Common use of Permitted Uses and Disclosures of PHI Clause in Contracts

Permitted Uses and Disclosures of PHI. Business Associate may: 4.1 use and disclose PHI as necessary to provide the Services to Covered Entity. 4.2 use and disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any disclosures are Required by Law or any third party to which Business Associate discloses PHI provides written assurances that: (i) the information will be held confidentially and used or further disclosed only for the purpose for which it was disclosed to the third party or as Required by Law; and (ii) the third party promptly will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached, in accordance with 45 C.F.R. § 164.504(e)(4). 4.3 De-identify any PHI received or created by Business Associate under this BAA in accordance with the Privacy Rule. 4.4 provide Data Aggregation services relating to the Health Care Operations of the Covered Entity in accordance with the Privacy Rule. 4.5 use PHI for Research projects conducted by Business Associate, its Affiliates or third parties, in a manner permitted by the Privacy Rule, by obtaining documentation of individual authorizations, an Institutional Review Board, or a privacy board waiver that meets the requirements of 45 C.F.R. § 164.512(i)(1), and providing Covered Entity with copies of such authorizations or waivers upon request. 4.6 make PHI available for reviews preparatory to Research in accordance with the Privacy Rule at 45 C.F.R. § 164.512(i)(1)(ii). 4.7 use the PHI to create a Limited Data Set (“LDS”) and use or disclose the LDS for the health care operations of the Covered Entity or for Research or Public Health purposes as provided in the Privacy Rule. 4.8 use and disclose PHI for Covered Entity’s health care operations purposes in accordance with the Privacy Rule.

Permitted Uses and Disclosures of PHI. Business Associate may: 4.1 use and disclose PHI as necessary to provide the Services to Covered Entity. 4.2 use and disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any disclosures are Required by Law or any third party to which Business Associate discloses PHI provides written assurances that: (i) the information will be held confidentially and used or further disclosed only for the purpose for which it was disclosed to the third party or as Required by Law; and (ii) the third party promptly will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached, in accordance with 45 C.F.R. § 164.504(e)(4). 4.3 De-identify any PHI received or created by Business Associate under this BAA in accordance with the Privacy Rule. 4.4 provide Data Aggregation services relating to the Health Care Operations of the Covered Entity in accordance with the Privacy Rule. 4.5 use PHI for Research projects conducted by Business Associate, its Affiliates or third parties, in a manner permitted by the Privacy Rule, by obtaining documentation of individual authorizations, an Institutional Review Board, or a privacy board waiver that meets the requirements of 45 C.F.R. § 164.512(i)(1), and providing Covered Entity with copies of such authorizations or waivers upon request. 4.6 make PHI available for reviews preparatory to Research in accordance with the Privacy Rule at 45 C.F.R. § 164.512(i)(1)(ii). 4.7 use the PHI to create a Limited Data Set (“LDS”) and use or disclose the LDS for the health care operations of the Covered Entity or for Research or Public Health purposes as provided in the Privacy Rule. 4.8 use and disclose PHI for Covered Entity’s health care operations purposes in accordance with the Privacy Rule.

Permitted Uses and Disclosures of PHI. Business Associate may: 4.1 use and disclose PHI as necessary to provide the Services to Covered Entity. 4.2 use and disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any disclosures are Required by Law or any third party to which Business Associate discloses PHI provides written assurances that: (i) the information will be held confidentially and used or further disclosed only for the purpose for which it was disclosed to the third party or as Required by Law; and (ii) the third party promptly will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached, in accordance with 45 C.F.R. § 164.504(e)(4). 4.3 De-identify any PHI received or created by Business Associate under this BAA in accordance with the Privacy Rule. 4.4 provide Data Aggregation services relating to the Health Care Operations of the Covered Entity in accordance with the Privacy Rule. 4.5 use PHI for Research projects conducted by Business Associate, its Affiliates or third parties, in a manner permitted by the Privacy Rule, by obtaining documentation of individual authorizations, an Institutional Review Board, or a privacy board waiver that meets the requirements of 45 C.F.R. § 164.512(i)(1), and providing Covered Entity with copies of such authorizations or waivers upon request. 4.6 make PHI available for reviews preparatory to Research in accordance with the Privacy Rule at 45 C.F.R. § 164.512(i)(1)(ii). 4.7 use the PHI to create a Limited Data Set (“LDS”) and use or disclose the LDS for the health care operations of the Covered Entity or for Research or Public Health purposes as provided in the Privacy Rule. 4.8 use and disclose PHI for Covered Entity’s health care operations purposes in accordance with the Privacy Rule.

Permitted Uses and Disclosures of PHI. Unless otherwise limited in this BAA, in addition to any other uses and/or disclosures permitted or required by this BAA, Business Associate may: 4.1 use 1. Make any and disclose all uses and disclosures of PHI as necessary to provide the Services services set forth in the Service Agreement to Covered Entity. 4.2 use 2. Use and disclose to subcontractors and agents the PHI in its possession for the its proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any disclosures are Required by Law or any third party to which Business Associate discloses PHI provides written assurances that: (i) the information will be held confidentially and used or further disclosed only for the purpose for which it was disclosed . 3. Subject to the third party or as Required by Law; and (ii) the third party promptly will notify Business Associate of any instances of which it becomes aware in which the confidentiality provisions of the information has been breachedBAA, in accordance with 45 C.F.R. § 164.504(e)(4). 4.3 Dede-identify any and all PHI received or created by Business Associate under this BAA, which de-identified information shall not be subject to this BAA and may be used and disclosed on Business Associate’s own behalf, all in accordance with the de-identification requirements of the HIPAA Privacy Rule& Security Rules. 4.4 provide 4. Provide Data Aggregation services Services relating to the Health Care Operations of the Covered Entity in accordance with the HIPAA Privacy Rule& Security Rules. 4.5 use PHI for 5. Identify Research projects conducted by Business Associate, its Affiliates or third partiesparties for which PHI may be relevant, in a manner permitted by the Privacy Rule, by obtaining obtain on behalf of Covered Entity documentation of individual authorizations, an authorizations or any Institutional Review Board, Board or a privacy board Privacy Board waiver that meets the requirements of 45 C.F.R. § §164.512(i)(1)) (each an “Authorization” or “Waiver”) related to such projects, and providing provide Covered Entity with copies of such authorizations Authorizations or waivers upon requestWaivers, subject to confidentiality obligations (Required Documentation); and disclose PHI for such research. 4.6 make 6. Make PHI available for reviews preparatory to Research and obtain and maintain written representations in accordance with the Privacy Rule at 45 C.F.R. § §164.512(i)(1)(ii)) that the requested PHI is sought solely as necessary to prepare a Research protocol or for similar purposes preparatory to Research, that the PHI is necessary for the Research, and that no PHI will be removed in the course of the review. 4.7 use 7. Use the PHI to create a Limited Data Set (“LDS”in compliance with 45 C.F.R. §164.514(e) and use or disclose the LDS for the health care operations of the Covered Entity or for Research Research, Health Care Operations or Public Health purposes as provided in the Privacy Rulepurposes. 4.8 use 8. Use PHI to report violations of law to appropriate federal and disclose PHI for Covered Entity’s health care operations purposes in accordance state authorities, consistent with the Privacy Rule45 C.F.R. §164.502(J)(1).

Permitted Uses and Disclosures of PHI. Unless otherwise limited in this BAA, in addition to any other uses and/or disclosures permitted or required by this BAA, Business Associate may: 4.1 use 1. Make any and disclose all uses and disclosures of PHI as necessary to provide the Services set forth in the Underlying Contract to Covered Entity. 4.2 use 2. Use and disclose to subcontractors and agents the PHI in its possession for the its proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any disclosures are Required by Law or any third party to which Business Associate discloses PHI provides written assurances that: (i) the information will be held confidentially and used or further disclosed only for the purpose for which it was disclosed . 3. Subject to the third party or as Required by Law; and (ii) the third party promptly will notify Business Associate confidentiality provisions of any instances of which it becomes aware in which the confidentiality of the information has been breachedthis Agreement, in accordance with 45 C.F.R. § 164.504(e)(4). 4.3 Dede-identify any and all PHI received or created by Business Associate under this BAA Agreement, which de- identified information shall not be subject to this Agreement and may be used an disclosed on Business Associate’s own behalf, all in accordance with the de- identification requirements of the HIPAA Privacy Rule& Security Rules. 4.4 provide 4. Provide Data Aggregation services Services relating to the Health Care Operations of the Covered Entity in accordance with the HIPAA Privacy Rule& Security Rules. 4.5 use PHI for 5. Identify Research projects conducted by Business Associate, its Affiliates or third partiesparties for which PHI may be relevant, in a manner permitted by the Privacy Rule, by obtaining obtain on behalf of Covered Entity documentation of individual authorizations, an authorizations or any Institutional Review Board, Board or a privacy board Privacy Board waiver that meets the requirements of 45 C.F.R. § §164.512(i)(1)) (each an “Authorization” or “Waiver”) related to such projects, and providing provide Covered Entity with copies of such authorizations Authorizations or waivers upon requestWaivers, subject to confidentiality obligations (Required Documentation); and disclose PHI for such research. 4.6 make 6. Make PHI available for reviews preparatory to Research and obtain and maintain written representations in accordance with the Privacy Rule at 45 C.F.R. § §164.512(i)(1)(ii)) that the requested PHI is sought solely as necessary to prepare a Research protocol or for similar purposes preparatory to Research, that the PHI is necessary for the Research, and that no PHI will be removed in the course of the review. 4.7 use 7. Use the PHI to create a Limited Data Set (“LDS”in compliance with 45 C.F.R. §164.514(e) and use or disclose the LDS for the health care operations of the Covered Entity or for Research Research, Health Care Operations or Public Health purposes as provided in the Privacy Rulepurposes. 4.8 use 8. Use PHI to report violations of law to appropriate federal and disclose PHI for Covered Entity’s health care operations purposes in accordance state authorities, consistent with the Privacy Rule45 C.F.R. §164.502(J)(1).

Permitted Uses and Disclosures of PHI. Unless otherwise limited in this BAA, in addition to any other uses and/or disclosures permitted or required by this BAA or the Agreement, Business Associate may: 4.1 use make any and disclose all uses and disclosures of PHI as necessary to provide the Services to Covered Entity. 4.2 use and disclose PHI PHI, if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any the disclosures are Required by Law or any third party to which Business Associate discloses PHI for those purposes provides written assurances in advance that: (i) the information will be held confidentially and used or further disclosed only for the purpose for which it was disclosed to the third party or as Required by Law; and (ii) the third party promptly will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached, in accordance with 45 C.F.R. § 164.504(e)(4). 4.3 De-identify any and all PHI received or created by Business Associate under this BAA, which De-identified information shall not be subject to this BAA and may be used and disclosed on Business Associate’s own behalf, all in accordance with the De- identification requirements of the Privacy Rule. 4.4 provide Data Aggregation services relating to the Health Care Operations of the Covered Entity in accordance with the Privacy Rule. 4.5 use PHI for identify Research projects conducted by Business Associate, its Affiliates or third parties, in a manner permitted by the Privacy Rule, by obtaining parties for which PHI may be relevant; obtain on behalf of Covered Entity documentation of individual authorizations, authorizations or an Institutional Review Board, Board or a privacy board waiver that meets the requirements of 45 C.F.R. § 164.512(i)(1), and providing ) (each an “Authorization” or “Waiver”) related to such projects; provide Covered Entity with copies of such authorizations Authorizations or waivers upon requestWaivers, subject to confidentiality obligations (“Required Documentation”); and disclose PHI for such Research provided that Business Associate does not receive Covered Entity's disapproval in writing within ten (10) days of Covered Entity's receipt of Required Documentation. 4.6 make PHI available for reviews preparatory to Research and obtain and maintain written representations in accordance accord with the Privacy Rule at 45 C.F.R. § 164.512(i)(1)(ii)) that the requested PHI is sought solely as necessary to prepare a Research protocol or for similar purposes preparatory to Research, that the PHI is necessary for the Research, and that no PHI will be removed in the course of the review. 4.7 use the PHI to create a Limited Data Set (“LDS”) in compliance with 45 C.F.R. 164.514(e). 4.8 use and use or disclose the LDS for the health care operations of the Covered Entity or referenced in Section 4.7 solely for Research or Public Health purposes or for the Health Care Operations of the Covered Entity, provided that Business Associate shall: (i) not use or further disclose the information other than as permitted by this Section 4.8 or as otherwise Required by Law; (ii) use appropriate safeguards to prevent use or disclosure of the information other than as provided in for by this Section 4.8; (iii) report to Covered Entity any use or disclosure of the Privacy Ruleinformation not provided for by this Section 4.8 of which Business Associate becomes aware; (iv) ensure that any agents to whom Business Associate provides the LDS agree to the same restrictions and conditions that apply to Business Associate with respect to such information; and (v) not identify the information or contact the Individuals. 4.8 use and disclose PHI for Covered Entity’s health care operations purposes in accordance with the Privacy Rule.

Permitted Uses and Disclosures of PHI. Unless otherwise limited in this Addendum, in addition to any other uses and/or disclosures permitted or required by this Addendum, Business Associate may: 4.1 use make any and disclose all uses and disclosures of PHI as necessary to provide the Services to Covered Entity. 4.2 use and disclose to subcontractors and agents the PHI in its possession for the its proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any disclosures are Required by Law or any third party to which Business Associate Associates discloses PHI for those purposes provides written assurances in advance that: (i) the information will be held confidentially and used or further disclosed only as Required by Law; (ii) the information will be used only for the purpose for which it was disclosed to the third party or as Required by Lawparty; and (iiiii) the third party promptly will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached, in accordance with 45 C.F.R. § 164.504(e)(4).; 4.3 De-identify any and all PHI received or created by Business Associate under this BAA Addendum, which De-identified information shall not be subject to this Addendum and may be used and disclosed on Business Associate’s own behalf, all in accordance with the De-identification requirements of the Privacy Rule.; 4.4 provide Data Aggregation services relating to the Health Care Operations of the Covered Entity in accordance with the Privacy Rule. 4.5 use PHI for identify Research projects conducted by Business Associate, its Affiliates or third parties, in a manner permitted by the Privacy Rule, by obtaining parties for which PHI may be relevant; obtain on behalf of Covered Entity documentation of individual authorizations, authorizations or an Institutional Review Board, Board or a privacy board waiver that meets the requirements of 45 C.F.R. § 164.512(i)(1), and providing ) (each an "Authorization" or "Waiver") related to such projects; provide Covered Entity with copies of such authorizations Authorizations or waivers upon requestWaivers, subject to confidentiality obligations ("Required Documentation"); and disclose PHI for such Research provided that Business Associate does not receive Covered Entity's disapproval in writing within ten (10) days of Covered Entity's receipt of Required Documentation. 4.6 make PHI available for reviews preparatory to Research and obtain and maintain written representations in accordance accord with the Privacy Rule at 45 C.F.R. § 164.512(i)(1)(ii)) that the requested PHI is sought solely as necessary to prepare a Research protocol or for similar purposes preparatory to Research, that the PHI is necessary for the Research, and that no PHI will be removed in the course of the review. 4.7 use the PHI to create a Limited Data Set (“LDS”) and use or disclose the LDS for the health care operations of the Covered Entity or for Research or Public Health purposes as provided in the Privacy Rulecompliance with 45 C.F.R. 164.514(e). 4.8 use and disclose PHI the LDS referenced in Section 4.7 solely for Research or Public Health purposes; provided that, Business Associate shall (1) not use or further disclose the information other than as permitted by this Section 4.8 or as otherwise Required by Law; (2) use appropriate safeguards to prevent use or disclosure of the information other than as provided for by this Section 4.8; (3) report to Covered Entity’s health care operations purposes in accordance Entity any use or disclosure of the information not provided for by this Section 4.8 of which Business Associate becomes aware; (4) ensure that any agents, including a subcontractor, to whom Business Associate provides the LDS agrees to the same restrictions and conditions that apply to Business Associate with respect to such information; and (5) not identify the Privacy Ruleinformation or contact the Individuals.