect remuneration in exchange for the disclosure of Protected Health Information of interference with an Individual, unless Covered Entity or Business Associate has obtained a valid authorization from the Individual, consistent with the requirements under 45 CFR §164.508information system.
Appears in 1 contract
Samples: Participating Pharmacy Agreement (Wellgistics Health, Inc.)
Obligations of Business Associate. Business Associate agrees:
A. Not to use or disclose Protected Health Information other than (i) as permitted or required by this BAA, (ii) as permitted or required to perform its obligations pursuant to the Agreements, or (iii) as Required by Law.
B. To implement and maintain appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent the use or disclosure of PHI other than as provided for by this BAA.
C. To mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
D. To report to the appropriate Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, and any Successful Security Incident of which Business Associate becomes aware. For purposes of this BAA, a “Successful Security Incident” is any Security Incident that results in unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information of Covered Entity. The parties further stipulate and agree that this paragraph constitutes notice by Business Associate to Covered Entity with respect to any “Unsuccessful Security Incident,” which is defined for purposes of this BAA as any Security Incident that is not a Successful Security Incident. Covered Entity and Business Associate agree that reporting of Unsuccessful Security Incidents are too numerous to be meaningful or helpful and therefore, this BAA constitutes the report from Business Associate that these incidents occur.
E. In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI. If Business Associate becomes aware of a pattern or practice by the subcontractor that violates such agreement, Business Associate shall take steps to cure the breach or end the violation. If efforts to cure the breach or end the violation are not successful, Business Associate shall terminate its arrangement with the subcontractor, if feasible. If not feasible, Business Associate shall notify Covered Entity of the breach or violation.
F. To make available, at the request of Covered Entity, and in the form and format designated by such Covered Entity, PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to the requesting Individual or such Individual’s designee, within the time period necessary to meet the requirements under 45 CFR § 164.524; provided, however, that this Section II.F is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
G. To make any necessary amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526; provided, however, that this Section II.G is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
H. To make applicable internal practices, books and records available to the Secretary or his designee for purposes of the Secretary's determining Business Associate’s compliance with the HIPAA Rules.
I. To maintain and make available upon request by Covered Entity the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.
J. Without unreasonable delay and in no case later than sixty (60) days following discovery by Business Associate (except as otherwise required under 45 CFR §164.412), Business Associate will notify Covered Entity in writing of any Breach of Unsecured Protected Health Information. Business Associate shall provide Covered Entity, to the extent known, the identity of each Individual whose Unsecured Protected Health Information has, or is reasonably believed by Business Associate, to have been affected by the Breach. In addition, Business Associate shall provide to Covered Entity, either at the time it provides notice to Covered Entity of the Breach or promptly thereafter as information becomes available, any other information that Covered Entity is required to include in its notification to an Individual under 45 CFR §164.404(c).
K. In the event Business Associate transmits or receives a Transaction on behalf of Covered Entity, it shall comply with all provisions of the Electronic Transactions Rule to the extent applicable.
L. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
M. In its performance of the functions, activities, services, and operations for Covered Entity, Business Associate agrees to make only the minimum necessary uses and disclosures and requests for Protected Health Information.
N. Business Associate shall not engage in the Sale of Protected Health Information or otherwise directly or indirectly receive direct or indirect remuneration in exchange for the disclosure of Protected Health Information of an Individual, unless Covered Entity or Business Associate has obtained a valid authorization from the Individual, consistent with the requirements under 45 CFR §164.508.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations of Business Associate. (a) Business Associate agrees:
A. Not to will not use or disclose Protected Health Information PHI other than (i) as permitted or required by this BAA, (ii) as permitted BAA or required to perform its obligations pursuant to the Agreements, or (iii) as Required by Law.
B. To (b) Business Associate will use appropriate safeguards, including without limitation, administrative, physical and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Informationtechnical safeguards, to prevent the use or disclosure Disclosure of PHI other than as provided for by this BAABAA and to reasonably and appropriately employ the same standards as Required by Law, to, protect the confidentiality, integrity and availability of any E-PHI that it may receive, maintain or transmit on behalf of the Covered Entity.
C. To mitigate, to the extent practicable, any harmful effect that is known to (c) Business Associate agrees, following the discovery of a any breach, use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
D. To report to the appropriate Covered Entity any use or disclosure of unsecured PHI not provided for by authorized under this BAA of which it becomes aware and any Successful Security Incident of which Business Associate becomes aware. For purposes of this BAA, a “Successful Security Incident” is or any Security Incident that results in involving successful unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information PHI (“Successful Security Incident”), to notify Covered Entity of Covered Entitysuch breach, use or disclosure of unsecured PHI not authorized under this BAA or any Successful Security Incident without unreasonable delay and at least within 10 business days of discovery. The parties further stipulate and agree that For purposes of this paragraph constitutes notice paragraph, a breach or unauthorized use or Disclosure of PHI shall be treated as discovered by Business Associate as of the first day on which such breach or unauthorized use or disclosure is known to Covered Entity with respect Business Associate or, by exercising reasonable diligence, should have been known to any “Unsuccessful Security Incident,” which Business Associate. Notice is defined hereby deemed provided, and no further notice will be required, for purposes unsuccessful attempts at such unauthorized access, use, disclosure, modification or destruction, such as pings and other broadcast attacks on a firewall, denial of this BAA as any Security Incident that service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not a Successful Security Incident. Covered Entity and Business Associate agree that reporting compromised, or any combination of Unsuccessful Security Incidents are too numerous to be meaningful or helpful and therefore this BAA constitutes the report from Business Associate that these incidents occurabove.
E. (d) In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to Business Associate shall ensure that any subcontractor subcontractors that createscreate, receivesreceive, maintains maintain, or transmits Protected Health Information transmit PHI on behalf of Business Associate agrees agree to the same restrictions restrictions, conditions, and conditions requirements that apply through this BAA to the Business Associate with respect to such PHI. If information.
(e) To the extent (if any) that Business Associate becomes aware of maintains a pattern or practice by the subcontractor that violates such agreementDesignated Record Set for Covered Entity, Business Associate shall take steps agrees to cure the breach or end the violation. If efforts to cure the breach or end the violation are not successful, Business Associate shall terminate its arrangement with the subcontractor, if feasible. If not feasible, Business Associate shall notify Covered Entity of the breach or violation.
F. To make availableprovide access, at the written request of Covered Entity, and in the form time and format manner designated by such Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to the requesting Individual or such Individual’s designee, within the time period necessary in order to meet the requirements under 45 CFR § 164.524; provided, however, that this Section II.F is applicable only to the extent .
(f) Business Associate is required agrees to maintain a Designated Record Set for the particular make Covered Entity’s PHI available to Covered Entity pursuant to the terms of the Agreements.
G. To make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity may require to fulfill Covered Entity’s obligations to amend PHI pursuant to 45 CFR § 164.526, . The amendment of an individual’s PHI and all decisions related thereto shall be the responsibility of Covered Entity.
(g) Business Associate shall maintain or make available the information required to take other measures provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526; provided, however, that this Section II.G is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
H. To make applicable internal practices, books and records available to the Secretary or his designee for purposes of the Secretary's determining Business Associate’s compliance with the HIPAA Rules.
I. To maintain and make available upon request by Covered Entity the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.
J. Without unreasonable delay and in no case later than sixty (60h) days following discovery by Business Associate (except as otherwise required under 45 CFR §164.412), Business Associate will notify Covered Entity in writing of any Breach of Unsecured Protected Health Information. Business Associate shall provide Covered Entity, to the extent known, the identity of each Individual whose Unsecured Protected Health Information has, or is reasonably believed by Business Associate, to have been affected by the Breach. In addition, Business Associate shall provide to Covered Entity, either at the time it provides notice to Covered Entity of the Breach or promptly thereafter as information becomes available, any other information that Covered Entity is required to include in its notification to an Individual under 45 CFR §164.404(c).
K. In the event Business Associate transmits or receives a Transaction on behalf of Covered Entity, it shall comply with all provisions of the Electronic Transactions Rule to the extent applicable.
L. To the extent the Business Associate is to carry out one or more of Covered Entity's ’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s);
(i) Business Associate will make books and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services (“Secretary”) or his designee, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with Privacy Standards; provided, however, that nothing in this BAA waives or limits the attorney/client privilege, the attorney work product doctrine, or other applicable privileges or protections.
M. In its performance of the functions, activities, services, and operations for Covered Entity, (j) Business Associate agrees to make only will not sell PHI without appropriate authorization unless an exemption under the minimum necessary uses and disclosures and requests for Protected Health InformationHITECH Act Section 13405(d) applies.
N. Business Associate shall not engage in the Sale of Protected Health Information or otherwise directly or indirectly receive direct or indirect remuneration in exchange for the disclosure of Protected Health Information of an Individual, unless Covered Entity or Business Associate has obtained a valid authorization from the Individual, consistent with the requirements under 45 CFR §164.508.
Appears in 1 contract
Samples: Px Technology Terms and Conditions
Obligations of Business Associate. (a) Business Associate agrees:
A. Not to will not use or disclose Protected Health Information PHI other than (i) as permitted or required by this BAAAgreement or as required by law.
(b) Business Associate will implement administrative, (ii) as permitted or required to perform its obligations pursuant to physical, and technical safeguards that reasonably and appropriately protect the Agreementsconfidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or (iii) transmits on behalf of Covered Entity as Required required by Law.
B. To use appropriate safeguardsthe HIPAA Standards, and to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate will comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent the use or disclosure of PHI other than as provided for by this BAAelectronic PHI.
C. To (c) Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAAAgreement.
D. To report to the appropriate Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware and any Successful Security Incident of which Business Associate becomes aware. For purposes of this BAA, a “Successful Security Incident” is any Security Incident that results in unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information of Covered Entity. The parties further stipulate and agree that this paragraph constitutes notice by Business Associate to Covered Entity with respect to any “Unsuccessful Security Incident,” which is defined for purposes of this BAA as any Security Incident that is not a Successful Security Incident. Covered Entity and Business Associate agree that reporting of Unsuccessful Security Incidents are too numerous to be meaningful or helpful and therefore this BAA constitutes the report from Business Associate that these incidents occur.
E. In accordance with 45 CFR §§164.502(e)(1)(ii(d) and 164.308(b)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI. If Business Associate becomes aware of a pattern or practice by the subcontractor that violates such agreement, Business Associate shall take steps to cure the breach or end the violation. If efforts to cure the breach or end the violation are not successful, Business Associate shall terminate its arrangement with the subcontractor, if feasible. If not feasible, Business Associate shall notify Covered Entity of the breach or violation.
F. To make available, at the request of Covered Entity, and in the form and format designated by such Covered Entity, PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to the requesting Individual or such Individual’s designee, within the time period necessary to meet the requirements under 45 CFR § 164.524; provided, however, that this Section II.F is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
G. To make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526; provided, however, that this Section II.G is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
H. To make applicable internal practices, books and records available to the Secretary or his designee for purposes of the Secretary's determining Business Associate’s compliance with the HIPAA Rules.
I. To maintain and make available upon request by Covered Entity the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.
J. Without unreasonable delay and in no case later than sixty (60) days following discovery by Business Associate (except as otherwise required under 45 CFR §164.412), Business Associate will notify Covered Entity in writing of any Breach of Unsecured Protected Health Information. Business Associate shall provide Covered Entity, to the extent known, the identity of each Individual whose Unsecured Protected Health Information has, or is reasonably believed by Business Associate, to have been affected by the Breach. In addition, Business Associate shall provide to Covered Entity, either at the time it provides notice to Covered Entity of the Breach or promptly thereafter as information becomes available, any other information that Covered Entity is required to include in its notification to an Individual under 45 CFR §164.404(c).
K. In the event Business Associate transmits or receives a Transaction on behalf of Covered Entity, it shall comply with all provisions of the Electronic Transactions Rule to the extent applicable.
L. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, Business Associate will comply with the requirements of 45 CFR Part 164, Subpart E that apply to Covered Entity in the performance of such obligations.
(e) Business Associate will report to Covered Entity (i) any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, and (ii) any security incident (as defined in 45 CFR § 164.304) of which it becomes aware. Business Associate will notify Covered Entity of any breach of unsecured PHI, as defined in 45 CFR § 164.402, without unreasonable delay and in no case later than 10 calendar days after Business Associate discovers the breach.
1 This document is provided for discussion purposes only and does not constitute legal advice from Xxxxx & Xxxxxxxxx, P.C. The reader is instructed not to use this document until this document is reviewed, revised as necessary, and approved by the reader’s attorney.
(f) Business Associate will ensure that any agent, including a subcontractor, that receives PHI from Business Associate, or creates, receives, maintains, or transmits PHI on behalf of Business Associate, agrees to the same restrictions, conditions and requirements that apply to Business Associate with respect to such PHI, and agrees to implement reasonable and appropriate safeguards to protect the security and privacy of such PHI, by entering into an agreement with Business Associate that meets the applicable requirements of the HIPAA Standards.
(g) Business Associate will make books and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services (“Secretary”) or the Secretary’s designee, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Standards.
(h) At Covered Entity’s request, Business Associate will make available PHI in Business Associate’s possession to enable Covered Entity to respond to a request by an individual for access to PHI in accordance with 45 CFR § 164.524.
(i) At Covered Entity’s request, Business Associate will make available PHI in Business Associate’s possession for amendment, and will incorporate any amendments to PHI, in accordance with 42 CFR § 164.526.
(j) Business Associate will maintain and will provide to Covered Entity on request such documentation of disclosures of PHI as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Upon receipt of a request for an accounting directly from an individual, Business Associate will provide to the individual an accounting of disclosures made by Business Associate containing the information described in 42 CFR § 164.528.
Obligations of Business Associate. Business Associate agrees:
A. Not to use or disclose Protected Health Information other than (i) as permitted or required by this BAA, (ii) as permitted or required to perform its obligations pursuant to the Agreements, or (iii) as Required by Law.
B. To use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent the use or disclosure of PHI other than as provided for by this BAA.
C. To mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
D. To report to the appropriate Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, and any Successful Security Incident of which Business Associate becomes aware. For purposes of this BAA, a “Successful Security Incident” is any Security Incident that results in unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information of Covered Entity. The parties further stipulate and agree that this paragraph constitutes notice by Business Associate to Covered Entity with respect to any “Unsuccessful Security Incident,” which is defined for purposes of this BAA as any Security Incident that is not a Successful Security Incident. Covered Entity and Business Associate agree that reporting of Unsuccessful Security Incidents are too numerous to be meaningful or helpful and therefore this BAA constitutes the report from Business Associate that these incidents occur.
E. In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains, or transmits Protected Health Information on behalf of Business Associate agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI. If Business Associate becomes aware of a pattern or practice by the subcontractor that violates such agreement, Business Associate shall take steps to cure the breach or end the violation. If efforts to cure the breach or end the violation are not successful, Business Associate shall terminate its arrangement with the subcontractor, if feasible. If not feasible, Business Associate shall notify Covered Entity of the breach or violation.
F. To make available, at the request of Covered Entity, and in the form and format designated by such Covered Entity, PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to the requesting Individual or such Individual’s designee, within the time period necessary to meet the requirements under 45 CFR § 164.524; provided, however, that this Section II.F is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
G. To make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526; provided, however, that this Section II.G is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
H. To make applicable internal practices, books and records available to the Secretary or his designee for purposes of the Secretary's determining Business Associate’s compliance with the HIPAA Rules.
I. To maintain and make available upon request by Covered Entity the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.
J. Without unreasonable delay and in no case later than sixty (60) days following discovery by Business Associate (except as otherwise required under 45 CFR §164.412), Business Associate will notify Covered Entity in writing of any Breach of Unsecured Protected Health Information. Business Associate shall provide Covered Entity, to the extent known, the identity of each Individual whose Unsecured Protected Health Information has, or is reasonably believed by Business Associate, to have been affected by the Breach. In addition, Business Associate shall provide to Covered Entity, either at the time it provides notice to Covered Entity of the Breach or promptly thereafter as information becomes available, any other information that Covered Entity is required to include in its notification to an Individual under 45 CFR §164.404(c).
K. In the event Business Associate transmits or receives a Transaction on behalf of Covered Entity, it shall comply with all provisions of the Electronic Transactions Rule to the extent applicable.
L. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
M. In its performance of the functions, activities, services, and operations for Covered Entity, Business Associate agrees to make only the minimum necessary uses and disclosures and requests for Protected Health Information.
N. Business Associate shall not engage in the Sale of Protected Health Information or otherwise directly or indirectly receive direct or indirect remuneration in exchange for the disclosure of Protected Health Information of an Individual, unless Covered Entity or Business Associate has obtained a valid authorization from the Individual, consistent with the requirements under 45 CFR §164.508.
Obligations of Business Associate. Business Associate agrees:
A. Not to use or disclose Protected Health Information other than (i) as permitted or required by this BAA, (ii) as permitted or required to perform its obligations pursuant to the Agreements, or (iii) as Required by Law.
B. To use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent the use or disclosure of PHI other than as provided for by this BAA.
C. To mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
D. To report to the appropriate Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware and any Successful Security Incident of which Business Associate becomes aware. For purposes of this Business Associate Agreement, a “Successful Security Incident” is any Security Incident that results in unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information of Covered Entity. The parties further stipulate and agree that this paragraph constitutes notice by Business Associate to Covered Entity with respect to any “Unsuccessful Security Incident,” which is defined for purposes of this Business Associate Agreement as any Security Incident that is not a Successful Security Incident. Covered Entity and Business Associate agree that reporting of Unsuccessful Security Incidents are too numerous to be meaningful or helpful and therefore this Agreement constitutes the report from Business Associate that these incidents occur.
E. In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI. If Business Associate becomes aware of a pattern or practice by the subcontractor that violates such agreement, Business Associate shall take steps to cure the breach or end the violation. If efforts to cure the breach or end the violation are not successful, Business Associate shall terminate its arrangement with the subcontractor, if feasible. If not feasible, Business Associate shall notify Covered Entity of the breach or violation.
F. To make available, at the request of Covered Entity, and in the form and format designated by such Covered Entity, PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to the requesting Individual or such Individual’s designee, within the time period necessary to meet the requirements under 45 CFR § 164.524; provided, however, that this Section II.G is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
G. To make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526; provided, however, that this Section II.H is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.
H. To make applicable internal practices, books and records available to the Secretary or his designee for purposes of the Secretary's determining Business Associate’s compliance with the HIPAA Rules.
I. To maintain and make available upon request by Covered Entity the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.
J. Without unreasonable delay and in no case later than sixty (60) days following discovery by Business Associate (except as otherwise required under 45 CFR §164.412), Business Associate will notify Covered Entity in writing of any Breach of Unsecured Protected Health Information. Business Associate shall provide Covered Entity, to the extent known, the identity of each Individual whose Unsecured Protected Health Information has, or is reasonably believed by Business Associate, to have been affected by the Breach. In addition, Business Associate shall provide to Covered Entity, either at the time it provides notice to Covered Entity of the Breach or promptly thereafter as information becomes available, any other information that Covered Entity is required to include in its notification to an Individual under 45 CFR §164.404(c).
K. In the event Business Associate transmits or receives a Transaction on behalf of Covered Entity, it shall comply with all provisions of the Electronic Transactions Rule to the extent applicable.
L. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
M. In its performance of the functions, activities, services, and operations for Covered Entity, Business Associate agrees to make only the minimum necessary uses and disclosures and requests for Protected Health Information.
N. Business Associate shall not engage in the Sale of Protected Health Information or otherwise directly or indirectly receive direct or indirect remuneration in exchange for the disclosure of Protected Health Information of an Individual, unless Covered Entity or Business Associate has obtained a valid authorization from the Individual, consistent with the requirements under 45 CFR §164.508.