Common use of Privacy Matters Clause in Contracts

Privacy Matters. The Company, CPS and certain of the Company Subsidiaries are considered to be “Covered Entities” and “Business Associates,” as such terms are defined in 45 C.F.R. § 160.103, and are covered by the Health Insurance Portability and Accountability Act of 1996 Administrative Requirements codified at 45 C.F.R. Parts 160 and 162 (the “Transactions Rule”) and the HIPAA Security and Privacy Requirements codified at 45 C.F.R. Parts 160 and 164 (the “Privacy and Security Rules”), each as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively, “HIPAA”). Except as set forth in Section 3.7 of the Company Disclosure Schedule, each of the Company, CPS, and the Company Subsidiaries (i) is currently compliant in all material respects with any and all of the applicable requirements of HIPAA, including all requirements of the Transactions Rule and the Privacy and Security Rules, and (ii) is not subject to, and is not aware of any current or, since December 31, 2007, historic facts or circumstances that could reasonably be expected to give rise to, any material civil or criminal penalty or any investigation, claim or process by the Office of Civil Rights of the United States Department of Health and Human Services or any other governmental agency enforcing HIPAA, or any other third party, except in the case of (i) and (ii) above as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. Except as set forth in Section 3.7 of the Company Disclosure Schedule or as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect, (i) the operation of PathSite by the Company, any Company Subsidiary or CPS is and has at all times been in compliance with HIPAA and (ii) there has been no unauthorized use or disclosure of “Protected Health Information” or “Breach” of “Unsecured Protected Health Information” (as such terms are defined in HIPAA) by the Company, any Company Subsidiary or CPS.

Privacy Matters. The Company, CPS and certain of the Company Subsidiaries are considered to be “Covered Entities” and “Business Associates,” as such terms are defined in 45 C.F.R. § 160.103, and are covered by the Health Insurance Portability and Accountability Act of 1996 Administrative Requirements codified at 45 C.F.R. Parts 160 and 162 (the “Transactions Rule”a) and the HIPAA Security and Privacy Requirements codified at 45 C.F.R. Parts 160 and 164 (the “Privacy and Security Rules”), each as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively, “HIPAA”). Except as set forth in Section 3.7 of the Company Disclosure Schedule, each of the Company, CPS, and the Company Subsidiaries (i) is currently compliant in all material respects with any and all of the applicable requirements of HIPAA, including all requirements of the Transactions Rule and the Privacy and Security Rules, and (ii) is not subject to, and is not aware of any current or, since December 31, 2007, historic facts or circumstances that could reasonably be expected to give rise to, any material civil or criminal penalty or any investigation, claim or process by the Office of Civil Rights of the United States Department of Health and Human Services or any other governmental agency enforcing HIPAA, or any other third party, except in the case of (i) and (ii) above as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. Except as set forth in Section 3.7 of the Company Disclosure Schedule or as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect, and subject to paragraph (c) below, the Company and each of its Subsidiaries complies with and has implemented all such measures required for it to comply with all applicable requirements as a “Covered Entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including the privacy and security regulations (45 C.F.R. Parts 160 and 164) and the transactions and code sets regulations (45 C.F.R. Part 162) (collectively, “HIPAA”), and its obligations as a “Business Associate” of Covered Entity customers (as such capitalized terms are defined in or promulgated under HIPAA). (b) With respect to all requirements imposed on the Company and its Subsidiaries by HIPAA and all contractual commitments required by HIPAA to be imposed upon the Company and its Subsidiaries by Business Associate agreements, including all such requirements and commitments relating to the Company’s and its Subsidiaries’ activities as a “Clearinghouse” (as that term is defined by HIPAA) (collectively, the “HIPAA Commitments”): (i) the operation Company and each of PathSite its Subsidiaries are in compliance with the HIPAA Commitments; (ii) the Company and each of its Subsidiaries have been in material compliance with the applicable privacy standards, security standards, and transactions and code sets standards prescribed by HIPAA since the respective compliance dates, if any, upon which such standards become enforceable against the Company and its respective Subsidiaries as a Clearinghouse; (iii) the transactions contemplated by this Agreement will not violate any of the HIPAA Commitments; (iv) neither the Company nor any of its Subsidiaries has received any written inquiry from the U.S. Department of Health and Human Services or any other Governmental Entity alleging material non-compliance by the Company or a Subsidiary with the HIPAA Commitments; and (v) to the Knowledge of the Company, no complaint has been filed with the U.S. Department of Health and Human Services or any other Governmental Entity regarding the Company’s or a Subsidiary’s compliance with the HIPAA Commitments. (c) The Company Subsidiary and each of its Subsidiaries, to the extent each is a Covered Entity, has either entered into or CPS made reasonable and good faith efforts to enter into valid, written Business Associate agreements with all contractors, agents, vendors, suppliers, and service providers that are Business Associates of the Company or a Subsidiary, respectively. (d) The products offered for sale to customers in connection with the businesses of the Company and the Subsidiaries offer features and functionality that, when used as intended, reasonably supports the compliance of such customers with HIPAA. (e) Except as would not reasonably be expected to have a Company Material Adverse Effect, the Company is and has at all times been in compliance with HIPAA all Laws applicable to Personal Data (“Applicable Privacy Laws”). The Company has not received any written or other notice of, or been charged with, the violation of any Applicable Privacy Law, and (ii) there has been no unauthorized use or disclosure of “Protected Health Information” or “Breach” of “Unsecured Protected Health Information” (as such terms are defined in HIPAA) by to the Company’s Knowledge, no pending investigations of the Company by any Governmental Entity relating to Applicable Privacy Laws, or civil actions against the Company Subsidiary alleging any violation of Applicable Privacy Laws. As used herein “Personal Data” shall mean non-public information relating to an identified or CPSidentifiable natural or legal Person.

Privacy Matters. The Company, CPS and certain of the Company Subsidiaries are considered to be “Covered Entities” and “Business Associates,” as such terms are defined in 45 C.F.R. § 160.103, and are covered by the Health Insurance Portability and Accountability Act of 1996 Administrative Requirements codified at 45 C.F.R. Parts 160 and 162 (the “Transactions Rule”a) and the HIPAA Security and Privacy Requirements codified at 45 C.F.R. Parts 160 and 164 (the “Privacy and Security Rules”), each as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively, “HIPAA”). Except as set forth on Schedule 3.14.11(a), the Acquired Companies have, at all times during the past five years, complied, in Section 3.7 all material respects, with all (i) Privacy Laws, (ii) terms of any Contract by which the Acquired Companies are bound relating to privacy, information security, or Processing of Sensitive Data (including without limitation, data processing agreements, information security schedules, and data transfer agreements), (iii) industry standards relating to privacy or security applicable to the Acquired Companies or with which the Acquired Companies have otherwise agreed to comply or represented their compliance, (iv) Privacy Policies, and (v) the privacy or security-related requirements of any self-regulatory organizations, certifications, or frameworks to which the Acquired Companies belong or with which the Acquired Companies have agreed to comply (collectively, (i)-(v) are the “Privacy Requirements”). (b) Except as set forth on Schedule 3.14.11(b), the Acquired Companies have, at all times during the past five years, provided notice of their privacy and security practices, including as and to the extent required by applicable Privacy Requirements. The Acquired Companies’ privacy and security practices and Processing of Personal Data conform, and at all times have conformed, to all Privacy Policies in all material respects. No disclosure made or contained in any Privacy Policy is, or has been, inaccurate, incomplete, misleading, or deceptive in any way (including by omission), or has violated Privacy Laws. The Acquired Companies have, at all times, posted, provided, or made available, Privacy Policies on the Acquired Companies’ websites, mobile applications, or where otherwise required under, and in a manner that complies with, applicable Privacy Requirements in all material respects. The Acquired Companies have made available to Parent true, correct and complete copies of all such Privacy Policies. (c) The Acquired Companies have contractually obligated all third parties that Process Sensitive Data on the Acquired Companies’ behalf, to (i) comply with Privacy Laws; (ii) Process Sensitive Data only in accordance with the instructions of the Company Disclosure ScheduleAcquired Companies; (iii) take reasonable and appropriate steps to protect and secure Sensitive Data from Security Incidents; and (iv) restrict access to and use of Sensitive Data to those authorized or required to under the servicing, each outsourcing, processing, or similar arrangement. To the Knowledge of the Company, CPS, and the no third parties with access to Sensitive Data or Company Subsidiaries (i) is currently compliant in all material respects IT Systems have failed to comply with any and all of the applicable requirements of HIPAA, including all requirements of the Transactions Rule and the Privacy and Security Rules, and (ii) is not subject to, and is not aware of any current or, since December 31, 2007, historic facts or circumstances that could reasonably be expected to give rise to, such obligations in any material civil or criminal penalty or any investigation, claim or process by the Office of Civil Rights of the United States Department of Health and Human Services or any other governmental agency enforcing HIPAA, or any other third party, except in the case of respect. (id) and (ii) above as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. Except as set forth in Section 3.7 of on Schedule 3.14.11(d), the Company Disclosure Schedule or as would Acquired Companies do not, individually and do not permit any third parties that Process Personal Data on the Acquired Companies’ behalf to, sell, lease, or rent any Personal Data or to use such data for their own marketing or advertising purposes. (e) The Acquired Companies have sufficient rights and authority, including under applicable Privacy Requirements, to permit the use and other Processing of Personal Data by or for the Acquired Companies as currently conducted and as currently contemplated by the Acquired Companies to be conducted, including in connection with the aggregatedevelopment, reasonably be expected to have a Company Material Adverse Effectoffering, and provision of its services. (f) Except as set forth on Schedule 3.14.11(f), the Acquired Companies have: (i) provided adequate notice and obtained any necessary consents as and where required for their Processing of Personal Data under applicable Privacy Requirements, (ii) obtained all applicable permits and licenses, and made all filings with Governmental Authorities, required under Privacy Laws for the operation Processing of PathSite Personal Data as currently conducted and as currently contemplated by the CompanyAcquired Companies to be conducted, and (iii) abided by any Company Subsidiary applicable opt-outs and consents related to Personal Data where required by Privacy Requirements. (g) Neither the execution, delivery, or CPS is performance of this Agreement, the consummation of the Transactions, nor the disclosure or transfer of Sensitive Data to Parent in connection with the Transactions will violate any Privacy Requirements in any material respect, require notice to or consent from any Person, or result in any Order or Contract with any Governmental Authority becoming applicable to Parent. (h) The Acquired Companies are not subject to any Action or Order from any Governmental Authority which restricts, impairs, encumbers, hinders, or imposes requirements in connection with, their Processing of any Personal Data. (i) The Acquired Companies have not transferred any Personal Data across any national borders except in compliance with Privacy Requirements in all material respects. The Acquired Companies are not subject to any Privacy Requirements that require the Acquired Companies to store or maintain any Personal Data in a specific jurisdiction. The Acquired Companies have established, implemented and has at all times been in compliance complied with HIPAA a valid legal basis for the cross-border and onward transfers of Personal Data where required by Privacy Requirements. (iij) there There is not, and has been no unauthorized use or disclosure of “Protected Health Information” or “Breach” of “Unsecured Protected Health Information” (as such terms are defined in HIPAA) by the Companynot been, any Action by any Governmental Authority or other Person relating to the Acquired Companies’ privacy or data security practices, the security of any Company Subsidiary IT Systems or CPSthe Processing of Personal Data by or on behalf of the Acquired Companies.