Common use of Obligations of the Business Associate Clause in Contracts

Obligations of the Business Associate. (a) The Business Associate agrees not to use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. (b) The Business Associate agrees to use appropriate safeguards to prevent disclosure of the PHI other than as provided for by this Agreement, and to implement administrative, physical, and technical safeguards as required by 45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316, as applicable to business associates, in order to protect the confidentiality, integrity, and availability of PHI that the Business Associate receives, maintains or transmits. The Business Associate shall undertake such actions in a manner that is consistent with any guidance issued by the Secretary pursuant to the HITECH Act. (c) The Business Associate agrees to report to the Covered Entity within three (3) business days any use or disclosure of PHI not provided for by this Agreement of which it becomes aware. In addition, the Business Associate shall notify the Covered Entity of any Security Incident or Security Breach involving Unsecured PHI within three (3) business days of becoming aware of the Security Incident or Security Breach. This notice shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during the Security Breach. The Business Associate agrees to cooperate with the Covered Entity in mitigating any harmful effect that is known to exist as a result of such unauthorized use or disclosure of PHI, such Security Incident, or Security Breach. The Business Associate further agrees to cooperate with the Covered Entity in complying with all state and federal public notification requirements arising therefrom. 
(d) The Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from or received by the Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply in this Agreement to the Business Associate with respect to such information, including but not limited to the requirement that such agent or subcontractor implement reasonable and appropriate safeguards to protect such information. (e) The Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from or received by the Business Associate on behalf of the Covered Entity available to the Secretary, upon request, for purposes of determining the Covered Entity’s compliance with HIPAA, the HITECH Act, the Privacy Rule, or the Security Rule. (f) The Business Associate shall maintain sufficient records of its disclosures of PHI to allow the Covered Entity to comply with any and all requests for accounting made pursuant to 45 C.F.R. § 164.528. (g) In the event that an individual makes a request to the Covered Entity for an accounting in accordance with 45 C.F.R. § 164.528 and Section 13405 of the HITECH Act, the Business Associate shall, within thirty (30) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is required to permit the Covered Entity to properly respond to the request for accounting. In the event that an individual makes a request for an accounting to the Business Associate, the Business Associate shall, within five (5) days of the request, refer the request to the Covered Entity. The Business Associate shall then promptly provide to Covered Entity any information it possesses that is responsive to the request for accounting so that the Covered Entity may provide the requested accounting on behalf of both itself and Business Associate. 
(h) In the event that an individual makes a request to the Business Associate for amendment of that individual’s PHI under 45 C.F.R. § 164.526, the Business Associate shall, within five (5) days of receiving the request, refer it to the Covered Entity so that the Covered Entity may make the requested amendment on behalf of both itself and the Business Associate. (i) In the event that an individual makes a request to the Business Associate for disclosure of that individual’s PHI under 45 C.F.R. § 164.524, the Business Associate shall, within five (5) days of receiving the request, transmit it to the Covered Entity for review so that the Covered Entity may provide access directly to the requesting Individual on behalf of both itself and the Business Associate. (j) Unless otherwise specifically authorized in writing by the Covered Entity, the Business Associate shall not sell any PHI. (k) The Business Associate shall only request, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose of the request, use, or disclosure. The Business Associate agrees to comply with the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessary.” (l) If and to the extent that the Business Associate is carrying out an obligation of the Covered Entity under the Privacy Rule or Security Rule, the Business Associate shall comply with the requirements that apply to the Covered Entity in the performance of that obligation.

Appears in 4 contracts

Samples: Business Associate and Data Use Agreement, Business Associate and Data Use Agreement, Business Associate and Data Use Agreement

Obligations of the Business Associate. (a) The Business Associate agrees not to use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. (b) The Business Associate agrees to use appropriate safeguards to prevent disclosure of the PHI other than as provided for by this Agreement, and to implement administrative, physical, and technical safeguards as required by 45 C.F.R. CFR §§ 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316, as applicable to business associates, 164.316 in order to protect the confidentiality, integrity, and availability of PHI that the Business Associate receives, maintains maintains, or transmitstransmits to the same extent as if the Business Associate were a Covered Entity. The Business Associate shall undertake such actions in a manner that is consistent with any guidance issued by the Secretary pursuant to the HITECH Act. (c) The Business Associate agrees to report to the Covered Entity within three five (35) business days of becoming aware of any use or disclosure of PHI not provided for by this Agreement of which it becomes awareAgreement. In addition, the Business Associate shall notify the Covered Entity of any Security Incident or Security Breach involving Unsecured PHI within three (3) business days of becoming aware of the Security Incident or Security Breach. This notice shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, acquired or disclosed during the Security Breach, analysis of the storage mechanisms for the PHI, the data elements that have been compromised, and all details regarding the circumstances by which the PHI came to be compromised. 
The Business Associate agrees to cooperate with the Covered Entity in mitigating mitigating, to the extent practicable, any harmful effect that is known to exist as a result of such unauthorized use or disclosure of PHI, such Security Incident, or Security Breach. The Business Associate further agrees to cooperate with the Covered Entity in complying with all state and federal public notification requirements arising therefrom. (d) The Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from or received by the Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply in this the Agreement to the Business Associate with respect to such information, including but not limited to to, the requirement that such agent or subcontractor implement reasonable and appropriate safeguards to protect such information. (e) The Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from or received by the Business Associate on behalf of the Covered Entity Entity, available to the Covered Entity, or at the request of the Covered Entity, to the Secretary, upon request, for purposes of determining the Covered Entity’s and/or the Business Associate’s compliance with HIPAA, the HITECH Act, the Privacy Rule, or the Security Rule. (f) The Business Associate shall maintain sufficient records of its disclosures of PHI to allow the Covered Entity to comply with any and all requests for accounting made pursuant to 45 C.F.R. § 164.528. (g) In the event that an individual makes a request to the parties mutually agree that the PHI received from or received by the Business Associate on behalf of the Covered Entity for an accounting in accordance with 45 C.F.R. 
§ 164.528 and Section 13405 of the HITECH Actconstitutes a Designated Records Set, the Business Associate shall, within thirty (30) days agrees to refer any requests from an Individual for amendment of receiving a written request from the Covered Entity, provide that individual’s PHI pursuant to the Covered Entity such information as is required to permit the Covered Entity to properly respond to the request for accounting. In the event that an individual makes a request for an accounting to the Business Associate, the Business Associate shall, within five (5) days of the request, refer the request 45 CFR § 164.526 to the Covered Entity. The Business Associate shall then promptly provide agrees to Covered Entity any information it possesses that is responsive to the request for accounting so that notify the Covered Entity may provide the requested accounting on behalf of both itself and Business Associate. (h) In the event that an individual makes a request to the Business Associate for amendment of that individual’s PHI under 45 C.F.R. § 164.526, the Business Associate shall, any such requests within five (5) business days of receiving them. Amendment of an Individual’s PHI is the request, refer it to sole responsibility of the Covered Entity so that the Covered Entity may make the requested amendment on behalf of both itself and the Business AssociateEntity. (i) In the event that an individual makes a request to the Business Associate for disclosure of that individual’s PHI under 45 C.F.R. § 164.524, the Business Associate shall, within five (5) days of receiving the request, transmit it to the Covered Entity for review so that the Covered Entity may provide access directly to the requesting Individual on behalf of both itself and the Business Associate. (j) Unless otherwise specifically authorized in writing by the Covered Entity, the Business Associate shall not sell any PHI. 
(kg) The Business Associate shall only request, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose of the request, use, or disclosure. The Business Associate agrees to comply with the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessaryMinimum Necessary”.” (l) If and to the extent that the Business Associate is carrying out an obligation of the Covered Entity under the Privacy Rule or Security Rule, the Business Associate shall comply with the requirements that apply to the Covered Entity in the performance of that obligation.

Appears in 2 contracts

Samples: Business Associate Agreement, Business Associate Agreement

Obligations of the Business Associate. (a) a. The Business Associate agrees shall not to use or disclose PHI other than as permitted or required by this Business Associate Agreement or as Required by By Law. (b) b. The Business Associate agrees to shall use appropriate safeguards safeguards, and comply with Subpart C of 45 CFR part 164 with respect to electronic PHI, to prevent the use or disclosure of the PHI other than as provided for by this Business Associate Agreement, and to implement administrative, physical, and technical safeguards . c. Upon “discovery,” as required by the term is defined in 45 C.F.R. §§ 164.306164.410, 164.308, 164.310, 164.312, 164.314, and 164.316, as applicable to business associates, in order to protect the confidentiality, integrity, and availability of PHI that the by Business Associate receivesof a Breach of unsecured PHI, maintains or transmits. The Business Associate shall undertake such actions in a manner that is consistent with any guidance issued by the Secretary pursuant to the HITECH Act. (c) The Business Associate agrees to report such Breach to the Covered Entity without unreasonable delay, and in any case within three (3) business days any use or disclosure of PHI not provided for by this Agreement of which it becomes aware. In addition, the Business Associate shall notify the Covered Entity of any Security Incident or Security Breach involving Unsecured PHI within three (3) business 30 calendar days of becoming aware Business Associate’s “discovery” of the Security Incident or Security such Breach. This Such notice shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been been, accessed, acquired, or disclosed during in connection with such Breach, to the Security Breachextent Business Associate has access to such information without decryption of data. 
The In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the Individual under 45 C.F.R. §164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of the HIPAA Rules and the HITECH Act. d. Business Associate agrees to cooperate with the report to Covered Entity in mitigating any harmful effect that is known to exist as a result of such unauthorized use or disclosure of PHIPHI not provided for by this Business Associate Agreement of which it becomes aware, such Security Incidentas required under 45 C.F.R. § 164.410, and any security incident of which it becomes aware. e. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, the Business Associate shall ensure that any subcontractor that creates, receives, maintains, or Security Breach. The transmits PHI on behalf of the Business Associate further agrees in writing to cooperate the same restrictions, conditions and requirements that apply to the Business Associate under this Business Associate Agreement with the Covered Entity in complying with all state and federal public notification requirements arising therefromrespect to such PHI. (d) The f. 
Within 30 calendar days from the receipt of a request from Covered Entity, and in the manner agreed to between the parties, and to the extent Business Associate has access to Covered Entity’s data in an decrypted format, Business Associate agrees to ensure that any agent, including provide access to PHI in a subcontractor, Designated Record Set to whom it provides PHI received from or received by the Business Associate on behalf of Covered Entity as necessary to meet the Covered Entity, agrees to ’s obligations under 45 CFR §164.524. g. To the same restrictions and conditions that apply in this Agreement to the extent Business Associate with respect has access to such informationCovered Entity’s data in an decrypted format, including but not limited to the requirement that such agent or subcontractor implement reasonable and appropriate safeguards to protect such information. (e) The Business Associate agrees to make its any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526. Notwithstanding the foregoing, Business Associate need not make amendments to PHI in a Designated Record Set unless the Covered Entity is unable to make such amendments to such PHI. h. Business Associate agrees that when requesting, using or disclosing PHI, such request, use or disclosure shall be to the minimum extent necessary to accomplish the intended purpose of such request, use or disclosure. i. Business Associate agrees to make internal practices, books, books and records relating to the use and disclosure of PHI received from from, or created or received by the Business Associate on behalf of the of, Covered Entity available to the Secretary, upon requestin a time and manner designated by the Secretary, for purposes of the Secretary determining the Covered Entity’s compliance with HIPAA, the HITECH Act, the Privacy Rule, or the Security RuleHIPAA Rules. (f) The j. 
Business Associate shall agrees to maintain sufficient records of its disclosures of PHI and make available to allow the Covered Entity to comply with any and all requests for accounting made pursuant to 45 C.F.R. § 164.528. (g) In the event that an individual makes a request to the Covered Entity for an accounting in accordance with 45 C.F.R. § 164.528 and Section 13405 of the HITECH Act, the Business Associate shall, within thirty (30) days of receiving a written request from the Covered Entity, provide within 30 calendar days of the receipt of a request from Covered Entity, any information required for Covered Entity to respond to a request by an Individual or the Secretary for an accounting of PHI disclosures as necessary to satisfy the Covered Entity’s obligations under 45 C.F.R. 164.528. k. To the extent Business Associate has access to Covered Entity’s data in an decrypted format, Business Associate agrees to account for any disclosure of PHI used or maintained as an electronic record of health-related information on an Individual that is created, gathered, managed and consulted by authorized health care clinicians and staff (“Electronic Health Record” or “EHR”) in a manner consistent with 45 C.F.R. §164.528; provided that an Individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity such information as is required to permit only during the Covered Entity to properly respond six years prior to the request for accounting. In date on which the event that an individual makes a request for an accounting to the Business Associate, the Business Associate shall, within five (5) days of the request, refer the request to the is requested from Covered Entity. 
The Business Associate shall then promptly provide to Covered Entity any information it possesses that is responsive to the request for accounting so that the Covered Entity may provide the requested accounting on behalf of both itself and Business Associate. (h) In the event that an individual makes a request to the Business Associate for amendment of that individual’s PHI under 45 C.F.R. § 164.526, the Business Associate shall, within five (5) days of receiving the request, refer it to the Covered Entity so that the Covered Entity may make the requested amendment on behalf of both itself and the Business Associate. (i) In the event that an individual makes a request to the Business Associate for disclosure of that individual’s PHI under 45 C.F.R. § 164.524, the Business Associate shall, within five (5) days of receiving the request, transmit it to the Covered Entity for review so that the Covered Entity may provide access directly to the requesting Individual on behalf of both itself and the Business Associate. (j) Unless otherwise specifically authorized in writing by the Covered Entity, the Business Associate shall not sell any PHI. (k) The Business Associate shall only request, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose of the request, use, or disclosure. The l. Business Associate agrees to comply with the Secretary’s guidance issued pursuant to “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in section 13405(d) of Subtitle D (Privacy) of the HITECH Act Act, and the “Conditions on Certain Contacts as to what constitutes “minimum necessaryPart of Health Care Operations,” as provided in section 13406 of Subtitle D (Privacy) of the HITECH Act. (l) If and to m. Business Associate shall comply with any required provisions of the HIPAA Rules. n. 
To the extent that the Business Associate is carrying to carry out an obligation of the Covered Entity under the Privacy Rule or Security RuleSubpart E of 45 CFR Part 164, the Business Associate shall comply with the requirements of that subpart that apply to the Covered Entity in the performance of that such obligation.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations of the Business Associate. (a) The Business Associate agrees not to use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. (b) The Business Associate agrees to use appropriate safeguards to prevent disclosure of the PHI other than as provided for by this Agreement, and to implement administrative, physical, and technical safeguards as required by 45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316, as applicable to business associates, 164.316 in order to protect the confidentiality, integrity, and availability of PHI that the Business Associate receives, maintains or transmitstransmits to the same extent as if the Business Associate were a Covered Entity. The Business Associate shall undertake such actions in a manner that is consistent with any guidance issued by the Secretary pursuant to the HITECH Act. (c) The Business Associate agrees to report to the Covered Entity within three (3) business days of becoming aware of any use or disclosure of PHI not provided for by this Agreement of which it becomes awareAgreement. In addition, the Business Associate shall notify the Covered Entity of any Security Incident or Security Breach involving Unsecured PHI within three (3) business days of becoming aware of the Security Incident or Security Breach. This notice shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during the Security Breach. The Business Associate agrees to cooperate with the Covered Entity in mitigating mitigating, to the extent practicable, any harmful effect that is known to exist as a result of such unauthorized use or disclosure of PHI, such Security Incident, or Security Breach. The Business Associate further agrees to cooperate with the Covered Entity in complying with all state and federal public notification requirements arising therefrom. 
(d) The Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from or received by the Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply in this Agreement to the Business Associate with respect to such information, including but not limited to to, the requirement that such agent or subcontractor implement reasonable and appropriate safeguards to protect such information. (e) The Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from or received by the Business Associate on behalf of the Covered Entity Entity, available to the Covered Entity, or at the request of the Covered Entity, to the Secretary, upon request, for purposes of determining the Covered Entity’s and/or the Business Associate’s compliance with HIPAA, the HITECH Act, the Privacy Rule, or the Security Rule. (f) The Business Associate shall maintain sufficient records of its disclosures of PHI to allow the Covered Entity to comply with any and all requests for accounting made pursuant to 45 C.F.R. § 164.528. (g) In the event that an individual makes a request to the Covered Entity for an accounting in accordance with 45 C.F.R. § 164.528 and Section 13405 of the HITECH Act, the Business Associate shall, within thirty (30) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is would be required to permit the Covered Entity to properly respond to the such a request for accounting. In the event that an individual makes a request for an accounting to the Business Associate, the Business Associate shall, within five (5) days of the request, refer the request to the Covered Entity. 
The Business Associate Covered Entity shall then promptly provide to Covered Entity any information it possesses that is responsive respond to the request for accounting so that the Covered Entity may and provide the individual with the requested accounting on behalf of both itself and Business Associateinformation according to its usual procedure for handling such requests. (hg) In the event that an individual makes a request to the parties mutually agree that the PHI received from or received by the Business Associate for amendment on behalf of that individual’s PHI under 45 C.F.R. § 164.526the Covered Entity constitutes a Designated Record Set, the Business Associate shallagrees to provide access, within five (5) days of receiving a written request from the requestCovered Entity, refer it to the PHI to the Covered Entity so that the Covered Entity may make provide access to the PHI to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Any denial of access to the PHI requested amendment on behalf by an Individual shall be the responsibility of both itself and the Covered Entity. If the Covered Entity is required to provide access to the Individual in electronic format, the Business AssociateAssociate shall provide access to the Covered Entity in such electronic format. (ih) In the event that an individual makes a request to the parties mutually agree that the PHI received from or received by the Business Associate on behalf of the Covered Entity constitutes a Designated Record Set, the Business Associate agrees to refer any requests from an Individual for disclosure amendment of that individual’s PHI under pursuant to 45 C.F.R. § 164.524, 164.526 to the Covered Entity. The Business Associate shall, agrees to notify the Covered Entity of any such requests within five (5) days of receiving them. Amendment of an Individual’s PHI is the request, transmit it to sole responsibility of the Covered Entity. 
(i) The Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI unless the Covered Entity for review so obtains from the Individual a valid authorization pursuant to 45 C.F.R. § 164.508 which specifies that the Covered Entity may provide access directly to the requesting Individual on behalf of both itself and the Business AssociatePHI can be exchanged for remuneration. (j) Unless otherwise specifically authorized in writing by the Covered Entity, the Business Associate shall not sell any PHI. (k) The Business Associate shall only request, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose of the request, use, or disclosure. The Business Associate agrees to comply with the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessary.” (l) If and to the extent that the Business Associate is carrying out an obligation of the Covered Entity under the Privacy Rule or Security Rule, the Business Associate shall comply with the requirements that apply to the Covered Entity in the performance of that obligation.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations of the Business Associate. (a) The Business Associate agrees not to use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. (b) The Business Associate agrees to use appropriate safeguards to prevent disclosure of the PHI other than as provided for by this Agreement, and to implement administrative, physical, and technical safeguards as required by 45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316, as applicable to business associates, 164.316 in order to protect the confidentiality, integrity, and availability of PHI that the Business Associate receives, creates, maintains or transmitstransmits to the same extent as if the Business Associate were a Covered Entity. The Business Associate shall undertake such actions in a manner that is consistent with any guidance issued by the Secretary pursuant to the HITECH Act. (c) The Business Associate agrees to report to the Covered Entity within three (3) business days any use or disclosure of PHI not provided for by this Agreement of which it becomes aware. In additionAgreement, the Business Associate shall notify the Covered Entity of including any Security Incident or Security Breach involving Unsecured PHI PHI, within three ten (310) business days of becoming aware of the unauthorized use or disclosure, Security Incident Incident, or Security Breach. This In the event of a Security Breach, this notice shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, used or disclosed during the Security Breach. The Business Associate agrees to cooperate with the Covered Entity in mitigating mitigating, to the extent practicable, any harmful effect that is known to exist as a result of such unauthorized use or disclosure of PHI, such Security Incident, or Security Breach. 
The Business Associate further agrees to cooperate with the Covered Entity in complying with all state and federal public notification requirements arising therefrom. (d) The Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from from, or created or received by the Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply in this Agreement to the Business Associate with respect to such information, including but not limited to to, the requirement that such agent or subcontractor implement reasonable and appropriate safeguards to protect such information. (e) The Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from from, or created or received by the Business Associate on behalf of the Covered Entity Entity, available to the Covered Entity, or at the request of the Covered Entity, to the Secretary, upon request, for purposes of determining the Covered Entity’s and/or the Business Associate’s compliance with HIPAA, the HITECH Act, the Privacy Rule, or the Security Rule. (f) The Covered Entity may elect to provide an Individual who requests an accounting of disclosures for his or her PHI such an accounting on behalf both it and the Business Associate, in which case the Business Associate shall maintain sufficient records of its disclosures of PHI agrees to allow the Covered Entity to comply with any and all requests for accounting made pursuant to 45 C.F.R. § 164.528. (g) In the event that an individual makes a request provide to the Covered Entity for an accounting in accordance with 45 C.F.R. 
§ 164.528 and Section 13405 of the HITECH Act, the Business Associate shallEntity, within thirty (30) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is would be required to permit the Covered Entity to properly respond to the request for accounting. In the event that an individual makes such a request for an accounting to the Business Associate, the Business Associate shall, within five (5) days in accordance with 45 C.F.R. § 164.528 and Section 13405 of the requestHITECH Act. Alternatively, refer the request to the Covered Entity. The Business Associate shall then promptly provide to Covered Entity any information it possesses that is responsive to the request for accounting so that the Covered Entity may elect to provide the requested Individual who requests the accounting on behalf with a list of both itself and all or some of its Business Associate. Associates, in which case the listed Business Associate shall provide an accounting of disclosures made by it within thirty (h30) In the event that an individual makes days of receiving a request made by an Individual directly to the Business Associate for amendment of that individual’s PHI under 45 C.F.R. § 164.526, the Business Associate shall, within five (5) days of receiving the request, refer it to the Covered Entity so that the Covered Entity may make the requested amendment on behalf of both itself and the Business Associatesuch an accounting. (i) In the event that an individual makes a request to the Business Associate for disclosure of that individual’s PHI under 45 C.F.R. § 164.524, the Business Associate shall, within five (5) days of receiving the request, transmit it to the Covered Entity for review so that the Covered Entity may provide access directly to the requesting Individual on behalf of both itself and the Business Associate. 
(j) Unless otherwise specifically authorized in writing by the Covered Entity, the Business Associate shall not sell any PHI. (k) The Business Associate shall only request, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose of the request, use, or disclosure. The Business Associate agrees to comply with the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessary.” (l) If and to the extent that the Business Associate is carrying out an obligation of the Covered Entity under the Privacy Rule or Security Rule, the Business Associate shall comply with the requirements that apply to the Covered Entity in the performance of that obligation.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations of the Business Associate. (a) The Business Associate agrees not to shall: 4.1 Not use or disclose PHI other than as permitted or required by this Agreement BAA or as Required by Law. (b) The Business Associate agrees to 4.2 Establish and use appropriate safeguards to prevent the unauthorized use or disclosure of the PHI other than as provided for by this Agreement, and to implement PHI. 4.3 Implement administrative, physical, and technical safeguards as required by 45 C.F.R. §§ 164.306that reasonably and appropriately protect the Confidentiality, 164.308, 164.310, 164.312, 164.314Integrity, and 164.316, as applicable to business associates, in order to protect Availability of the confidentiality, integrity, and availability of Electronic PHI that the Business Associate it creates, receives, maintains maintains, or transmitstransmits on behalf of the Covered Entity. The Business Associate shall undertake such actions in a manner that is consistent shall, as of the Compliance Date, comply with any guidance issued by the Secretary pursuant to the HITECH Actapplicable standards at Subpart C of 45 CFR Part 164. (c) The Business Associate agrees to 4.4 Promptly report to the Covered Entity within three (3) business days any use or disclosure of PHI not provided for by this Agreement of which it becomes aware. In addition, the Business Associate shall notify the Covered Entity of any Security Incident or Security Breach involving Unsecured PHI within three (3) business days of becoming aware of the Security Incident or Security Breach. This notice shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during the Security Breach. 
The Business Associate agrees to cooperate with the Covered Entity in mitigating any harmful effect that is known to exist as a result of such unauthorized use or disclosure of PHI, such or Security Incident, within no more than five (5) days, after Business Associate becomes aware of the unauthorized use or disclosure of PHI or Security BreachIncident. The Business Associate further agrees shall take all reasonable steps to cooperate with mitigate any harmful effects of such Breach or Security Incident. The Business Associate shall indemnify the Covered Entity in complying with all state and federal public notification requirements arising therefromagainst any losses, damages, expenses or other liabilities including reasonable attorney’s fees incurred as a result of the Business Associate’s or its agent’s or Subcontractor’s unauthorized use or disclosure of PHI or Breach of Unsecured PHI including, but not limited to, the costs of notifying individuals affected by a Breach of Unsecured PHI. Indemnification is subject to an ability to demonstrate that no agency relationship exists between the parties. (d) 4.5 The Business Associate agrees to ensure that any agentshall, including following discovery of a subcontractorBreach of Unsecured PHI, to whom it provides PHI received from or received notify the Covered Entity of such Breach as required at 45 CFR 164.410, without unreasonable delay, and in no event more than thirty (30) days after the discovery of the Breach. The notification by the Business Associate to the Covered Entity shall include: (1) the identification of each individual whose Unsecured PHI was accessed, acquired, used or disclosed during the Breach; and (2) any other available information that the Covered Entity is required to include in its notification to individuals affected by the Breach including, but not limited to, the following: a. 
a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach; b. a description of the types of Unsecured PHI that were involved in the Breach; and c. a brief description of what the Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches. 4.6 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of the Covered Entity, agrees Business Associate agree to the same restrictions restrictions, conditions, and conditions requirements that apply in this Agreement to the Business Associate with respect to such information. 4.7 Within ten (10) days of receiving a request, including but not limited make available PHI in a Designated Record Set to the requirement that such agent or subcontractor implement reasonable and appropriate safeguards Covered Entity as necessary to protect such informationsatisfy the Covered Entity’s obligations under 45 CFR 164.524. 4.8 Within fifteen (e15) The Business Associate agrees days of receiving a request, make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526. 4.9 Maintain and make available to the Covered Entity, within twenty (20) days of receiving a request, the information required to provide an accounting of disclosures to the individual as necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.528. 4.10 Make its internal practices, books, books and records relating to the use and or disclosure of PHI received from or received by the Business Associate on behalf of the Covered Entity available to the Secretary, upon request, Covered Entity or the U. S. 
Secretary of Health and Human Services for purposes of determining the Covered Entity’s compliance with HIPAA, the HITECH Act, the Privacy Rule, or the Security RuleHIPAA Rules. (f) The Business Associate shall maintain sufficient records of its disclosures of PHI to allow 4.11 To the Covered Entity to comply with any and all requests for accounting made pursuant to 45 C.F.R. § 164.528. (g) In the event that an individual makes a request to the Covered Entity for an accounting in accordance with 45 C.F.R. § 164.528 and Section 13405 of the HITECH Act, extent the Business Associate shall, within thirty conducts Standard Transaction(s) (30as defined in the HIPAA Rules) days on behalf of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is required to permit the Covered Entity to properly respond to the request for accounting. In the event that an individual makes a request for an accounting to the Business Associate, the Business Associate shall, within five (5) days of the request, refer the request to the Covered Entity. The Business Associate shall then promptly provide to Covered Entity any information it possesses that is responsive to the request for accounting so that the Covered Entity may provide the requested accounting on behalf of both itself and Business Associate. (h) In the event that an individual makes a request to the Business Associate for amendment of that individual’s PHI under 45 C.F.R. § 164.526, the Business Associate shall, within five (5) days of receiving the request, refer it to the Covered Entity so that the Covered Entity may make the requested amendment on behalf of both itself and the Business Associate. (i) In the event that an individual makes a request to the Business Associate for disclosure of that individual’s PHI under 45 C.F.R. 
§ 164.524, the Business Associate shall, within five (5) days of receiving the request, transmit it to the Covered Entity for review so that the Covered Entity may provide access directly to the requesting Individual on behalf of both itself and the Business Associate. (j) Unless otherwise specifically authorized in writing by the Covered Entity, the Business Associate shall not sell any PHI. (k) The Business Associate shall only request, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose of the request, use, or disclosure. The Business Associate agrees to comply with the Secretary’s guidance issued pursuant to the HITECH Act as to what constitutes “minimum necessary.” (l) If and to the extent that the Business Associate is carrying out an obligation of the Covered Entity under the Privacy Rule or Security Rule, the Business Associate shall comply with the HIPAA Rules, “Administrative Requirements,” 45 C.F.R. Part 162, by the applicable compliance date(s) and shall not: (a) change the definition, data condition or use of a data element or segment in a standard; (b) add any data elements or segments to the maximum defined data set; (c) use any code or data elements that are either marked “not used” in the standard’s implementation specification or are not in the standard’s implementation specification(s); or (d) change the meaning or intent of the standard’s implementation specifications. The Business Associate shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance) under subsection (h) of Title 42 U.S.C. Section 1320d-2. 4.12 To the extent the Business Associate is to carry out one or more of the Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of that obligationsuch obligation(s).

Appears in 1 contract

Samples: Memorandum of Understanding