Obligations of Business Associate. As an express condition of performing Business Associate Functions, Business Associate agrees to:
a. Not Use or Disclose PHI other than as permitted or required by this Agreement or as otherwise Required by Law.
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent Use or Disclosure of PHI other than as provided for in this Agreement.
c. Report to the Plan's designated privacy official, without unreasonable delay but in no event more than three (3) business days after discovery by Business Associate, any Use or Disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware, together with any remedial or mitigating action taken or proposed to be taken with respect thereto. If Business Associate does not have available complete information in satisfaction of 45 CFR 164.410(c) within three (3) business days of discovery of the impermissible Use or Disclosure, Business Associate shall provide all information it has at such time, and immediately update the Plan with additional information as it becomes available through prompt investigation. This Agreement serves as Business Associate's notice to the Plan that attempted but unsuccessful Security Incidents regularly occur and that no further notice will be made by Business Associate unless there has been a successful Security Incident or attempts or patterns of attempts that Business Associate determines to be suspicious. Business Associate shall cooperate with the Plan in mitigating any harmful effects of any impermissible Use or Disclosure. In the case of a Breach as determined to exist in the sole discretion of the Plan which was due to a violation of this Agreement by Business Associate, Business Associate shall pay for the reasonable costs of investigation, mitigation and notification to affected Individuals. As an alternative to Business Associate reimbursing Company and the Plan for the costs of notification, the Plan may elect to have Business Associate directly provide the notifications to Individuals for breaches caused by Business Associate, provided that Company and the Plan shall have final approval of all content of notifications to Individuals.
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
e. Within ten (10) business days of request by an Individual or notification by the Plan, make available to the Individual such Individual's PHI maintained by Business Associate in a Designated Record Set in accordance with 45 CFR 164.524. The parties agree that Individuals will be directed to Business Associate to make all requests for access to PHI. Business Associate will provide such access according to its own procedures for such access in accordance with the requirements of 45 CFR 164.524. If the requested PHI is maintained in one or more Designated Record Sets electronically and if the Individual requests an electronic copy of such PHI, Business Associate must provide the Individual with access to PHI in the electronic form and format requested by the Individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to between Business Associate and the Individual. Business Associate shall provide the requested information directly to the Individual, along with a notice to the Individual that a copy of the Individual's request has been furnished to the Plan and that the Plan may provide additional information to the Individual in response to the request. If the Individual's request covers records not maintained by Business Associate, Business Associate shall notify the Plan within three (3) days of the request. The Plan will be responsible for providing access or otherwise responding directly to the Individual pursuant to the HIPAA Rules with respect to PHI not in the possession of Business Associate or an agent or subcontractor of Business Associate. Business Associate may charge the Individual reasonable fees related to this access, as determined by Business Associate, but only in such amounts as permitted by the HIPAA Rules. The Plan authorizes Business Associate to require payment of such fees from the Individual prior to releasing any records.
f. Business Associate agrees to receive requests for amendment and amend PHI as required by 45 CFR 164.526 on the Plan's behalf for as long as such information is maintained by Business Associate. The parties agree that Individuals will be directed to Business Associate to make all such requests for amendment of PHI. Business Associate will amend such PHI according to its own procedures for such amendment in accordance with the requirements of 45 CFR 164.526. If the Individual's request covers records not maintained by Business Associate, Business Associate shall notify the Plan within three (3) days of such request. The Plan will be responsible for amending or otherwise responding directly to the Individual pursuant to the HIPAA Rules with respect to PHI not in the possession of Business Associate or an agent or contractor of Business Associate. Business Associate shall notify the Plan of any amendments made to PHI.
g. Business Associate agrees to process all requests for disclosure accounting by Individuals for as long as such information is maintained by Business Associate. Individuals will be directed to Business Associate to make all such requests. Business Associate will provide the accounting that is required under 45 CFR 164.528 on the Plan's behalf directly to the Individual. Business Associate will provide such accounting according to its own procedures for such accounting in accordance with the requirements of 45 CFR 164.528. Business Associate shall notify the Plan within three (3) days of any request made by an Individual for a disclosure accounting. The Plan will be responsible for responding directly to the Individual (or the Individual's personal representative) pursuant to 45 CFR 164.528 with respect to disclosures of PHI by persons or entities other than Business Associate or a subcontractor or agent of Business Associate. Business Associate shall provide directly to the Individual the requested accounting of disclosures made by Business Associate or a subcontractor or agent of Business Associate, along with a notice to the Individual that a copy of the Individual's request has been furnished to the Plan and that the Plan may provide additional information to the Individual in response to the request.
h. Make its internal practices, books and records relating to this Agreement available to the Secretary of HHS and to the Plan for purposes of determining the Plan's and Business Associate's compliance with the HIPAA Rules.
i. So that the Plan may meet its obligations to evaluate requests for restrictions and confidential communications in connection with the disclosure of PHI under 45 CFR 164.522, Business Associate and the Plan agree that, to the extent that communications are within the control of Business Associate, Business Associate will perform these evaluations on behalf of the Plan. Business Associate will evaluate such requests according to its own procedures for such requests, in accordance with the requirements of 45 CFR 164.522, and shall implement such appropriate operational steps as are required by its own procedures. Such evaluation will not relieve the Plan of any additional and independent obligations to evaluate restrictions or implement confidential communications where requested by an Individual. Accordingly, Business Associate will evaluate requests for restrictions and requests for confidential communications, and will respond to these requests as appropriate under Business Associate's procedures. The Plan agrees that it will not agree to such restriction or request that would affect Business Associate without the approval of Business Associate, so that Business Associate can determine whether it can reasonably administer the request.
j. So that the Plan may meet its obligation to evaluate complaints from Individuals regarding their privacy rights or privacy practices of the Plan or Business Associate, the parties agree that Individuals shall be directed to submit any such complaint to Business Associate for review and evaluation. Business Associate will evaluate such complaints according to its own procedures for complaints, and shall implement appropriate operational steps as are required by its own procedures. The Privacy Officer of the Plan shall cooperate with Business Associate in the evaluation of any such complaint. Business Associate shall provide a copy of all complaints to the Plan within three (3) days of receipt by Business Associate. If the complaint appears to involve handling of PHI by the Plan, Plan Sponsor, or other Business Associate of the Plan, Business Associate shall notify the Plan and it shall be the Plan's responsibility to review and evaluate the complaint.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Business Associate Functions. Business Associate shall comply with any additional requirements for the determination of Minimum Necessary as are required from time to time by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Business Associate is expressly obligated under the Services Agreements to carry out one or more of the Plan's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Plan in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for the Business Associate's own management and administration or to carry out the legal responsibilities of Business Associate, Business Associate shall not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by the Plan.
Obligations of Business Associate. As an express condition of performing Business Associate Functions, Business Associate agrees to:
a. Not Use or Disclose PHI other than as permitted or required by this Agreement or as otherwise Required by Law.
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent Use or Disclosure of PHI other than as provided for in this Agreement.
c. Report to Covered Entity's designated privacy official, without unreasonable delay but in no event more than three (3) business days after discovery by Business Associate, any Use or Disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware, together with any remedial or mitigating action taken or proposed to be taken with respect thereto. If Business Associate does not have available complete information in satisfaction of 45 CFR 164.410(c) within three (3) business days of discovery of the impermissible Use or Disclosure, Business Associate shall provide all information it has at such time, and immediately update Covered Entity with additional information as it becomes available through prompt investigation. This BAA serves as Business Associate's notice to Covered Entity that attempted but unsuccessful Security Incidents regularly occur and that no further notice will be made by Business Associate unless there has been a successful Security Incident or attempts or patterns of attempts that Business Associate determines to be suspicious. Business Associate shall cooperate with Covered Entity in mitigating, at its sole expense, any harmful effects of any impermissible Use or Disclosure.
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
e. Within five (5) business days of notification by Covered Entity, make available to Covered Entity such Individual's PHI maintained by Business Associate in a Designated Record Set in accordance with 45 CFR 164.524. If the requested PHI is maintained in one or more Designated Record Sets electronically and if the Individual requests an electronic copy of such PHI, Business Associate must provide Covered Entity with access to the PHI in the electronic form and format requested by the Individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to between Covered Entity and the Individual and within the technical capability of Business Associate. Business Associate will report any request for access that it receives directly from an Individual to Covered Entity within five (5) business days of receipt. Covered Entity will determine any appropriate limitations on such access and the parties will determine a reasonable method for providing such access.
f. Notify Covered Entity within five (5) business days of any request by an Individual to amend PHI maintained by Business Associate in a Designated Record Set, direct the requesting Individual to Covered Entity for handling of such request, and promptly incorporate any amendment accepted by Covered Entity and communicated to Business Associate. Business Associate is not authorized to independently agree to any amendment of PHI and shall direct all Individuals to Covered Entity to make any such request.
g. Maintain a record of those Disclosures of PHI by Business Associate or its agents or Subcontractors which are subject to the Individual's right to an accounting under 45 CFR 164.528 and, within five (5) business days of notification by Covered Entity, report such Disclosures to Covered Entity in a form permitting Covered Entity to respond to an Individual's request for an accounting. Business Associate is not authorized to independently respond to an Individual's request for an accounting and shall direct all Individuals to Covered Entity to make any such request.
h. Make its internal practices, books and records relating to this Agreement available to the Secretary of HHS and to Covered Entity for purposes of determining Covered Entity's and Business Associate's compliance with the HIPAA Rules.
i. Comply with any voluntary restriction on Use or Disclosure of PHI under 45 CFR 164.522(a) of the HIPAA Rules when accepted by Covered Entity and communicated to Business Associate. Business Associate shall direct Individuals to Covered Entity to make any such request.
j. Comply with any reasonable requests by Individuals under 45 CFR 164.522(b) to receive communications of PHI by alternative means or at alternate locations when accepted by Covered Entity and communicated to Business Associate. Business Associate shall direct Individuals to Covered Entity to make any such request.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Business Associate Function. Business Associate shall comply with any additional requirements for the determination of Minimum Necessary as are required from time to time by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Business Associate is expressly obligated under the Services Agreements to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for the Business Associate's own management and administration or to carry out the legal responsibilities of Business Associate, Business Associate shall not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity.
n. Business Associate shall not receive remuneration, either directly or indirectly in exchange for PHI, except as may be permitted by HIPAA.
o. Where applicable, Business Associate acknowledges that in receiving, storing, processing, or otherwise using any information from the alcohol/drug programs about the clients of a federally assisted program that requires compliance with Part 2, it is fully bound by the provisions of the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.
Obligations of Business Associate. As an express condition of performing the Services, Business Associate agrees to and acknowledges the following:
Business Associate is directly subject to HIPAA's Privacy and Security Rule pursuant to the HITECH Act, the requirements of which are incorporated by reference herein. Business Associate shall use and disclose PHI only as permitted or required by this Agreement, or as otherwise required by law. Business Associate shall use appropriate technical, physical, and administrative safeguards to prevent use or disclosure of PHI other than as provided for in this Agreement.
Business Associate shall report to Covered Entity's designated information security officer, within one (1) business day of discovery by Business Associate, any security incident as defined by § 164.304 of the Regulations and any use or disclosure of PHI not provided for in this Agreement, including any breaches of unsecured PHI, together with all the information required by § 164.410(c) of the Regulations and any remedial or mitigating action taken or proposed to be taken with respect thereto. Business Associate shall cooperate with Covered Entity in mitigating any harmful effects of any such unauthorized disclosure.
Business Associate shall provide individuals with access to and copies of their PHI maintained in designated record sets, and limit fees therefor, pursuant to § 164.524 of the Regulations. Business Associate shall notify Covered Entity within five (5) business days of any request by an individual to amend PHI maintained by Business Associate, direct the requesting individual to Covered Entity for handling of such request, cooperate with Covered Entity in the handling of such request, and incorporate any amendment accepted by Covered Entity in accordance with § 164.526 of the Regulations. Business Associate is not authorized to independently agree to any amendment of PHI unless authorized in writing by Covered Entity on a case-by-case basis. Business Associate shall log or otherwise track those disclosures of PHI by Business Associate which are subject to the individual's right to an accounting under § 164.528 of the Regulations, and report such disclosures to Covered Entity in the form and manner specified by Covered Entity from time to time.
Business Associate shall make its internal practices, books and records relating to the use and/or disclosure of PHI and/or safeguards available to the Secretary of Health and Human Services or his or her designee for purposes of determining Covered Entity's compliance with the Privacy Rule and/or the Security Rule.
Business Associate shall return to Covered Entity or destroy (and not retain a copy) all PHI in its possession, upon the termination of the Agreement(s) or as soon as such PHI is no longer needed by Business Associate to perform its responsibilities thereunder, whichever comes first, and require its agents and contractors to do likewise. To the extent that return or destruction is not feasible, the protections of this Agreement shall remain in effect for so long as Business Associate or its agents or contractors have possession of or access to such PHI, and Business Associate agrees to limit further uses and disclosures of PHI to those purposes which make return or destruction infeasible.
In accordance with §§ 164.502(e)(1)(ii) and 164.308(b)(2) of the Regulations, as applicable, Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree in writing to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. It is the direct responsibility of Business Associate to create a Business Associate Agreement with all subcontractors as stated in § 164.314(a)(2)(iii) of the Regulations. Business Associate shall execute and deliver a chain of trust partner agreement, trading partner agreement, or business associate agreement as and when required by Covered Entity in accordance with the requirements of 45 CFR 164.526.
j. So that the Plan may meet its obligation to evaluate complaints from Individuals regarding their privacy rights or privacy practices of the Plan or Business Associate, the parties agree that Individuals shall be directed to submit any such complaint to Business Associate for review and evaluation. Business Associate will evaluate such complaints according to its own procedures for complaints, and shall implement appropriate operation steps as are required by its own procedures. The Privacy Officer of the Plan shall cooperate with Business Associate in the evaluation of any such complaint. Business Associate shall provide a copy of all complaints to the Plan within three (3) days of receipt by Business Associate. If the complaint appears to involve handling of PHI by the Plan, Plan Sponsor, or other Business Associate of the Plan, Business Associate shall notify the Plan and it shall be the Plan's responsibility to review and evaluate the complaint.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Business Associate FunctionsHIPAA. Business Associate shall comply with any additional requirements for the determination voluntary restriction on use or disclosure of Minimum Necessary as are required from time to time PHI accepted by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Business Associate is expressly obligated Covered Entity under the Services Agreements to carry out one or more § 164.522(a) of the Plan's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply Regulations which is properly communicated to the Plan in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for the Business Associate's own management and administration or to carry out the legal responsibilities of Business Associate, . Business Associate shall not Use comply with any reasonable requests by individuals under § 164.522(b) of the Regulations to receive communications of PHI by alternative means or Disclose PHI in a manner that would violate the HIPAA Rules if done at alternate locations, whether communicated to Business Associate or directly by the Planindividual. Establish, maintain and update, in accordance with the Identity Theft Rules promulgated by the Federal Trade Commission (16 C.F.R. Part 681), reasonable policies and procedures designed to: (1) detect and prevent identity theft and/or medical identity theft (“Red Flags”); (2) promptly report to Covered Entity the occurrence of any Red Flags; and (3) take appropriate steps to prevent or mitigate identity theft and/or medical identity theft. Disclose to its subcontractors, agents or other third parties, and request from the Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder. Implement administrative safeguards, physical safeguards, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI as required by the Security Rule, and ensure that any agent and subcontractor to whom Business Associate provides ePHI agrees to implement reasonable and appropriate safeguards to protect ePHI.
Appears in 2 contracts
Samples: Business Associate Agreement, Business Associate Agreement
Obligations of Business Associate.
A. Business Associate shall comply with the use and disclosure provisions of the Privacy Rule in performing its obligations under any agreement for services with Covered Entity and to not use or disclose PHI other than as permitted or required under this Agreement or as otherwise Required by Law.
B. Business Associate shall implement and use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
C. Business Associate shall implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, and to otherwise comply with the Security Rule in performing Business Associate’s obligations under this Agreement.
D. Business Associate shall use best efforts to secure PHI to make it unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in its annual guidance issued under section 13402(h) of the HITECH Act, codified at 42 U.S.C. § 17932(h).
E. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
F. Business Associate shall, as soon as reasonably practicable and in no event later than sixty (60) days of discovery of the same, report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including, but not limited to, any Security Incident and any unauthorized acquisition, access, use, or disclosure of PHI.
G. Business Associate shall develop policies and procedures to both detect and report Breaches of PHI to the Covered Entity. Copies of such policies and procedures shall be made available to the Covered Entity upon the Covered Entity’s Request.
H. Business Associate shall, following the discovery of a Breach of PHI, notify Covered Entity of such Breach.
1. Business Associate shall provide initial notice of the Breach as soon as reasonably practicable and in no event later than sixty (60) days after the discovery of the Breach. A Breach shall be treated as discovered as of the first day on which the Breach is known to the Business Associate.
2. The initial notice shall include, to the extent possible, the identification of each individual whose PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall make best efforts to collect and provide to Covered Entity as soon as possible any such information that Business Associate is unable to provide in the initial notice.
I. Business Associate shall, following notification to Covered Entity of a Breach of PHI, cooperate with Covered Entity in providing any and all information required for Covered Entity to comply with the breach notification provisions of section 13402 of the HITECH Act and the implementing regulations set forth in Subpart D of the Privacy Rule (45 C.F.R. § 164.400 et seq.) and any other applicable breach notification laws and regulations of which Business Associate is informed of by Covered Entity.
J. Business Associate shall enter into legally binding agreements with each of its subcontractors and agents to ensure that any subcontractor agent to whom Business Associate provides PHI received from, or created or received by, Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
K. For purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule and Security Rule, Business Associate shall make available to the Secretary, in a time and manner designated by the Secretary, its internal practices, books, and records (including policies and procedures), relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity.
f. Business Associate agrees to receive requests for amendment and amend PHI as required by 45 CFR 164.526 on the Plan's behalf for as long as such information is maintained by Business Associate. The parties agree that Individuals will be directed to Business Associate to make all such requests for amendment of PHI. Business Associate will amend such PHI according to its own procedures for such amendment in accordance with the requirements of 45 CFR 164.526. If the Individual's request covers records not maintained by Business Associate, Business Associate shall notify the Plan within three (3) days of such request. The Plan will be responsible for amending or otherwise responding directly to the Individual pursuant to the HIPAA Rules with respect to PHI not in the possession of Business Associate or an agent or contractor of Business Associate. Business Associate shall notify the Plan of any amendments made to PHI.
g. Business Associate agrees to process all requests for disclosure accounting by Individuals for as long as such information is maintained by Business Associate. Individuals will be directed to Business Associate to make all such requests. Business Associate will provide the accounting that is required under 45 CFR 164.528 on the Plan's behalf directly to the Individual. Business Associate will provide such accounting according to its own procedures for such accounting in accordance with the requirements of 45 CFR 164.528. Business Associate shall notify the Plan within three (3) days of any request made by an Individual for a disclosure accounting. The Plan will be responsible for responding directly to the Individual (or the Individual's personal representative) pursuant to 45 CFR 164.528 with respect to disclosures of PHI by persons or entities other than Business Associate or a subcontractor or agent of Business Associate. Business Associate shall provide directly to the Individual the requested accounting of disclosures made by Business Associate or a subcontractor or agent of Business Associate, along with a notice to the Individual that a copy of the Individual's request has been furnished to the Plan and that the Plan may provide additional information to the Individual in response to the request.
h. Make its internal practices, books and records relating to this Agreement available to the Secretary of HHS and to the Plan for purposes of determining the Plan's and Business Associate's compliance with the HIPAA Rules.
i. So that the Plan may meet its obligations to evaluate requests for restrictions and confidential communications in connection with the disclosure of PHI under 45 CFR 164.522, Business Associate and the Plan agree that, to the extent that communications are within the control of Business Associate, Business Associate will perform these evaluations on behalf of the Plan. Business Associate will evaluate such requests according to its own procedures for such requests, in accordance with the requirements of 45 CFR 164.522, and shall implement such appropriate operational steps as are required by its own procedures. Such evaluation will not relieve the Plan of any additional and independent obligations to evaluate restrictions or implement confidential communications where requested by an Individual. Accordingly, Business Associate will evaluate requests for restrictions and requests for confidential communications, and will respond to these requests as appropriate under Business Associate's procedures. The Plan agrees that it will not agree to such restriction or request that would affect Business Associate without the approval of Business Associate, so that Business Associate can determine whether it can reasonably administer the request.
j. So that the Plan may meet its obligation to evaluate complaints from Individuals regarding their privacy rights or privacy practices of the Plan or Business Associate, the parties agree that Individuals shall be directed to submit any such complaint to Business Associate for review and evaluation. Business Associate will evaluate such complaints according to its own procedures for complaints, and shall implement appropriate operation steps as are required by its own procedures. The Privacy Officer of the Plan shall cooperate with Business Associate in the evaluation of any such complaint. Business Associate shall provide a copy of all complaints to the Plan within three (3) days of receipt by Business Associate. If the complaint appears to involve handling of PHI by the Plan, Plan Sponsor, or other Business Associate of the Plan, Business Associate shall notify the Plan and it shall be the Plan's responsibility to review and evaluate the complaint.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Business Associate Functions. Business Associate shall comply with any additional requirements for the determination of Minimum Necessary as are required from time to time by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Business Associate is expressly obligated under the Services Agreements to carry out one or more of the Plan's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Plan in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for the Business Associate's own management and administration or to carry out the legal responsibilities of Business Associate, Business Associate shall not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by the Plan.
Obligations of Business Associate.
(a) Business Associate agrees not to use or disclose PHI other than as permitted or required by this BA Agreement or as otherwise Required by Law. Business Associate will comply with the provisions of this BA Agreement related to the privacy, security and breach notification of PHI and all present and future provisions of the HIPAA Rules that are applicable to Covered Entity and/or Business Associate. To the extent that Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to such covered entity in the performance of such obligations.
(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this BA Agreement and comply with the Security Rule with respect to electronic PHI.
(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BA Agreement.
(d) Business Associate agrees to report promptly to Covered Entity any use or disclosure of PHI not provided for by this BA Agreement or Security Incident of which it becomes aware. This provision applies to Breaches of Unsecured PHI, as those terms are defined at 45 C.F.R. § 164.402. Business Associate’s notice shall include the applicable elements as set forth at 45 C.F.R. § 164.410(c). Notwithstanding the foregoing, notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be required or given. For purposes of this section, “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks of Business Associate’s firewall, port scans, unsuccessful logon attempts, and any combination of the above, as long as no incident results in unauthorized access, acquisition, use or disclosure of PHI.
(e) In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to enter into written agreements with any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of Business Associate, and the terms of such agreements shall incorporate restrictions and conditions that are no less restrictive than those that apply through this BA Agreement to Business Associate with respect to such information.
(f) Business Associate agrees to provide access, at the request of Covered Entity, and in a timely manner, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
(g) Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees in order to meet the requirements pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in a timely manner.
(h) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a timely manner, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
(i) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by Covered Entity or, as directed by Covered Entity, by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
(j) Business Associate agrees to provide Covered Entity, in a timely manner, information collected in accordance with Section 3(i) of this BA Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
f. Business Associate agrees to receive requests for amendment and amend PHI as required by 45 CFR 164.526 on the Plan's behalf for as long as such information is maintained by Business Associate. The parties agree that Individuals will be directed to Business Associate to make all such requests for amendment of PHI. Business Associate will amend such PHI according to its own procedures for such amendment in accordance with the requirements of 45 CFR 164.526. If the Individual's request covers records not maintained by Business Associate, Business Associate shall notify the Plan within three (3) days of such request. The Plan will be responsible for amending or otherwise responding directly to the Individual pursuant to the HIPAA Rules with respect to PHI not in the possession of Business Associate or an agent or contractor of Business Associate. Business Associate shall notify the Plan of any amendments made to PHI.
g. Business Associate agrees to process all requests for disclosure accounting by Individuals for as long as such information is maintained by Business Associate. Individuals will be directed to Business Associate to make all such requests. Business Associate will provide the accounting that is required under 45 CFR 164.528 on the Plan's behalf directly to the Individual. Business Associate will provide such accounting according to its own procedures for such accounting in accordance with the requirements of 45 CFR 164.528. Business Associate shall notify the Plan within three (3) days of any request made by an Individual for a disclosure accounting. The Plan will be responsible for responding directly to the Individual (or the Individual's personal representative) pursuant to 45 CFR 164.528 with respect to disclosures of PHI by persons or entities other than Business Associate or a subcontractor or agent of Business Associate. Business Associate shall provide directly to the Individual the requested accounting of disclosures made by Business Associate or a subcontractor or agent of Business Associate, along with a notice to the Individual that a copy of the Individual's request has been furnished to the Plan and that the Plan may provide additional information to the Individual in response to the request.
h. Make its internal practices, books and records relating to this Agreement available to the Secretary of HHS and to the Plan for purposes of determining the Plan's and Business Associate's compliance with the HIPAA Rules.
i. So that the Plan may meet its obligations to evaluate requests for restrictions and confidential communications in connection with the disclosure of PHI under 45 CFR 164.522, Business Associate and the Plan agree that, to the extent that communications are within the control of Business Associate, Business Associate will perform these evaluations on behalf of the Plan. Business Associate will evaluate such requests according to its own procedures for such requests, in accordance with the requirements of 45 CFR 164.522, and shall implement such appropriate operational steps as are required by its own procedures. Such evaluation will not relieve the Plan of any additional and independent obligations to evaluate restrictions or implement confidential communications where requested by an Individual. Accordingly, Business Associate will evaluate requests for restrictions and requests for confidential communications, and will respond to these requests as appropriate under Business Associate's procedures. The Plan agrees that it will not agree to such restriction or request that would affect Business Associate without the approval of Business Associate, so that Business Associate can determine whether it can reasonably administer the request.
j. So that the Plan may meet its obligation to evaluate complaints from Individuals regarding their privacy rights or privacy practices of the Plan or Business Associate, the parties agree that Individuals shall be directed to submit any such complaint to Business Associate for review and evaluation. Business Associate will evaluate such complaints according to its own procedures for complaints, and shall implement appropriate operation steps as are required by its own procedures. The Privacy Officer of the Plan shall cooperate with Business Associate in the evaluation of any such complaint. Business Associate shall provide a copy of all complaints to the Plan within three (3) days of receipt by Business Associate. If the complaint appears to involve handling of PHI by the Plan, Plan Sponsor, or other Business Associate of the Plan, Business Associate shall notify the Plan and it shall be the Plan's responsibility to review and evaluate the complaint.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Business Associate Functions. Business Associate shall comply with any additional requirements for the determination of Minimum Necessary as are required from time to time by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Business Associate is expressly obligated under the Services Agreements to carry out one or more of the Plan's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Plan in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for the Business Associate's own management and administration or to carry out the legal responsibilities of Business Associate, Business Associate shall not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by the Plan.
Appears in 2 contracts
Samples: Business Associate Agreement, Business Associate Agreement
Obligations of Business Associate. 2.1 Permitted Uses and Disclosures of Health Information. Business Associate:
(a) shall Use and Disclose Health Information as necessary to perform the Business Associate Services, and as provided in Article II of this Addendum;
(b) shall Disclose Health Information to Covered Entity upon request;
(c) may, as necessary for the proper management and administration of its business or to carry out its legal responsibilities:
(i) Use Health Information; and
(ii) Disclose Health Information if (A) the Disclosure is required by law, or (B) Business Associate obtains reasonable assurance from the person to whom the information is Disclosed that the Health Information will be held confidentially and Used or further Disclosed only as required by law or for the purpose for which it was Disclosed to the person, and the person agrees to notify Business Associate of any instances of which the person is aware in which the confidentiality of the Health Information has been breached. Business Associate shall not Use or Disclose Health Information for any other purpose.
2.2 Adequate Safeguards for Health Information. Business Associate warrants that it shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of Health Information in any manner other than as permitted by this Addendum.
2.3 Reporting Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity each Use or Disclosure that is made by Business Associate, its employees, representatives, agents or subcontractors but is not specifically permitted by this Addendum. The initial report shall be made by telephone call to the Covered Entity's Chief Financial Officer, Xxxxxxx Xxxxxxxx at (000) 000-0000 within forty-eight (48) hours from the time the Business Associate becomes aware of the non-permitted Use or Disclosure, followed by a full written report to the Privacy Officer no later than ten (10) business days from the date the Business Associate becomes aware of the non-permitted Use or Disclosure.
Appears in 2 contracts
Samples: Clinical Laboratory Professional Services Agreement, Clinical Laboratory Professional Services Agreement (Genoptix Inc)
Obligations of Business Associate. In connection with its use and disclosure of PHI, the Business Associate agrees that it will:
a. Implement provisions to maintain the currency and accuracy of the Department's Medicaid Agency Designated Record Set (DRS) components.
b. Provide a list of subcontractors, data interfaces and steps taken to ensure the proper handling of PHI within 30 days of execution of this Contract.
c. Implement and satisfy HIPAA's minimal necessary (use and disclosure) requirements; to include the identification and documentation of functional/operational roles/job functions and provide that information to the Department.
d. Implement necessary HIPAA Privacy training for the entire staff, both awareness and detailed instructions for the handling of PHI.
e. Establish and receive approval of a HIPAA violation identification, reporting and resolution process from the Department.
f. Implement and promote a responsible and diligent "whistle blower" policy.
g. Assign and appoint a Privacy Officer/Representative with predefined HIPAA training and experience; additionally, the specific responsibilities of the Privacy Officer/Representative must be documented.
h. Provide a Quarterly HIPAA Compliance Report (using the Medicaid Agency approved format).
i. Use or further disclose PHI only as permitted or required by this Contract or as otherwise required by law.
j. Use reasonable and appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Contract;
k. To the extent practicable, mitigate any harmful effect that is known to the Business Associate of a use or disclosure of PHI in violation of this Attachment.
l. Report to the Department any use or disclosure of PHI not provided for by this Attachment of which the Business Associate becomes aware within 2 days of discovery.
m. Require contractors or agents to whom the Business Associate provides PHI to agree to the same restrictions and conditions that apply to the Business Associate pursuant to this Contract.
n. Make available to the Secretary of Health and Human Services the Business Associate's internal practices, books and records relating to the use and disclosure of PHI for purposes of determining the Business Associate's compliance with the Privacy Rule, subject to any applicable legal privileges.
o. Obtain consents, authorizations and other permissions from all individuals necessary or required by laws applicable to the Business Associate to fulfill its obligations under the Contract.
p. Promptly comply with any changes in, or revocation of, permission by an Individual for the Business Associate or the Department to use or disclose PHI, after receiving written notice by the Department.
q. Promptly comply with any restrictions on the use and disclosure of PHI about Individuals that the Department has agreed to, after written notice by the Department.
r. Make available the information necessary for the Department to make an accounting of disclosures of PHI about an individual within fifteen (15) days of receiving a request from the Department.
s. Make available PHI, that is in the Business Associate's possession and which constitutes part of the Department's Designated Record Set, necessary to respond to an individual's request for access to their PHI, within ten (10) days of receiving a written notice from the Department.
t. Amend or correct an Individual's PHI, in accordance with the Privacy Rule, when the Business Associate is the primary source of the PHI constituting part of the Department's Designated Record Set, within fifteen (15) days of receiving a written notice from the Department that an amendment or correction is necessary.
Appears in 2 contracts
Samples: Contract for Services, Contract
Obligations of Business Associate. As an express condition of performing Business Associate Functions, Business Associate agrees to:
a. Not Use or Disclose PHI other than as permitted or required by this Agreement or as otherwise Required by Law.
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent Use or Disclosure of PHI other than as provided for in this Agreement.
c. Report to the Covered Entity's designated privacy official, without unreasonable delay but in no event more than three (3) business days after discovery by Business Associate, any Use or Disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware, together with any remedial or mitigating action taken or proposed to be taken with respect thereto. If Business Associate does not have available complete information in satisfaction of 45 CFR 164.410(c) within three (3) business days of discovery of the impermissible Use or Disclosure, Business Associate shall provide all information it has at such time, and immediately update the Covered Entity with additional information as it becomes available through prompt investigation. This BAA serves as Business Associate's notice to the Covered Entity that attempted but unsuccessful Security Incidents regularly occur and that no further notice will be made by Business Associate unless there has been a successful Security Incident or attempts or patterns of attempts that Business Associate determines to be suspicious. Business Associate shall cooperate with the Covered Entity in mitigating, at its sole expense, any harmful effects of any impermissible Use or Disclosure.
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
e. Within ten five (105) business days of request by an Individual or notification by the PlanCovered Entity, make available to Covered Entity the Individual such Individual's PHI maintained by Business Associate in a Designated Record Set in accordance with 45 CFR 164.524. The parties agree that Individuals will be directed to Business Associate to make all requests for access to PHI. Business Associate will provide such access according to its own procedures for such access in accordance with the requirements of 45 CFR 164.524. If the requested PHI is maintained in one or more Designated Record Sets electronically and if the Individual requests an electronic copy of such PHI, Business Associate must provide the Individual Covered Entity with access to the PHI in the electronic form and format requested by the Individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to between Business Associate Covered Entity and the Individual. Business Associate shall provide Individual and within the requested information directly to the Individual, along with a notice to the Individual that a copy of the individual's request has been furnished to the Plan and that the Plan may provide additional information to the Individual in response to the request. If the Individual's request covers records not maintained by Business Associate, Business Associate shall notify the Plan within three (3) days of the request. The Plan will be responsible for providing access or otherwise responding directly to the Individual pursuant to the HIPAA Rules with respect to PHI not in the possession of Business Associate or an agent or subcontractor technical capability of Business Associate. 
Business Associate may charge the Individual reasonable fees related is not authorized to this access, as determined by Business Associate, but only in independently respond to an Individual's request and shall refer all Individuals to Covered Entity to make any such amounts as permitted by the HIPAA Rules. The Plan authorizes Business Associate to require payment of such fees from the Individual prior to releasing any recordsrequest.
f. Business Associate agrees Notify Covered Entity within five (5) business days of any request by an Individual to receive requests for amendment and amend PHI as required by 45 CFR 164.526 on the Plan's behalf for as long as such information is maintained by Business Associate. The parties agree that Individuals will be directed Associate in a Designated Record Set, direct the requesting Individual to Covered Entity for handling of such request, and promptly incorporate any amendment accepted by Covered Entity and communicated to Business Associate to make all such requests for amendment of PHI. Business Associate will amend such PHI according to its own procedures for such amendment in accordance with the requirements of 45 CFR 164.526. If the Individual's request covers records not maintained by Business Associate, Business Associate is not authorized to independently agree to any amendment of PHI and shall notify the Plan within three (3) days of direct all Individuals to Covered Entity to make any such request. The Plan will be responsible for amending or otherwise responding directly to the Individual pursuant to the HIPAA Rules with respect to .
g. Maintain a record of those Disclosures of PHI by Business Associate or its agents or Subcontractors which are subject to the Individual's right to an accounting under 45 CFR 164.528, and within five (5) business days of notification by Covered Entity report such Disclosures to the Covered Entity in a form permitting Covered Entity to respond to an Individual's request for an accounting. Business Associate is not authorized to independently respond to an Individual's request for an accounting and shall direct all Individuals to Covered Entity to make any such request.
h. Make its internal practices, books and records relating to this Agreement available to the Secretary of HHS and to Covered Entity for purposes of determining Covered Entity's and Business Associate's compliance with the HIPAA Rules.
i. Comply with any voluntary restriction on Use or Disclosure of PHI under 45 CFR 164.522(a) of the HIPAA Rules when accepted by Covered Entity and communicated to Business Associate. Business Associate shall direct Individuals to Covered Entity to make any such requests.
j. Comply with any reasonable requests by Individuals under 45 CFR 164.522(b) to receive communications of PHI by alternative means or at alternate locations when accepted by Covered Entity and communicated to Business Associate. Business Associate shall direct Individuals to Covered Entity to make any such request.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Business Associate Function. Business Associate shall comply with any additional requirements for the determination of Minimum Necessary as are required from time to time by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Business Associate is expressly obligated under the Services Agreements to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for the Business Associate's own management and administration or to carry out the legal responsibilities of Business Associate, Business Associate shall not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity.
n. Business Associate shall not receive remuneration, either directly or indirectly in exchange for PHI, except as may be permitted by HIPAA.
o. Where applicable, Business Associate acknowledges that in receiving, storing, processing, or otherwise using any information from alcohol/drug programs about the clients of a federally assisted program that requires compliance with Part 2, it is fully bound by the provisions of the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.
Obligations of Business Associate. In connection with any Use or Disclosure of PHI, Business Associate must:
A. Consult with Covered Entity before using or disclosing PHI whenever Business Associate is uncertain whether the Use or Disclosure is authorized under this Agreement.
B. Implement appropriate administrative, physical, and technical safeguards and controls to protect PHI and document applicable policies and procedures to prevent any Use or Disclosure of PHI other than as provided for by this Agreement.
C. Provide satisfactory assurances that PHI created or received by Business Associate under this Agreement is protected to the greatest extent feasible.
D. Notify Covered Entity within twenty-four (24) hours of Business Associate’s discovery of any potential access, acquisition, use, disclosure, modification, or destruction of either secured or unsecured PHI in violation of this Agreement, including any Breach of Unsecured PHI.
(1) Any incident as described above will be treated as discovered as of the first day on which such event is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.
(2) Notification shall be sent to and to the VHA Health Information Access Office, Business Associate Program Manager by email at XXXXXXXxxxxx@xx.xxx.
(3) Business Associate shall not notify individuals or the Department of Health and Human Services directly unless Business Associate is not acting as an agent of Covered Entity but in its capacity as a Covered Entity itself.
E. Provide a written report to Covered Entity of any potential access, acquisition, use, disclosure, modification, or destruction of either secured or unsecured PHI in violation of this Agreement, including any Breach of PHI,
within ten (10) business days of the initial notification.
(1) The written report of an incident as described above will document the following:
(a) The identity of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, disclosed, modified, or destroyed;
(b) A description of what occurred, including the date of the incident and the date of the discovery of the incident (if known);
(c) A description of the types of secured or unsecured PHI that was involved;
(d) A description of what is being done to investigate the incident, to mitigate further harm to Individuals, and to protect against future incidents; and
(e) Any other information as required by 45 C.F.R. §§ 164.404(c) and 164.410.
(2) The written report shall be addressed to: and submitted by email to and to the VHA Health Information Access Office, Business Associate Program Manager at XXXXXXXxxxxx@xx.xxx
F. To the greatest extent feasible, mitigate any harm due to a Use or Disclosure of PHI in violation of this Agreement that is known or, by exercising reasonable diligence, should have been known to Business Associate.
G. Use only contractors and Subcontractors that are physically located within a jurisdiction subject to the laws of the United States, and ensure that no contractor or Subcontractor maintains, processes, uses, or discloses PHI in any way that will remove the information from such jurisdiction. Any modification to this provision must be approved by Covered Entity in advance and in writing.
H. Enter into Business Associate Agreements with contractors and Subcontractors as appropriate under the HIPAA Rules and this Agreement. Business Associate:
(1) Must ensure that the terms of any Agreement between Business Associate and a contractor or Subcontractor are at least as restrictive as the Agreement between Business Associate and Covered Entity.
(2) Must ensure that contractors and Subcontractors agree to the same restrictions and conditions that apply to Business Associate and obtain satisfactory written assurances from them that they agree to those restrictions and conditions.
(3) May not amend any terms of such Agreement without Covered Entity’s prior written approval.
I. Within five (5) business days of a written request from Covered Entity:
(1) Make available information for Covered Entity to respond to an Individual’s request for access to PHI about him/her.
(2) Make available information for Covered Entity to respond to an Individual’s request for amendment of PHI about him/her and, as and under the direction of Covered Entity, incorporate any amendment to the PHI.
(3) Make available PHI for Covered Entity to respond to an Individual’s request for an accounting of Disclosures of PHI about him/her.
J. Business Associate may not take any action concerning an individual’s request for access, amendment, or accounting other than as instructed by Covered Entity.
K. To the extent Business Associate is required to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the provisions that apply to Covered Entity in the performance of such obligations.
L. Provide to the Secretary of Health and Human Services and to Covered Entity records related to Use or Disclosure of PHI, including its policies, procedures, and practices, for the purpose of determining Covered Entity’s, Business Associate’s, or a Subcontractor’s compliance with the HIPAA Rules.
M. Upon completion or termination of the applicable contract(s) or agreement(s), return or destroy, as determined by and under the direction of Covered Entity, all PHI and other VA data created or received by Business Associate during the performance of the contract(s) or agreement(s). No such information will be retained by Business Associate unless retention is required by law or specifically permitted by Covered Entity. If return or destruction is not feasible, Business Associate shall continue to protect the PHI in accordance with the Agreement and use or disclose the information only for the purpose of making the return or destruction feasible, or as required by law or specifically permitted by Covered Entity. Business Associate shall provide written assurance that either all PHI has been returned or destroyed, or any information retained will be safeguarded and used and disclosed only as permitted under this paragraph.
N. Be liable to Covered Entity for civil or criminal penalties imposed on Covered Entity, in accordance with 45 C.F.R. §§ 164.402 and 164.410, and with the HITECH Act, 42 U.S.C. §§ 17931(b), 17934(c), for any violation of the HIPAA Rules or this Agreement by Business Associate.
Obligations of Business Associate. A. Business Associate acknowledges that Business Associate is subject to those provisions of the Privacy and Security Regulations that are applicable to ADAMH, and those provisions of the Privacy and Security Regulations that are directly applicable to business associates, and Business Associate certifies that Business Associate has implemented policies and procedures and taken such other action as is necessary to comply with those provisions of the Privacy and Security Regulations by the effective date provided in law.
B. Business Associate shall cooperate with ADAMH in the administration of Individual Rights, and shall provide ADAMH promptly upon request Protected Health Information in the possession of Business Associate or a subcontractor or agent of Business Associate which ADAMH deems necessary for ADAMH to respond to a request from an individual to exercise one or more Individual Rights. Upon the instruction of ADAMH, Business Associate will amend any Protected Health Information in the possession of Business Associate or a subcontractor or agent of Business Associate, and will implement restrictions on the Use and Disclosure of Protected Health Information in the possession of Business Associate or a subcontractor or agent of Business Associate, and will employ procedures to assure confidential communications of Protected Health Information in the possession of Business Associate or a subcontractor or agent of Business Associate as directed by ADAMH. Business Associate will notify, and will require its subcontractors and agents to notify ADAMH promptly, but in no event later than five (5) days after receipt of a request from an Individual to exercise one or more Individual Rights. All requests from an Individual to exercise an Individual Right will be processed and handled by ADAMH.
C. Business Associate shall maintain a record of all Disclosures of Protected Health Information as necessary to provide an Accounting of such Disclosures upon request. All Disclosures except the following shall be recorded for purposes of providing information for an Accounting:
i. Disclosures made pursuant to an authorization signed by the Individual or the Individual's personal representative;
ii. Disclosures made directly to the requesting Individual or the Individual's personal representative;
iii. Disclosures for national security or intelligence purposes;
iv. Disclosures in the form of de-identified information or information contained in a Limited Data Set;
v. Disclosures to correctional institutions or law enforcement officials about inmates or others in custody;
vi. Disclosures for treatment, payment for treatment and the health care operations of ADAMH.
D. Business Associate shall make its internal practices, books and records relating to this Agreement Uses and Disclosures of Protected Health Information available to ADAMH, to the Secretary of HHS the U.S. Department of Health and Human Services or designee, or to the Plan any other official or agency with enforcement authority under HIPAA, for purposes of determining the Plan's ADAMH’s and Business Associate's ’s compliance with the HIPAA RulesHIPAA.
E. Upon the termination of the Underlying Agreement, Business Associate shall return or destroy all Protected Health Information and will retain no copies of such information. If such return or destruction of Protected Health Information is not feasible, as approved by ADAMH, Business Associate agrees that the provisions of this Agreement are extended beyond termination of the Underlying Agreement to the Protected Health Information still in the possession of Business Associate or a subcontractor or agent of Business Associate, and Business Associate shall limit all further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information infeasible. If Business Associate elects to destroy the Protected Health Information, it shall certify to ADAMH that the information has been destroyed. If the Business Associate is to destroy the Protected Health Information as provided by this Agreement, then Business Associate shall (1) destroy Protected Health Information on paper, film, or other hard copy media by shredding or destroying such media so that the Protected Health Information cannot be read or otherwise cannot be reconstructed and (2) destroy electronic Protected Health Information by clearing, purging, or destroying electronic media consistent with “NIST Special Publication 800-88, Guidelines for Media Sanitization,” such that the electronic Protected Health Information cannot be retrieved.
F. Business Associate shall, within one (1) day of discovery, report to ADAMH any Security Incident relating to Electronic Protected Health Information of which it becomes aware.
G. Business Associate shall require all employees, officers, and subcontractors or agents working for Business Associate to report immediately to Business Associate, no later than 24 hours after discovery, any occurrence, event, or fact that could reasonably be considered an indication that a Breach of an Individual’s Protected Health Information has occurred. Upon receipt of a report, Business Associate shall immediately i) notify ADAMH of the occurrence, event, or fact, including the date and time of the discovery and as much information regarding the suspected Breach as is available; and ii) undertake an investigation of whether a Breach did occur, and apprise ADAMH of the results of the investigation on an ongoing and current basis. Notification shall be provided by Business Associate to ADAMH. Business Associate shall, and shall require its employees, officers, and contractors to, cooperate fully with ADAMH in providing any additional information requested by ADAMH in connection with the Breach. If ADAMH determines that a Breach has occurred, Business Associate shall take all action which is reasonably requested by ADAMH to mitigate the Breach and prevent further Breaches.
H. If Business Associate becomes aware of any Use or Disclosure of Protected Health Information not permitted under this Agreement, it shall report such Use or Disclosure to ADAMH within one (1) business day of gaining such knowledge. Business Associate shall also use its best efforts to mitigate the effect of such unauthorized Use or Disclosure, and shall implement or modify practices or take other reasonable action to prevent further unauthorized Uses or Disclosures.
I. Business Associate shall implement and use reasonable and appropriate administrative, technical and physical safeguards which will protect the confidentiality, integrity, and availability, and prevent uses or disclosures of Protected Health Information other than as provided for by this Agreement.
J. Business Associate acknowledges and agrees that the Protected Health Information of ADAMH will be subject to Security Requirements. Business Associate certifies that Business Associate has adopted written policies and procedures consistent with the Security Requirements, and taken such other action as appropriate to carry out Security Requirements.
K. Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual unless a valid authorization from each Individual whose information is the subject of the remuneration transaction has been obtained, and unless ADAMH has approved such remuneration transaction in writing. Approval of ADAMH must be obtained before Business Associate solicits Individuals for authorization.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations of Business Associate. (a) Business Associate will not use or disclose Facility Data other than as permitted or required by the Agreement, this Exhibit or as otherwise required by law.
(b) Business Associate will use appropriate safeguards to prevent further use or disclosure of Facility Data other than as provided for by the Agreement and this Exhibit and will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, security, integrity and availability of Facility Data that it receives, maintains, transmits or creates on behalf of Covered Entity, which in any event shall be no less than the HIPAA-related implementation recommendations of the NIST/URAC/WEDI Health Care Security Workgroup (see xxx.xxxx.xxx; keyword search “NIST” or “URAC”).
(c) Business Associate will promptly mitigate, to the extent practicable, any harmful effect of a use or disclosure of Facility Data by Business Associate in violation of the Agreement and this Exhibit.
(d) Business Associate will promptly report to Covered Entity any use or disclosure of Facility Data not provided for by the Agreement and/or this Exhibit, including any requests for inspection, copying or amendment of such information. Business Associate will maintain a record of all such requests for inspection, copying and amendment(s) of Facility Data not provided for by the Agreement, including those initiated by Patient, Covered Entity, or third parties, and will promptly provide such documentation to Covered Entity upon request. Business Associate will use “best efforts” to promptly report to Covered Entity any Security Incident of which it becomes aware, together with any remedial or mitigating action taken or proposed to be taken with respect thereto. If the Business Associate becomes aware in a manner and time to permit Covered Entity to timely determine if Covered Entity must report the Security Incident to the individual as required by law, and to permit Covered Entity to do so within the time required by law, Business Associate will follow the incident reporting classification and manner prescribed in CHW’s Investigations and Notification of Privacy and Data Security Incidents Policy (9.828), a copy of which shall be made available to Business Associate upon its request. Business Associate shall cooperate in good faith with Covered Entity in the investigation of any privacy or data security incident.
(e) Business Associate will ensure in writing that any agent, including a subcontractor, to whom it provides Facility Data agrees to the same restrictions and conditions that apply to Business Associate with respect to such information and that such agent or subcontractor will implement reasonable and appropriate safeguards, which shall be no less than the HIPAA-related implementation recommendations of the NIST/URAC/WEDI Health Care Security Workgroup (see xxx.xxxx.xxx; keyword search “NIST” or “URAC”), to protect it. Notwithstanding the foregoing or anything to the contrary in the Agreement or this Exhibit, Business Associate will not use any agent or subcontractor to perform any service under the Agreement without the express written consent of an authorized representative of Covered Entity and in which event, it will use agents, employees or subcontractors that reside only within the United States of America and only after such agent or subcontractor has agreed in writing to comply with the same restrictions and conditions that apply to Business Associate under the Agreement and this Exhibit with respect to such information.
(f) Business Associate will provide prompt access to Facility Data in designated record sets to Covered Entity whenever so requested by Covered Entity, or, if directed by Covered Entity, to a Patient in order to meet the requirements of HIPAA. If Patient requests directly from Business Associate (i) to inspect or copy his or her PHI, or (ii) requests its disclosure to a third party, the Business Associate will promptly notify Covered Entity’s facility privacy official of such request and await such official’s denial or approval of the request.
(g) Business Associate will promptly make amendment(s) to Facility Data requested by Covered Entity and will do so in the time and manner requested by Covered Entity to enable it to comply with HIPAA. If Patient requests an amendment to his or her PHI from Business Associate, the Business Associate will promptly notify Covered Entity’s facility privacy official of such request and await such official’s denial or approval of the request.
(h) Business Associate will promptly make its internal practices, books, records, relating to the use or disclosure of Facility Data and the policies, procedures, and documentation for Covered Entity to implement the security measures required under 45 CFR 164.316 for the protection of PHI that the Business Associate received from, maintained or created for or on behalf of Covered Entity, available to Covered Entity or the Secretary, in a time and manner designated by Covered Entity or the Secretary, to enable the Secretary to determine compliance with HIPAA.
(i) Business Associate will document and provide to Covered Entity all disclosures of Facility Data and information related to such disclosures, and will do so in the time and manner designated by Covered Entity, to enable it to meet security and privacy law requirements and for an accounting of such disclosures.
h. Make its internal practices, books and records relating to this Agreement available to the Secretary of HHS and to the Plan for purposes of determining the Plan's and Business Associate's compliance with the HIPAA Rules.
(j) Business Associate will cooperate with Covered Entity and its medical staff to preserve and protect the confidentiality of Facility Data accessed or used pursuant to the Agreement and will not disclose or testify about such information during or after the termination of the Agreement, except as required by law.
j. So that the Plan may meet its obligation to evaluate complaints from Individuals regarding their privacy rights or privacy practices of the Plan or Business Associate, the parties agree that Individuals shall be directed to submit any such complaint to Business Associate for review and evaluation. Business Associate will evaluate such complaints according to its own procedures for complaints, and shall implement appropriate operation steps as are required by its own procedures. The Privacy Officer of the Plan shall cooperate with Business Associate in the evaluation of any such complaint. Business Associate shall provide a copy of all complaints to the Plan within three (3) days of receipt by Business Associate. If the complaint appears to involve handling of PHI by the Plan, Plan Sponsor, or other Business Associate of the Plan, Business Associate shall notify the Plan and it shall be the Plan's responsibility to review and evaluate the complaint.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Business Associate Functions. Business Associate shall comply with any additional requirements for the determination of Minimum Necessary as are required from time to time by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Business Associate is expressly obligated under the Services Agreements to carry out one or more of the Plan's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Plan in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for the Business Associate's own management and administration or to carry out the legal responsibilities of Business Associate, Business Associate shall not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by the Plan.
Appears in 1 contract
Samples: Facilities and Management Services Agreement (Radiation Therapy Services Holdings, Inc.)
Obligations of Business Associate. A. Business Associate shall comply with the use and disclosure provisions of the Privacy Rule in performing its obligations under any agreement for services with Covered Entity and to not use or disclose PHI other than as permitted or required under this Agreement or as otherwise Required by Law.
B. Business Associate shall implement and use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
C. Business Associate shall implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, and to otherwise comply with the Security Rule in performing Business Associate’s obligations under this Agreement.
D. Business Associate shall use best efforts to secure PHI to make it unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in its annual guidance issued under section 13402(h) of the HITECH Act, codified at 42 U.S.C. § 17932(h).
E. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
F. Business Associate shall, as soon as reasonably practicable and in no event later than sixty (60) days of discovery of the same, report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including, but not limited to, any Security Incident and any unauthorized acquisition, access, use, or disclosure of PHI.
G. Business Associate does not have shall develop policies and procedures to both detect and report Breaches of PHI to the Covered Entity. Copies of such policies and procedures shall be made available complete information in satisfaction of 45 CFR 164.410(c) within three (3) business days of to the Covered Entity upon the Covered Entity’s Request.
H. Business Associate shall, following the discovery of a Breach of PHI, notify Covered Entity of such Breach.
1. Business Associate shall provide initial notice of the Breach as soon as reasonably practicable and in no event later than sixty (60) days after the discovery of the Breach. A Breach shall be treated as discovered as of the first day on which the Breach is known to the Business Associate.
2. The initial notice shall include, to the extent possible, the identification of each individual whose PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall make best efforts to collect and provide to Covered Entity as soon as possible any such information that Business Associate is unable to provide in the initial notice.
I. Business Associate shall, following notification to Covered Entity of a Breach of PHI, cooperate with Covered Entity in providing any and all information required for Covered Entity to comply with the breach notification provisions of section 13402 of the HITECH Act and the implementing regulations set forth in Subpart D of the Privacy Rule (45 C.F.R. § 164.400 et seq.) and any other applicable breach notification laws and regulations of which Business Associate is informed of by Covered Entity.
J. Business Associate shall enter into legally binding agreements with each of its subcontractors and agents to ensure that any subcontractor agent to whom Business Associate provides PHI received from, or created or received by, Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
e. Within ten (10) business days X. Xxx purposes of request by an Individual or notification by the PlanSecretary determining Covered Entity's compliance with the Privacy Rule and Security Rule, Business Associate shall make available to the Individual such Individual's PHI maintained by Business Associate in a Designated Record Set in accordance with 45 CFR 164.524. The parties agree that Individuals will be directed to Business Associate to make all requests for access to PHI. Business Associate will provide such access according to its own procedures for such access in accordance with the requirements of 45 CFR 164.524. If the requested PHI is maintained in one or more Designated Record Sets electronically and if the Individual requests an electronic copy of such PHI, Business Associate must provide the Individual with access to PHI in the electronic form and format requested by the Individual, if it is readily producible in such form and format; or, if notSecretary, in a readable electronic form time and format as agreed to between Business Associate and the Individual. Business Associate shall provide the requested information directly to the Individual, along with a notice to the Individual that a copy of the individual's request has been furnished to the Plan and that the Plan may provide additional information to the Individual in response to the request. If the Individual's request covers records not maintained by Business Associate, Business Associate shall notify the Plan within three (3) days of the request. The Plan will be responsible for providing access or otherwise responding directly to the Individual pursuant to the HIPAA Rules with respect to PHI not in the possession of Business Associate or an agent or subcontractor of Business Associate. Business Associate may charge the Individual reasonable fees related to this access, as determined by Business Associate, but only in such amounts as permitted manner designated by the HIPAA Rules. 
The Plan authorizes Business Associate to require payment of such fees from the Individual prior to releasing any records.
f. Business Associate agrees to receive requests for amendment and amend PHI as required by 45 CFR 164.526 on the Plan's behalf for as long as such information is maintained by Business Associate. The parties agree that Individuals will be directed to Business Associate to make all such requests for amendment of PHI. Business Associate will amend such PHI according to its own procedures for such amendment in accordance with the requirements of 45 CFR 164.526. If the Individual's request covers records not maintained by Business AssociateSecretary, Business Associate shall notify the Plan within three (3) days of such request. The Plan will be responsible for amending or otherwise responding directly to the Individual pursuant to the HIPAA Rules with respect to PHI not in the possession of Business Associate or an agent or contractor of Business Associate. Business Associate shall notify the Plan of any amendments made to PHI.
g. Business Associate agrees to process all requests for disclosure accounting by Individuals for as long as such information is maintained by Business Associate. Individuals will be directed to Business Associate to make all such requests. Business Associate will provide the accounting that is required under 45 CFR 164.528 on the Plan's behalf directly to the Individual. Business Associate will provide such accounting according to its own procedures for such accounting in accordance with the requirements of 45 CFR 164.528. Business Associate shall notify the Plan within three (3) days of any request made by an Individual for a disclosure accounting. The Plan will be responsible for responding directly to the Individual (or the Individual's personal representative) pursuant to 45 CFR 164.528 with respect to disclosures of PHI by persons or entities other than Business Associate or a subcontractor or agent of Business Associate. Business Associate shall provide directly to the Individual the requested accounting of disclosures made by Business Associate or a subcontractor or agent of Business Associate, along with a notice to the Individual that a copy of the Individual's request has been furnished to the Plan and that the Plan may provide additional information to the Individual in response to the request.
h. Make its internal practices, books, and records (including policies and procedures), relating to this Agreement available to the Secretary of HHS and to the Plan for purposes of determining the Plan's and Business Associate's compliance with the HIPAA Rules.
i. So that the Plan may meet its obligations to evaluate requests for restrictions and confidential communications in connection with the disclosure of PHI under 45 CFR 164.522, Business Associate and the Plan agree that, to the extent that communications are within the control of Business Associate, Business Associate will perform these evaluations on behalf of the Plan. Business Associate will evaluate such requests according to its own procedures for such requests, in accordance with the requirements of 45 CFR 164.522, and shall implement such appropriate operational steps as are required by its own procedures. Such evaluation will not relieve the Plan of any additional and independent obligations to evaluate restrictions or implement confidential communications where requested by an Individual. Accordingly, Business Associate will evaluate requests for restrictions and requests for confidential communications, and will respond to these requests as appropriate under Business Associate's procedures. The Plan agrees that it will not agree to such restriction or request that would affect Business Associate without the approval of Business Associate, so that Business Associate can determine whether it can reasonably administer the request.
j. So that the Plan may meet its obligation to evaluate complaints from Individuals regarding their privacy rights or privacy practices of the Plan or Business Associate, the parties agree that Individuals shall be directed to submit any such complaint to Business Associate for review and evaluation. Business Associate will evaluate such complaints according to its own procedures for complaints, and shall implement appropriate operational steps as are required by its own procedures. The Privacy Officer of the Plan shall cooperate with Business Associate in the evaluation of any such complaint. Business Associate shall provide a copy of all complaints to the Plan within three (3) days of receipt by Business Associate. If the complaint appears to involve handling of PHI by the Plan, Plan Sponsor, or other Business Associate of the Plan, Business Associate shall notify the Plan and it shall be the Plan's responsibility to review and evaluate the complaint.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Business Associate Functions. Business Associate shall comply with any additional requirements for the determination of Minimum Necessary as are required from time to time by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Business Associate is expressly obligated under the Services Agreements to carry out one or more of the Plan's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Plan in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for the Business Associate's own management and administration or to carry out the legal responsibilities of Business Associate, Business Associate shall not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by the Plan.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations of Business Associate. Permitted Uses and Disclosures of PHI and ePHI. Business Associate may Use and Disclose PHI and ePHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement provided that such use or disclosure would not violate the Privacy Regulations if done by the Covered Entity. Business Associate agrees not to use or further disclose PHI other than as permitted or required by the Agreement, this Amendment, or as otherwise required by law.
Adequate Safeguards for PHI and ePHI. Business Associate warrants that it shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of PHI and ePHI in any manner other than as permitted by the Agreement and this Amendment.
Reporting Non-Permitted Use or Disclosure. Business Associate shall immediately in writing notify Covered Entity of each Use or Disclosure that is made by Business Associate, its employees, representatives, agents or subcontractors that is not specifically permitted by this Amendment.
Availability of Internal Practices, Books and Records to Government Agencies. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary of the federal Department of Health and Human Services for purposes of determining Covered Entity's compliance with the Privacy Regulations. Business Associate shall immediately notify Covered Entity of any requests made by the Secretary and provide Covered Entity with copies of any documents produced in response to such request.
Access to and Amendment of PHI and ePHI. Within ten (10) days of receiving a request from the Covered Entity, Business Associate shall: (a) make the PHI or ePHI specified by Covered Entity available to the individual(s) identified by Covered Entity as being entitled to access and copy that PHI or ePHI, and (b) make PHI or ePHI available to Covered Entity for the purpose of amendment and incorporating such amendments into the PHI or ePHI. Business Associate shall provide such access and incorporate such amendments within the time and manner specified by Covered Entity.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations of Business Associate.
A. Business Associate acknowledges that Business Associate is subject to those provisions of HIPAA made directly applicable to business associates by the Stimulus Act, and Business Associate certifies that Business Associate has implemented policies and procedures and take such other action as is necessary to comply with those provisions of HIPAA which are directly applicable to the Business Associate by the effective date provided in law. Business Associate shall comply with the requirements of HIPAA adopted under the Stimulus Act, and if necessary shall execute additional amendments to this Agreement as required to maintain compliance.
B. Business Associate shall cooperate with DCP in the administration of Individual Rights, and shall provide DCP promptly upon request ... Business Associate or a subcontractor or agent of Business Associate which DCP deems necessary for DCP to respond to a request from an individual to exercise one or more Individual Rights. Upon the instruction of DCP, Business Associate will amend any Protected Health Information in the possession of Business Associate or a subcontractor or agent of Business Associate, and will implement restrictions on the Use and Disclosure of Protected Health Information in the possession of Business Associate or a subcontractor or agent of Business Associate, will disclose Protected Health Information to DCP to allow DCP to meet its requirement to satisfy an individual's request for an electronic copy of Protected Health Information, and will employ procedures to assure confidential communications of Protected Health Information in the possession of Business Associate or a subcontractor or agent of Business Associate as directed by DCP.
Business Associate will notify, and will require its subcontractors and agents to notify DCP promptly, but in no event later than five (5) days after receipt of a request from an Individual to exercise one or more Individual Rights. All requests from an Individual to exercise an Individual Right will be processed and handled by DCP.
C. Business Associate shall maintain a record of all Disclosures of Protected Health Information as necessary to provide an Accounting of such Disclosures upon request. All Disclosures except the following shall be recorded for purposes of providing information for an Accounting:
i. Disclosures made pursuant to an authorization signed by the Individual or the Individual's personal representative;
ii. Disclosures made directly to the requesting Individual or the Individual's personal representative;
iii. Disclosures for national security or intelligence purposes;
iv. Disclosures in the form of de-identified information or information contained in a Limited Data Set;
v. Disclosures to correctional institutions or law enforcement officials about inmates or others in custody.
vi. Disclosures for treatment, payment for treatment and the health care operations of a Plan.
D. Business Associate shall make its internal practices, books and records relating to Uses and Disclosures of Protected Health Information available to DCP, to the Secretary of the U.S. Department of Health and Human Services or designee, or to any other official or agency with enforcement authority under HIPAA, for purposes of determining DCP's and Business Associate's compliance with HIPAA.
E. Upon the termination of the Underlying Agreement, Business Associate shall return or destroy all Protected Health Information and will retain no copies of such information. If such return or destruction of Protected Health Information is not feasible, as approved by DCP, Business Associate agrees that the provisions of this Agreement are extended beyond termination of the Underlying Agreement to the Protected Health Information still in the possession of Business Associate or a subcontractor or agent of Business Associate, and Business Associate shall limit all further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information infeasible. If Business Associate elects to destroy the Protected Health Information, it shall certify to DCP that the information has been destroyed. If the Business Associate is to destroy the Protected Health Information as provided by this Agreement, then Business Associate shall (1) destroy Protected Health Information on paper, film, or other hard copy media by shredding or destroying such media so that the Protected Health Information cannot be read or otherwise cannot be reconstructed and (2) destroy electronic Protected Health Information by clearing, purging, or destroying electronic media consistent with "NIST Special Publication 800-88, Guidelines for Media Sanitization," such that the electronic Protected Health Information cannot be retrieved.
F. Business Associate shall, within one (1) day of discovery, report to DCP any Security Incident relating to Electronic Protected Health Information of which it becomes aware.
G. Business Associate shall require all employees, officers, and contractors working for Business Associate to report immediately to Business Associate, no later than 24 hours after discovery, any occurrence, event, or fact that could reasonably be considered an indication that a Breach of an Individual's Protected Health Information has occurred. Upon receipt of a report, Business Associate shall immediately i) notify DCP of the occurrence, event, or fact, including the date and time of the discovery and as much information regarding the suspected Breach as is available; and ii) undertake an investigation of whether a Breach did occur, and apprise DCP of the results of the investigation on an ongoing and current basis. Notification shall be provided by Business Associate to DCP. Business Associate shall, and shall require its employees, officers, and contractors to, cooperate fully with DCP in providing any additional information requested by DCP in connection with the Breach. If DCP determines that a Breach has occurred, which shall be determined in DCP's sole discretion, Business Associate shall, at Business Associate's cost, take all action which is reasonably requested by DCP to mitigate the Breach and prevent further Breaches. Business Associate shall bear all costs incurred by DCP to investigate and make required notifications of any Breach by Business Associate.
H. Business Associate acknowledges and agrees that the Protected Health Information of DCP will be subject to the Security Requirements. Business Associate certifies that Business Associate has adopted written policies and procedures consistent with the Security Requirements, and take such other action as appropriate to comply with the Security Requirements.
I. Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual unless a valid authorization from each Individual whose information is the subject of the remuneration transaction has been obtained, and unless DCP has approved such remuneration transaction in writing. Approval of DCP must be obtained before Business Associate solicits Individuals for authorization.
Obligations of Business Associate. As an express condition of performing Subcontractor Functions, Independent Contractor agrees to:
a. Not Use or Disclose PHI other than as permitted or required by this Agreement or as otherwise Required by Law.
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent Use or Disclosure of PHI other than as provided for in this Agreement.
c. Report to PPIC's designated privacy official, without unreasonable delay but in no event more than three (3) business days after discovery by Independent Contractor, any Use or Disclosure of PHI not provided for by this Agreement of which Independent Contractor becomes aware, including any Breach of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware, together with any remedial or mitigating action taken or proposed to be taken with respect thereto. If Independent Contractor does not have available complete information in satisfaction of 45 CFR 164.410(c) within three (3) business days of discovery of the impermissible Use or Disclosure, Independent Contractor shall provide all information it has at such time, and immediately update PPIC with additional information as it becomes available through prompt investigation. This Agreement serves as Independent Contractor's notice to PPIC that attempted but unsuccessful Security Incidents regularly occur and that no further notice will be made by Independent Contractor unless there has been a successful Security Incident or attempts or patterns of attempts that Independent Contractor determines to be suspicious. Independent Contractor shall cooperate with PPIC in mitigating any harmful effects of any impermissible Use or Disclosure. In the case of a Breach as determined to exist in the sole discretion of PPIC which was due to a violation of this Agreement by Independent Contractor, Independent Contractor shall pay for the reasonable costs of investigation, mitigation and notification to affected Individuals.
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Independent Contractor agree in writing to the same restrictions, conditions, and requirements that apply to Independent Contractor with respect to such information.
e. Within five (5) business days of request by an Individual or notification by PPIC, make available to PPIC such Individual's PHI maintained by Independent Contractor in a Designated Record Set in accordance with 45 CFR 164.524. If the requested PHI is maintained in one or more Designated Record Sets electronically and if the Individual requests an electronic copy of such PHI, Independent Contractor must provide PPIC with access to the PHI in the electronic form and format requested by the Individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to between PPIC (or the Covered Entity) and the Individual and within the technical capability of Independent Contractor. Independent Contractor is not authorized to independently respond to an Individual's request and shall refer all Individuals to PPIC to make any such request.
f. Notify PPIC within five (5) business days of any request by an Individual to amend PHI maintained by Independent Contractor in a Designated Record Set, direct the requesting Individual to PPIC for handling of such request, and promptly incorporate any amendment accepted by PPIC and communicated to Independent Contractor in accordance with the requirements of 45 CFR 164.526. Independent Contractor is not authorized to independently agree to any amendment of PHI and shall direct all Individuals to PPIC to make any such request.
g. Maintain a record of those Disclosures of PHI by Independent Contractor or its agents or Subcontractors which are subject to the Individual's right to an accounting, and within five (5) business days of any notification by PPIC report such Disclosures to PPIC in a form permitting PPIC to respond to an Individual's request for an accounting. Independent Contractor is not authorized to independently respond to an Individual's request and shall direct all Individuals to PPIC to make any such request.
h. Make its internal practices, books and records relating to this Agreement available to the Secretary of HHS and to PPIC for purposes of determining PPIC's and Business Associate's compliance with the HIPAA Rules.
i. Comply with any restriction on Use or Disclosure of PHI under 45 CFR 164.522(a) of the HIPAA Rules when accepted by PPIC or Covered Entity and communicated to Independent Contractor. Independent Contractor shall direct Individuals to PPIC to make any such requests.
j. Comply with any reasonable requests by Individuals under 45 CFR 164.522(b) to receive communications of PHI by alternative means or at alternate locations when accepted by PPIC or Covered Entity and communicated to Independent Contractor. Independent Contractor shall direct Individuals to PPIC to make any such request.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Independent Contractor Function. Independent Contractor shall comply with any additional requirements for the determination of Minimum Necessary as are required from time to time by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Independent Contractor is expressly obligated under the Services Agreements to carry out one or more of PPIC's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to PPIC in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for Independent Contractor's own management and administration or to carry out the legal responsibilities of Independent Contractor or for any permitted data aggregation services, Independent Contractor shall not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by PPIC or the Covered Entity.
Obligations of Business Associate. As an express condition of performing Business Associate Functions, Business Associate shall:
1. Not use or disclose PHI other than as permitted or required by this Agreement or the Underlying Contract or as otherwise required by law;
2. Not use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule and this Agreement, provided that if Business Associate carries out one or more of Covered Entity's obligations under the Privacy Rule pursuant to the Underlying Contract, Business Associate shall fully comply with the Privacy Rule requirements that would apply to Covered Entity in performing those obligations;
3. Use appropriate safeguards, and comply with the Security Rule at Subpart C of 45 CFR Part 164 with respect to EPHI, to prevent use or disclosure of PHI other than as provided for by the Agreement;
4. Report to Covered Entity promptly, without unreasonable delay and in no case later than thirty (30) calendar days after Business Associate's discovery, any use or disclosure of PHI not provided for by the Agreement of which Business Associate becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R. § 164.410, any security incident of which it becomes aware, or any breach as such may be defined under relevant state data breach laws ("State Law Breach"). Any notice of a Breach or State Law Breach referenced in this Section II.A.4 will include the results of the risk assessment in which Business Associate determined that there is more than a low probability that the PHI has been compromised based on the required factors set forth in 45 C.F.R. § 164.402 if the Breach is discovered on or after September 23, 2013, and to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, used, or disclosed during such Breach.
Notwithstanding anything set forth in this Agreement or the Underlying Contract, Business Associate shall be responsible for the cost of the risk assessment and any reasonable breach mitigation expenses and shall indemnify, defend and hold Covered Entity and its officers, directors, affiliates, employees, agents, successors and assigns harmless, from and against any and all losses, claims, actions, demands, liabilities, damages, costs and expenses (including costs, expenses incurred in notifying individuals, the media or government agencies in connection therewith) and any judgments, settlements, court costs and reasonable attorneys' fees actually incurred (collectively, "Breach Claims") arising from or related to: (i) the Business Associate's or any of its subcontractors' use or disclosure of PHI in violation of the terms of this Agreement or applicable law, and (ii) whether in oral, paper or electronic media, any HIPAA Breach of unsecured PHI and/or State Law Breach caused by Business Associate or any of its subcontractors. If Business Associate assumes the defense of a Breach Claim, Covered Entity shall have the right, at its expense, to participate in the defense of such Breach Claim. Business Associate shall not take any final action with respect to any Breach Claim without the prior written consent of Covered Entity. To the extent permitted by law, Business Associate shall be fully liable to Covered Entity for any acts, failures or omissions of its agents and subcontractors in furnishing the services as if they were the Business Associate's own acts, failures or omissions.
Notwithstanding the preceding, the parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. "Unsuccessful Security Incidents" shall include, but not be limited to, pings (i.e., a request-response utility used to determine whether a specific Internet Protocol [IP] address or host exists or is accessible) and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized acquisition, access, use or disclosure of Protected Health Information;
5. Make available PHI in a designated record set to Covered Entity in the form and format as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524 within ten (10) business days of receiving a request from Covered Entity;
6. Provide access, at the request of Covered Entity, and in no case later than ten (10) business days after such request, to PHI maintained by Business Associate in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual or third party designated by the Individual, in the form or format requested if it is readily producible in such form or format in order for the Covered Entity to meet the requirements under the Privacy Rule;
7. Make any PHI contained in a Designated Record Set available to Covered Entity (or an Individual as directed by Covered Entity) within ten (10) business days of a request for purposes of amendment per 45 C.F.R. §164.526. If an Individual requests an amendment of PHI directly from Business Associate or its Subcontractors, Business Associate shall forward the request to Covered Entity as soon as possible and within ten (10) business days;
8. Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.528. If an accounting of disclosures is requested by an individual directly to Business Associate, Business Associate shall forward the request to Covered Entity as soon as possible and within ten (10) business days;
9. To the extent the Business Associate is expressly obligated under the Services Agreements to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s) and to the extent any such obligations involve disclosures of PHI to health plans, comply with the requirements of 45 C.F.R. § 164.522 regarding requested restrictions on health plan disclosures;
10. Make its internal practices, books and records, including policies and procedures, relating to the use and disclosure of PHI available to the Secretary of HHS and to Covered Entity for purposes of determining Covered Entity's compliance with the HIPAA Rules;
11. Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI as required by the Security Rule. With respect to EPHI, Business Associate shall comply with all applicable state laws governing information security breaches;
12. Ensure that any agents and Subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate shall ensure that any agent or Subcontractor to whom Business Associate provides EPHI agrees to implement reasonable and appropriate safeguards to protect EPHI.
13. To the extent permitted by law, cooperate with Covered Entity to ensure that legal process conforms with the applicable requirements of the HIPAA Rules, or, if necessary in Covered Entity's opinion, take appropriate measures to try to obtain a qualified protective order to limit or prevent the disclosure of PHI in the event of the receipt of a subpoena, court or administrative order or other discovery request.
Samples: Contract for Services
Obligations of Business Associate. As an express condition of performing Business Associate Functions, Business Associate agrees to and promises in good faith to do all of the following:
Comply with all Business Associate obligations and requirements under HIPAA Rules and, if uncertainty exists as to how to achieve compliance, request direction from Covered Entity. Comply with other requirements under HIPAA Rules that may apply to the Covered Entity, such as when Business Associate carries out one or more of the Covered Entity's obligations under HIPAA Rules. Use and disclose PHI only: (i) when required by law; (ii) as set forth in this BA Agreement; or (iii) as set forth in the Service Agreement or, if the Service Agreement is ambiguous or incomplete, then only as permitted by the Covered Entity's Notice of Privacy Practices that was in effect when the information was collected from the individual.
MINIMUM NECESSARY. Limit its use, disclosure, and requests for use or disclosure to the minimum amount necessary to accomplish the intended purpose in accordance with the requirements of the HIPAA Rules. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity. Manage Security Incidents in compliance with 45 C.F.R. Part 164 Subpart C, including immediate notification to the Covered Entity of a Security Incident upon discovery. Upon discovery of a Breach as defined at 45 C.F.R. § 164.402, which is recognized by HIPAA Rules as a type of Security Incident, comply with 45 C.F.R. Part 164 Subpart D, which includes immediate notification to Covered Entity in a prescribed form and providing prescribed information. In addition to the requirements of HIPAA Rules, Business Associate shall: Identify all known individuals or entities that caused or contributed to the occurrence of a Breach at Business Associate's expense; and Cooperate with Covered Entity to notify, at Business Associate's expense, all Individuals and media required to be notified under the HIPAA Rules; and Indemnify Covered Entity for any reasonable expenses Covered Entity may incur in connection with such Breach, including notification. The parties acknowledge that the definition of Breach as set forth in the HIPAA Rules at 45 C.F.R.
Part 164.402 excludes the following circumstances and therefore Breach notice requirements do not apply: Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a Covered Entity or a Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under 45 C.F.R. Part 164, Subpart E. Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same Covered Entity or Business Associate, or organized health care arrangement in which the Covered Entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under 45 C.F.R. Part 164, Subpart E. A disclosure of PHI where a Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. In accordance with 45 C.F.R. § 164.524, provide the Individual with access to PHI in a Designated Record Set to an Individual at the electronic form request of Covered Entity and format requested in the time and manner designated by Covered Entity. Provide immediate notice to Covered Entity when Business Associate receives a request for access from an Individual. In accordance with 45 C.F.R. § 164.526, make amendments to PHI in a Designated Record Set as directed by the Individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format Covered Entity or take other measures as agreed necessary to between satisfy Covered Entity’s obligations regarding amendments. Provide immediate notice to Covered Entity when Business Associate and the receives a request for an amendment from an Individual. 
Business Associate shall provide the requested information directly to the Individual, along with a notice to the Individual that a copy of the individual's request has been furnished to the Plan and that the Plan may provide additional information to the Individual in response to the request. If the Individual's request covers records not maintained by Business Associate, Business Associate shall notify the Plan within three (3) days of the request. The Plan will be responsible for providing access or otherwise responding directly to the Individual pursuant to the HIPAA Rules with respect to PHI not in the possession of Business Associate or an agent or subcontractor of Business Associate. Business Associate may charge the Individual reasonable fees related to this access, as determined by Business Associate, but only in such amounts as permitted by the HIPAA Rules. The Plan authorizes Business Associate to require payment of such fees from the Individual prior to releasing any records.
f. Business Associate agrees to receive requests for amendment and amend PHI as required by 45 CFR 164.526 on the Plan's behalf for as long as such information is maintained by Business Associate. The parties agree that Individuals will be directed to Business Associate to make all such requests for amendment of PHI. Business Associate will amend such PHI according to its own procedures for such amendment in accordance with the requirements of 45 CFR 164.526. If the Individual's request covers records not maintained by Business Associate, Business Associate shall notify the Plan within three (3) days of such request. The Plan will be responsible for amending or otherwise responding directly to the Individual pursuant to the HIPAA Rules with respect to PHI not in the possession of Business Associate or an agent or contractor of Business Associate. Business Associate shall notify the Plan of any amendments made to PHI.
g. Business Associate agrees to process all requests for disclosure accounting by Individuals for as long as such information is maintained by Business Associate. Individuals will be directed to Business Associate to make all such requests. Business Associate will provide the accounting that is required under 45 CFR 164.528 on the Plan's behalf directly to the Individual. Business Associate will provide such accounting according to its own procedures for such accounting in accordance with the requirements of 45 CFR 164.528. Business Associate shall notify the Plan within three (3) days of any request made by an Individual for a disclosure accounting. The Plan will be responsible for responding directly to the Individual (or the Individual's personal representative) pursuant to 45 CFR 164.528 with respect to disclosures of PHI by persons or entities other than Business Associate or a subcontractor or agent of Business Associate. Business Associate shall provide directly to the Individual the requested accounting of disclosures made by Business Associate or a subcontractor or agent of Business Associate, along with a notice to the Individual that a copy of the Individual's request has been furnished to the Plan and that the Plan may provide additional information to the Individual in response to the request.
h. Make its internal practices, books and records records, including policies, procedures and PHI, relating to this Agreement the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary of HHS and Covered Entity or to the Plan Secretary or the Secretary’s designee, in a time and manner designated by the requestor, for purposes of audit or determining the Plan's and Business AssociateCovered Entity's compliance with the HIPAA Rules.
i. So that the Plan may meet its obligations to evaluate requests for restrictions and confidential communications in connection . In accordance with the disclosure 45 C.F.R. § 164.528, document disclosures of PHI under 45 CFR 164.522and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI. Provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information required to provide an individual with an accounting of disclosures of PHI. Implement written policies and procedures, conduct periodic security risk assessments and evaluations, and train employees who have access to PHI about the standards, obligations, policies and procedures required by HIPAA Rules. Enter into a written agreement with each agent and subcontractor who has access to the PHI created, received, maintained, or transmitted by Business Associate in relation to Covered Entity and include in such agreement the Plan agree thatsame or parallel restrictions, requirements, and conditions that apply through this BA Agreement to the extent that communications are within the control of Business Associate, Business Associate will perform these evaluations on behalf of the Plan. Business Associate will evaluate such requests according including provisions with respect to its own procedures for such requests, in accordance with the requirements of 45 CFR 164.522, reasonable and shall implement such appropriate operational steps as are required by its own procedures. Such evaluation will not relieve the Plan of any additional and independent obligations safeguards to evaluate restrictions or implement confidential communications where requested by an Individual. Accordingly, Business Associate will evaluate requests for restrictions and requests for confidential communications, and will respond to these requests as appropriate under Business Associate's procedures. 
The Plan agrees that it will not agree to such restriction or request that would affect Business Associate without the approval of Business Associate, so that Business Associate can determine whether it can reasonably administer the requestprotect electronic PHI.
j. So that the Plan may meet its obligation to evaluate complaints from Individuals regarding their privacy rights or privacy practices of the Plan or Business Associate, the parties agree that Individuals shall be directed to submit any such complaint to Business Associate for review and evaluation. Business Associate will evaluate such complaints according to its own procedures for complaints, and shall implement appropriate operation steps as are required by its own procedures. The Privacy Officer of the Plan shall cooperate with Business Associate in the evaluation of any such complaint. Business Associate shall provide a copy of all complaints to the Plan within three (3) days of receipt by Business Associate. If the complaint appears to involve handling of PHI by the Plan, Plan Sponsor, or other Business Associate of the Plan, Business Associate shall notify the Plan and it shall be the Plan's responsibility to review and evaluate the complaint.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Business Associate Functions. Business Associate shall comply with any additional requirements for the determination of Minimum Necessary as are required from time to time by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Business Associate is expressly obligated under the Services Agreements to carry out one or more of the Plan's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Plan in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for the Business Associate's own management and administration or to carry out the legal responsibilities of Business Associate, Business Associate shall not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by the Plan.
Samples: Business Associate Agreement
Obligations of Business Associate. A. Business Associate shall comply with the use and disclosure provisions of the Privacy Rule in performing its obligations under any agreement for services with Covered Entity and to not use or disclose PHI other than as permitted or required under this BAA or as otherwise Required by Law.
B. Business Associate shall implement and use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA.
C. Business Associate shall implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, and to otherwise comply with the Security Rule in performing Business Associate’s obligations under this BAA.
D. Business Associate shall use best efforts to secure PHI to make it unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in its annual guidance issued under section 13402(h) of the HITECH Act, codified at 42 U.S.C. § 17932(h).
E. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
F. Business Associate shall, as soon as reasonably practicable and in no event later than fifteen (15) business days of discovery by Business Associate of the same, report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including, but not limited to, any Security Incident and any unauthorized acquisition, access, use, or disclosure of PHI.
G. Business Associate shall develop policies and procedures to both detect and report Breaches of PHI to the Covered Entity. Copies of such policies and procedures shall be made available to the Covered Entity upon the Covered Entity’s Request.
H. Business Associate shall, following the discovery of a Breach of PHI, notify Covered Entity of such Breach.
1. Business Associate shall provide initial notice of the Breach as soon as reasonably practicable and in no event later than fifteen (15) days after the discovery of the Breach. A Breach shall be treated as discovered as of the first day on which the Breach is known to the Business Associate.
2. The initial notice shall include, to the extent possible, the identification of each individual whose PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall make best efforts to collect and provide to Covered Entity as soon as possible any such information that Business Associate is unable to provide in the initial notice.
I. Business Associate shall, following notification to Covered Entity of a Breach of PHI, cooperate with Covered Entity in providing any and all information required for Covered Entity to comply with the breach notification provisions of section 13402 of the HITECH Act and the implementing regulations set forth in Subpart D of the Privacy Rule (45 C.F.R. § 164.400 et seq.) and any other applicable breach notification laws and regulations of which Business Associate is informed of by Covered Entity.
J. Business Associate shall enter into legally binding agreements with each of its subcontractors and agents to ensure that any subcontractor agent to whom Business Associate provides PHI received from, or created or received by, Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
K. For purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule, Business Associate shall make available to the Secretary, in a time and manner designated by the Secretary, its internal practices, books, and records (including policies and procedures), relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity.
Samples: Business Associate Agreement
Obligations of Business Associate. (a) Business Associate will not use or disclose Facility Data other than as permitted or required by the Agreement, this Exhibit or as otherwise required by law.
(b) Business Associate will use appropriate safeguards to prevent further use or disclosure of Facility Data other than as provided for by the Agreement and this Exhibit and will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, security, integrity and availability of Facility Data that it receives, maintains, transmits or creates on behalf of Covered Entity, which in any event shall be no less than the HIPAA-related implementation recommendations of the NIST/URAC/WEDI Health Care Security Workgroup (see xxx.xxxx.xxx; keyword search “NIST” or “URAC”).
(c) Business Associate will promptly mitigate, to the extent practicable, any harmful effect of a use or disclosure of Facility Data by Business Associate in violation of the Agreement and this Exhibit.
(d) Business Associate will promptly report to Covered Entity any use or disclosure of Facility Data not provided for by the Agreement and/or this Exhibit, including any requests for inspection, copying or amendment of such information. Business Associate will maintain a record of all such requests for inspection, copying and amendment(s) of Facility Data not provided for by the Agreement, including those initiated by Patient, Covered Entity, or third parties, and will promptly provide such documentation to Covered Entity upon request. Business Associate will use “best efforts” to promptly report to Covered Entity any Security Incident of which the Business Associate becomes aware in a manner and time to permit Covered Entity to timely determine if Covered Entity must report the Security Incident to the individual as required by law, and to permit Covered Entity to do so within the time required by law. Business Associate will follow the incident reporting classification and manner prescribed in CHW’s Investigations and Notification of Privacy and Data Security Incidents Policy (9.828), a copy of which shall be made available to Business Associate upon its request. Business Associate shall cooperate in good faith with Covered Entity in the investigation of any privacy or data security incident.
(e) Business Associate will ensure in writing that any agent, including a subcontractor, to whom it provides Facility Data agrees to the same restrictions and conditions that apply to Business Associate with respect to such information and that such agent or subcontractor will implement reasonable and appropriate safeguards, which shall be no less than the HIPAA-related implementation recommendations of the NIST/URAC/WEDI Health Care Security Workgroup (see xxx.xxxx.xxx; keyword search “NIST” or “URAC”), to protect it. Notwithstanding the foregoing or anything to the contrary in the Agreement or this Exhibit, Business Associate will not use any agent or subcontractor to perform any service under the Agreement without the express written consent of an authorized representative of Covered Entity and in which event, it will use agents, employees or subcontractors that reside only within the United States of America and only after such agent or subcontractor has agreed in writing to comply with the same restrictions and conditions that apply to Business Associate under the Agreement and this Exhibit with respect to such information.
(f) Business Associate will provide prompt access to Facility Data in designated record sets to Covered Entity whenever so requested by Covered Entity, or, if directed by Covered Entity, to a Patient in order to meet the requirements of HIPAA. If Patient requests directly from Business Associate (i) to inspect or copy his or her PHI, or (ii) requests its disclosure to a third party, the Business Associate will promptly notify Covered Entity’s facility privacy official of such request and await such official’s denial or approval of the request.
(g) Business Associate will promptly make amendment(s) to Facility Data requested by Covered Entity and will do so in the time and manner requested by Covered Entity to enable it to comply with HIPAA. If Patient requests an amendment to his or her PHI from Business Associate, the Business Associate will promptly notify Covered Entity’s facility privacy official of such request and await such official’s denial or approval of the request.
f. Business Associate agrees to receive requests for amendment and amend PHI as required by 45 CFR 164.526 on the Plan's behalf for as long as such information is maintained by Business Associate. The parties agree that Individuals will be directed to Business Associate to make all such requests for amendment of PHI. (h) Business Associate will amend such PHI according to promptly make its own procedures for such amendment in accordance with the requirements of 45 CFR 164.526. If the Individual's request covers records not maintained by Business Associateinternal practices, Business Associate shall notify the Plan within three (3) days of such request. The Plan will be responsible for amending or otherwise responding directly books, records, relating to the Individual pursuant use or disclosure of Facility Data and the policies, procedures, and documentation for Covered Entity to implement the HIPAA Rules with respect to PHI not in the possession of Business Associate or an agent or contractor of Business Associate. Business Associate shall notify the Plan of any amendments made to PHI.
g. Business Associate agrees to process all requests for disclosure accounting by Individuals for as long as such information is maintained by Business Associate. Individuals will be directed to Business Associate to make all such requests. Business Associate will provide the accounting that is security measures required under 45 CFR 164.528 164.316 for the protection of PHI that the Business Associate received from, maintained or created for or on behalf of Covered Entity, available to Covered Entity or the Plan's behalf directly Secretary, in a time and manner designated by Covered Entity or the Secretary, to enable the Individual. Secretary to determine compliance with HIPAA.
(i) Business Associate will document and provide such accounting according to its own procedures for such accounting in accordance with the requirements of 45 CFR 164.528. Business Associate shall notify the Plan within three (3) days of any request made by an Individual for a disclosure accounting. The Plan will be responsible for responding directly to the Individual (or the Individual's personal representative) pursuant to 45 CFR 164.528 with respect to Covered Entity all disclosures of PHI Facility Data and information related to such disclosures, and will do so in the time and manner designated by persons or entities other than Business Associate or a subcontractor or agent of Business Associate. Business Associate shall provide directly Covered Entity, to the Individual the requested enable it to meet security and privacy law requirements and for an accounting of disclosures made by Business Associate or a subcontractor or agent of Business Associate, along with a notice to the Individual that a copy of the Individual's request has been furnished to the Plan and that the Plan may provide additional information to the Individual in response to the requestsuch disclosures.
h. Make its internal practices, books and records relating to this Agreement available to the Secretary of HHS and to the Plan for purposes of determining the Plan's and Business Associate's compliance with the HIPAA Rules.
i. So that the Plan may meet its obligations to evaluate requests for restrictions and confidential communications in connection with the disclosure of PHI under 45 CFR 164.522, Business Associate and the Plan agree that, to the extent that communications are within the control of Business Associate, (j) Business Associate will perform these evaluations on behalf cooperate with Covered Entity and its medical staff to preserve and protect the confidentiality of Facility Data accessed or used pursuant to the Agreement and will not disclose or testify about such information during or after the termination of the Plan. Business Associate will evaluate such requests according to its own procedures for such requestsAgreement, in accordance with the requirements of 45 CFR 164.522, and shall implement such appropriate operational steps except as are required by its own procedures. Such evaluation will not relieve the Plan of any additional and independent obligations to evaluate restrictions or implement confidential communications where requested by an Individual. Accordingly, Business Associate will evaluate requests for restrictions and requests for confidential communications, and will respond to these requests as appropriate under Business Associate's procedures. The Plan agrees that it will not agree to such restriction or request that would affect Business Associate without the approval of Business Associate, so that Business Associate can determine whether it can reasonably administer the requestlaw.
j. So that the Plan may meet its obligation to evaluate complaints from Individuals regarding their privacy rights or the privacy practices of the Plan or Business Associate, the parties agree that Individuals shall be directed to submit any such complaint to Business Associate for review and evaluation. Business Associate will evaluate such complaints according to its own procedures for complaints, and shall implement such appropriate operational steps as are required by its own procedures. The Privacy Officer of the Plan shall cooperate with Business Associate in the evaluation of any such complaint. Business Associate shall provide a copy of all complaints to the Plan within three (3) days of receipt by Business Associate. If the complaint appears to involve handling of PHI by the Plan, Plan Sponsor, or another Business Associate of the Plan, Business Associate shall notify the Plan and it shall be the Plan's responsibility to review and evaluate the complaint.
k. Limit the Uses and Disclosures of, or requests for, PHI for purposes described in this Agreement to the Minimum Necessary to perform the required Business Associate Functions. Business Associate shall comply with any additional requirements for the determination of Minimum Necessary as are required from time to time by the HIPAA Rules, as amended, or through additional guidance published by the Secretary.
l. To the extent Business Associate is expressly obligated under the Services Agreements to carry out one or more of the Plan's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Plan in the performance of such obligation(s).
m. Except for the specific Uses and Disclosures for the Business Associate's own management and administration or to carry out the legal responsibilities of Business Associate, Business Associate shall not Use or Disclose PHI in a manner that would violate the HIPAA Rules if done by the Plan.
Appears in 1 contract
Samples: Facilities and Management Services Agreement (Radiation Therapy Services Holdings, Inc.)