Common use of Privacy; Confidentiality Clause in Contracts

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Subcontractor understands and shall require that Provider understands understand that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Subcontractor will require that Provider further acknowledge that, in some cases, Provider will have access to information on individuals with whom Provider has no treatment or other relationship. In such cases Provider will abide by all requirements under HIPAA and ensure that the confidentiality of such information is fully maintained. Access to member identifying information shall be limited by Subcontractor and/or Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreementthe Agreement and Subcontract, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Subcontractor and Provider is are responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Subcontractor shall, and shall require Provider shall to notify Subcontractor, Health Plan U nited and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan United and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Subcontractor and/or Provider shall work with Subcontractor, Health Plan United and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan United and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan United and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan United and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify SubcontractorHealth Plan, Health Plan Subcontractor and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide SubcontractorHealth Plan, Health Plan Subcontractor and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with SubcontractorHealth Plan, Health Plan Subcontractor and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Subcontractor understands and shall require that Provider understands understand that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Subcontractor will require that Provider further acknowledge that, in some cases, Provider will have access to information on individuals with whom Provider has no treatment or other relationship. In such cases Provider will abide by all requirements under HIPAA and ensure that the confidentiality of such information is fully maintained. Access to member identifying information shall be limited by Subcontractor and/or Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreementthe Agreement and Subcontract, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Subcontractor and Provider is are responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Subcontractor shall, and shall require Provider shall to notify Subcontractor, Health Plan United and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan United and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Subcontractor and/or Provider shall work with Subcontractor, Health Plan United and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons Customers is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's Customer’s information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160C.F.R. §§ 160.101 et seq., 162162.100 et seq., 164and 164 et seq., as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons Customers in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR C.F.R. §438.224§ 2.1 et seq., 42 CFR Part 2431.300-307, 434.1 et seq., 438.224 and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan and the Department of any breach of confidential information related to Covered Persons Customers within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan United and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member Covered Person identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state State and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan United and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan United and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan United and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with. Provider shall comply with the breach notification rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act including but not limited to 42 CFR §438.230 (c)(2); 45 CFR parts 160 and 164, subparts A and E; and State Contract Sections 5.2.B and 10.5. Provider agrees to ensure confidentiality of family planning services in accordance with the State Contract, except to the extent required by law, including, but not limited to, the Virginia Freedom of Information Act.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's ’s information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("“HIPAA"”), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160C.F.R. §§ 160.101 et seq., 162162.100 et seq., 164and 164 et seq., as applicable and as may be amended from time to timeapplicable, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR C.F.R. §438.224§ 2.1 et seq., 42 CFR Part 2431.300-307, 434.1 et seq., 438.224 and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department DCH and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan United and the Department DOM of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan United and the Department DOM with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan United and the Department DOM to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-104- 191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Provider further acknowledges that, in some cases, it will have access to information on individuals with whom Provider has no treatment or other relationship. In such cases Provider will abide by all requirements under HIPAA and ensure that the confidentiality of such information is fully maintained. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons Customers is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's Customer’s information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160C.F.R. §§ 160.101 et seq., 162162.100 et seq., 164and 164 et seq., as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons Customers in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR C.F.R. §438.224§ 2.1 et seq., 42 CFR Part 2431.300-307, 434.1 et seq., 438.224 and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan United and the Department of any breach of confidential information related to Covered Persons Customers within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan United and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan United and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's Persons’ information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department HCA and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider P r o v i d e r is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal f e d e r a l and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify SubcontractorCarrier, Health Plan Subcontractor and the Department HCA of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide SubcontractorCarrier, Health Plan Subcontractor and the Department HCA with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with SubcontractorCarrier, Health Plan Subcontractor and the Department HCA to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department HCA and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider P r o v i d e r is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal f e d e r a l and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan Carrier and the Department HCA of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan Carrier and the Department HCA with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan Carrier and the Department HCA to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with. Provider shall comply with the breach notification rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act including but not limited to 42 CFR §438.230 (c)(2); 45 CFR parts 160 and 164; and State Contract Sections 2.7 and 7.1.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State District of Columbia Program and shall maintain the confidentiality of Covered Person's information and records as required by the State District of Columbia Contract and in federal and State District of Columbia law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR C.F.R. Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State District of Columbia privacy laws and rules including but not limited to 42 CFR §438.224, C.F.R. § 438.224 and 438.3 (if applicable) and 42 CFR Part C.F.R. Parts 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §C.F.R. § 431.300, et seq. and 45 CFR C.F.R. Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State District of Columbia Medicaid regulations, and some other federal and State District of Columbia laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan Subcontractor and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State District of Columbia laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan Subcontractor and the Department with an investigation report within the time period required by applicable federal and State District of Columbia laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan Subcontractor and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state State and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with. Provider shall comply with the breach notification rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act including but not limited to 42 CFR §438.230 (c)(2); 45 CFR parts 160 and 164; and State Contract Sections 2.7 and 7.1. Provider agrees to ensure confidentiality of family planning services in accordance with the State Contract, except to the extent required by law, including, but not limited to, the Virginia Freedom of Information Act.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan United and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan United and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan United and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan and/or Subcontractor and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan and/or Subcontractor and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan and/or Subcontractor and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Rule and 42 CFR 431, Subpart F. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify SubcontractorSubcontractor and/or Health Plan, Health Plan as applicable, and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide SubcontractorSubcontractor and/or Health Plan, Health Plan and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Subcontractor and/or Health Plan and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- de-identification of protected health information is performed in compliance with the HIPAA Privacy RulePrivacyRule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan United and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan United and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan United and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify Subcontractor, Health Plan United and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide Subcontractor, Health Plan United and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Health Plan United and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.

Privacy; Confidentiality. Provider understands that the use and disclosure of information concerning Covered Persons is restricted to purposes directly connected with the administration of the State Program and shall maintain the confidentiality of Covered Person's information and records as required by the State Contract and in federal and State law including, but not limited to, all applicable privacy, security and Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, and associated implementing regulations, including but not limited to 45 CFR Parts 160, 162, 164, as applicable and as may be amended from time to time, and shall safeguard information about Covered Persons in accordance with applicable federal and State privacy laws and rules including but not limited to 42 CFR §438.224, 42 CFR Part 2, and 42 CFR Part 431, Subpart F; 42 CFR Part 434 and 42 CFR 438.3 438.6 (if applicable), as may be amended from time to time. Access to member identifying information shall be limited by Provider to persons or agencies that require the information in order to perform their duties in accordance with this Agreement, including the U.S. Department of Health and Human Services (HHS), the Department and other individuals or entities as may be required. (See 42 CFR §431.300, et seq. and 45 CFR Parts 160 and 164.) Any other party shall be granted access to confidential information only after complying with the requirements of state and federal laws, including but not limited to HIPAA, and regulations pertaining to such access. Provider is responsible for knowing and understanding the confidentiality laws listed above as well as any other applicable laws. Nothing herein shall prohibit the disclosure of information in summary, statistical or other form that does not identify particular individuals, provided that de- identification of protected health information is performed in compliance with the HIPAA Privacy Rule. Federal and State Medicaid regulations, and some other federal and State laws and regulations, including but not limited to those listed above, are often more stringent than the HIPAA regulations. Provider shall notify SubcontractorSubcontractor and/or Health Plan, Health Plan as applicable, and the Department of any breach of confidential information related to Covered Persons within the time period required by applicable federal and State laws and regulations following actual knowledge of a breach, including any use or disclosure of confidential information, any breach of unsecured PHI, and any Security Incident (as defined in HIPAA regulations) and provide SubcontractorSubcontractor and/or Health Plan, Health Plan and the Department with an investigation report within the time period required by applicable federal and State laws and regulations following the discovery. Provider shall work with Subcontractor, Subcontractor and/or Health Plan and the Department to ensure that the breach has been mitigated and reporting requirements, if any, complied with.