Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
a. Not use or disclose PHI other than as permitted or required by the Agreement or as Required by Law;
b. Use and maintain appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, including, without limitation, implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI to prevent use or disclosure of PHI other than as provided for by the Agreement. Such safeguards must meet the requirements set forth in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316 and be undertaken in a manner consistent with any guidance issued by the Secretary commencing on the effective date of such guidance. The Business Associate shall document and keep these safeguards current as prescribed by the Security Rule. Upon request by Covered Entity, Business Associate will provide evidence of all such safeguards utilized by Business Associate to safeguard Electronic PHI;
c. Report to Covered Entity the following occurrences relating to PHI (“PHI Incident”), including those PHI Incidents by the Business Associate’s employees, representatives, agents or subcontractors: (i) any access, acquisition, use or disclosure of PHI not provided for by this Agreement, (ii) any breach of unsecured PHI (actual or suspected), and (iii) any security incident of which it becomes aware. Business Associate shall notify Covered Entity by telephone call within twenty-four (24) hours from which Business Associate knows, discovers or by exercising reasonable diligence would have known of or discovered the PHI Incident. Within forty-eight (48) hours of verbal notice, the Business Associate shall provide a full written report of the PHI Incident to the Covered Entity, including, without limitation, (i) the names and contact information of each Individual whose PHI has been or is reasonably believed by the Business Associate to have been accessed, acquired, used or disclosed during the PHI Incident, (ii) a brief description of what happened, including the date of the PHI Incident and the date of discovery of the PHI Incident, if known, (iii) a description of the types of unsecured PHI involved in the PHI Incident, (iv) any steps Individuals should take to protect themselves from potential harm resulting from the PHI Incident, (v) a brief description of what Business Associate is doing to investigate the PHI Incident, to mitigate harm to Individuals and to protect against any further PHI Incidents,
Appears in 3 contracts
Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
F.3.1.1. Not use or disclose PHI other than as permitted or required by this Attachment F or the Purchase Order or as required by law;
F.3.1.2. Implement appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, including, without limitation, implementing administrative, physical, and technical safeguards to prevent the unauthorized Use and Disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Protected Health Information, as required by the HIPAA Regulations. Without limiting the foregoing, Business Associate agrees to comply with the requirements of the HIPAA Rules;
F.3.1.3. Report, in writing, to Covered Entity within five (5) business days any access, acquisition, use or disclosure of PHI not provided for by this Attachment F or the Purchase Order of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR §164.410, and any security incident of which it becomes aware, and cooperate with the Covered Entity in any mitigation or breach reporting efforts. Such notification shall include: (i) the identification of each individual who may be, has been or is reasonably believed by the Business Associate to have been affected by the Breach; (ii) the date of the Breach; (iii) the date of discovery of the Breach; (iv) the scope and nature of the Breach; and (v) any steps Business Associate has taken to mitigate any harmful effects of the Breach and to protect against further Breaches.
In all cases, the information included in Business Associate’s notification shall be in accordance with any regulations and guidance provided by the Secretary of the United States Department of Health and Human Services (“Secretary”);
3.1.3.1. Notwithstanding the above, the Parties recognize and agree that there are and will be a significant number of attempts to, without authorization, access, use, disclose, modify or destroy e-PHI through activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service and any combination of the above (collectively “Unsuccessful Security Incidents”). As long as no such Unsuccessful Security Incident results in unauthorized access, use, disclosure, modification or destruction of electronic PHI or interference with information system operations related to the ePHI, Parties further agree that this subsection 3.1.3.1 satisfies any notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents except on request of Covered Entity. Upon written request from Covered Entity, Business Associate will provide
(a) a log or similar documentation of Unsuccessful Security Incidents for the period of time reasonably specified in Covered Entity’s request and (b) a report that: (i) identifies the categories of Unsuccessful Security Incidents; (ii) indicates whether Business Associate believes its current defensive security measures are adequate to address all Unsuccessful Security Incidents, given the scope and nature of such attempts; and (iii) if the security measures are not adequate, the measures Business Associate will implement to address the security inadequacies.
F.3.1.4. In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree pursuant to a written agreement to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
F.3.1.5. Ensure that any agent or subcontractor to whom the Business Associate provides PHI, as well as Business Associate, not export PHI beyond the borders of the United States of America without explicit written permission from Covered Entity;
F.3.1.6. Within five (5) business days of a request by Covered Entity, make available PHI in a designated record set, if applicable, to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.524;
F.3.1.7. Within five (5) business days, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR
F.3.1.8. As applicable, maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.528.
F.3.1.9. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
F.3.1.10. Make its internal practices, books, and records available to the Secretary and to the Covered Entity for purposes of determining compliance with the HIPAA Rules.
F.3.1.11. Comply with minimum necessary requirements under the HIPAA Rules.
F.3.1.12. Shall not directly or indirectly receive remuneration in exchange for any PHI, except as permitted under the Privacy Rule.
F.3.1.13. Communicate with an Individual by alternative means or at alternative locations
F.3.1.14. Maintain sufficient insurance coverage as shall be necessary to insure Business
F.3.1.15. Conduct annual penetration tests using an independent assessor and complete annual SOC 2 Type 2 assessments covering security controls that Business Associate is responsible for and security controls maintained by Business Associate, on Services provided to Covered Entity. Business Associate shall ensure that third parties who have access to any of Covered Entity’s data and information received under this Attachment F or the Purchase Order, including PHI and ePHI, are included under Business Associate’s annual SOC 2 Type 2 assessment or independently assessed. Business Associate shall ensure that findings from each annual SOC 2 Type 2 assessment and each annual penetration test are addressed within a reasonable timeframe. Upon Covered Entity's request, Business Associate shall provide the results from the assessments referenced above and information security policies and procedures that are relevant to the Services provided to Covered Entity.
Appears in 2 contracts
Samples: Purchase Order Agreement, Purchase Order
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
F.3.1.1. Not use or disclose PHI other than as permitted or required by this Attachment F or the Purchase Order or as required by law;
F.3.1.2. Implement appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, including, without limitation, implementing administrative, physical, and technical safeguards to prevent the unauthorized Use and Disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Protected Health Information, as required by the HIPAA Regulations. Without limiting the foregoing, Business Associate agrees to comply with the requirements of the HIPAA Rules;
F.3.1.3. Report, in writing, to Covered Entity within five (5) business days any access, acquisition, use or disclosure of PHI not provided for by this Attachment F or the Purchase Order of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR §164.410, and any security incident of which it becomes aware, and cooperate with the Covered Entity in any mitigation or breach reporting efforts. Such notification shall include: (i) the identification of each individual who may be, has been or is reasonably believed by the Business Associate to have been affected by the Breach; (ii) the date of the Breach; (iii) the date of discovery of the Breach; (iv) the scope and nature of the Breach; and (v) any steps Business Associate has taken to mitigate any harmful effects of the Breach and to protect against further Breaches.
In all cases, the information included in Business Associate’s notification shall be in accordance with any regulations and guidance provided by the Secretary of the United States Department of Health and Human Services (“Secretary”);
3.1.3.1. Notwithstanding the above, the Parties recognize and agree that there are and will be a significant number of attempts to, without authorization, access, use, disclose, modify or destroy e-PHI through activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service and any combination of the above (collectively “Unsuccessful Security Incidents”). As long as no such Unsuccessful Security Incident results in unauthorized access, use, disclosure, modification or destruction of electronic PHI or interference with information system operations related to the ePHI, Parties further agree that this subsection 3.1.3.1 satisfies any notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents except on request of Covered Entity. Upon written request from Covered Entity, Business Associate will provide
(a) a log or similar documentation of Unsuccessful Security Incidents for the period of time reasonably specified in Covered Entity’s request and (b) a report that: (i) identifies the categories of Unsuccessful Security Incidents; (ii) indicates whether Business Associate believes its current defensive security measures are adequate to address all Unsuccessful Security Incidents, given the scope and nature of such attempts; and (iii) if the security measures are not adequate, the measures Business Associate will implement to address the security inadequacies.
F.3.1.4. In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree pursuant to a written agreement to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
F.3.1.5. Ensure that any agent or subcontractor to whom the Business Associate provides PHI, as well as Business Associate, not export PHI beyond the borders of the United States of America without explicit written permission from Covered Entity;
F.3.1.6. Within five (5) business days of a request by Covered Entity, make available PHI in a designated record set, if applicable, to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.524;
F.3.1.7. Within five (5) business days, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR
F.3.1.8. As applicable, maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.528.
F.3.1.9. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
F.3.1.10. Make its internal practices, books, and records available to the Secretary and to the Covered Entity for purposes of determining compliance with the HIPAA Rules.
F.3.1.11. Comply with minimum necessary requirements under the HIPAA Rules.
F.3.1.12. Shall not directly or indirectly receive remuneration in exchange for any PHI, except as permitted under the Privacy Rule.
F.3.1.13. Communicate with an Individual by alternative means or at alternative locations (e.g. address other than the Individual’s) if so directed by Covered Entity.
F.3.1.14. Maintain sufficient insurance coverage as shall be necessary to insure Business
F.3.1.15. Conduct annual penetration tests using an independent assessor and complete annual SOC 2 Type 2 assessments covering security controls that Business Associate is responsible for and security controls maintained by Business Associate, on Services provided to Covered Entity. Business Associate shall ensure that third parties who have access to any of Covered Entity’s data and information received under this Attachment F or the Purchase Order, including PHI and ePHI, are included under Business Associate’s annual SOC 2 Type 2 assessment or independently assessed. Business Associate shall ensure that findings from each annual SOC 2 Type 2 assessment and each annual penetration test are addressed within a reasonable timeframe. Upon Covered Entity's request, Business Associate shall provide the results from the assessments referenced above and information security policies and procedures that are relevant to the Services provided to Covered Entity.
Appears in 2 contracts
Samples: Purchase Order, Purchase Order
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
a. Not use or disclose PHI other than as permitted or required by the Agreement or as Required by Law;
b. Use and maintain appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, including, without limitation, implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI to prevent use or disclosure of PHI other than as provided for by the Agreement. Such safeguards must meet the requirements set forth in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316 and be undertaken in a manner consistent with any guidance issued by the Secretary commencing on the effective date of such guidance. The Business Associate shall document and keep these safeguards current as prescribed by the Security Rule. Upon request by Covered Entity, Business Associate will provide evidence of all such safeguards utilized by Business Associate to safeguard Electronic PHI;
c. Report to Covered Entity the following occurrences of PHI, including those occurrences by the Business Associate’s employees, representatives, agents or subcontractors: (i) any access, acquisition, use or disclosure of PHI not provided for by this Agreement, (ii) any breach of unsecured PHI (actual or suspected), and (iii) any security incident of which it becomes aware. Business Associate shall notify Covered Entity’s Privacy Officer by telephone call immediately following the first day on which the Business Associate knows or by exercising reasonable diligence would have known of or discovered the occurrence. Within five (5) days of verbal notice, the Business Associate shall provide a full written report of the occurrence to the Covered Entity’s Privacy Officer, including, without limitation, (i) the names and contact information of each Individual whose PHI has been or is reasonably believed by the Business Associate to have been accessed, acquired, used or disclosed during the occurrence, (ii) a brief description of what happened, including the date of the occurrence and the date of discovery of the occurrence, if known, (iii) a description of the types of unsecured PHI involved in the occurrence, (iv) any steps Individuals should take to protect themselves from potential harm resulting from the occurrence, (v) a brief description of what Business Associate is doing to investigate the occurrence, to mitigate harm to Individuals and to protect against any further occurrences, (vi) any other information requested by Covered Entity or deemed relevant by Business Associate. Business Associate shall promptly supplement such notice with additional information as it becomes available.
Notwithstanding the foregoing, the Parties understand that pings and other broadcast scans, unsuccessful log-on attempts, denial of service attacks and any combination of the above shall not be considered a security Incident, so long as no such incident results in the defeat or circumvention of any security control, or in the unauthorized access, use or disclosure of PHI provided by Covered Entity. Business Associate shall provide specific details on any such unsuccessful security incident upon Covered Entity’s request.
Appears in 2 contracts
Samples: Business Associate Agreement, Business Associate Agreement
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
(a) Not use or disclose PHI other than as permitted or required by the Agreement or as required by law;
(b) Use and maintain appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, including, without limitation, implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI to prevent use or disclosure of PHI other than as provided for by the Agreement. Such safeguards must meet the requirements set forth in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316 and be undertaken in a manner consistent with any guidance issued by the Secretary commencing on the effective date of such guidance. The Business Associate shall document and keep these safeguards current as prescribed by the Security Rule. Upon request by Covered Entity, Business Associate will provide evidence of all such safeguards utilized by Business Associate to safeguard Electronic PHI;
(c) Report, in writing, to Covered Entity within five (5) business days any access, acquisition, use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware, and cooperate with the Covered Entity in any mitigation or breach reporting efforts; this notice shall be deemed sufficient if it is delivered to the Parties at their respective addresses listed above and the Privacy Officer using the following contact information:
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
(e) Except as provided in this subsection, ensure that any agent or subcontractor to whom the Business Associate provides PHI, as well as Business Associate, shall not export PHI beyond the borders of the United States of America. If the Business Associate or its agent or subcontractor exports PHI beyond the borders of the United States of America, then, subject to the United States and New York State export control and foreign outsourcing laws, rules and regulations, the Business Associate will provide to Covered Entity prior to such export, a reasonable assurance, evidenced in writing, that the Business Associate, subcontractor, or agent will comply with the privacy and security obligations of Business Associate set forth either in this Agreement or in applicable law, rules and regulations with respect to such PHI.
(f) Agrees to provide the Covered Entity, at the Covered Entity’s request, a list of all agents and subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate.
(g) Within five (5) business days of a request from Covered Entity, make available PHI in a designated record set, if applicable, to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524.
(h) Within five (5) business days of a request from Covered Entity, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526.
(i) As applicable, maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528.
(j) To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
(k) Upon request, may make its internal practices, books, and records available to the Secretary and to the Covered Entity for purposes of determining compliance with the HIPAA Rules.
(l) Comply with minimum necessary requirements under the HIPAA Rules.
Appears in 2 contracts
Samples: Business Associate Agreement, Business Associate Agreement
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
a. 1. Not use or further disclose PHI other than as permitted or required by this Addendum, or the Agreement or as Required by LawUnderlying Agreement;
b. 2. Not, without the prior written consent of Covered Entity, disclose any PHI on the basis that such disclosure is required by law without notifying Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief. If Covered Entity objects to such disclosure, Business Associate shall refrain from disclosing the PHI until Covered Entity has exhausted all alternatives for relief. Business Associate shall require reasonable assurances from persons receiving PHI in accordance with Section II.B.2 hereof that such persons will provide Covered Entity with similar notice and opportunity to object before disclosing PHI on the basis that such disclosure is required by law;
3. Ensure the confidentiality, integrity, and availability of all electronic PHI created, received, maintained, or transmitted;
4. Use reasonable and maintain appropriate safeguards to prevent the unauthorized use or disclosure of PHI other than pursuant to the terms and conditions of this Addendum, and comply with Subpart C of 45 CFR C.F.R. Part 164 with respect to Electronic electronic PHI, including, without limitation, implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI to prevent use or disclosure of PHI other than as provided for by the Agreementthis Addendum;
5. Such Use appropriate administrative, physical and technical safeguards must meet the requirements set forth in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316 and be undertaken in a manner consistent with the HIPAA Security Rule that reasonably and appropriately protect the confidentiality, integrity, and availability of any guidance issued by Electronic PHI in accordance with the Secretary commencing on HIPAA Security Rule and the effective date of such guidanceHITECH Standards;
6. The Business Associate shall document and keep these safeguards current as proscribed by the Security Rule. Upon request by Report promptly, in writing, to Covered Entity, Business Associate will provide evidence but in no event later than within two (2) calendar days of all such safeguards utilized by Business Associate to safeguard Electronic PHI;
c. Report to Covered Entity the following occurrences relating to PHI (“PHI Incident”), including those PHI Incidents by the Business Associate’s employees, representatives, agents or subcontractors: (i) which it becomes aware any access, acquisition, use or disclosure of PHI not provided for by this the Agreement, (ii) any breach including breaches of unsecured PHI (actual or suspected)as required at 45 C.F.R.§164.410, and (iii) any security incident Security Incident of which it becomes aware, and cooperate with the Covered Entity in any mitigation or breach reporting efforts;
7. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any agents, including subcontractors, that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; provided, however, that Business Associate shall notify not disclose or provide access to PHI to any subcontractor or agent without the prior written consent of Covered Entity by telephone call within twenty-four (24) hours from which Business Associate knows, discovers Entity;
8. Ensure that any agent or subcontractor to whom the Business Associate provides PHI, as well as Business Associate, not export PHI beyond the borders of the United States of America;
9. Have procedures in place to mitigate, to the maximum extent practicable, any deleterious effect from any use or disclosure of PHI in violation of this Addendum or applicable law;
10. Have and apply appropriate sanctions against any workforce member, subcontractor or agent who uses or discloses PHI in violation of this Addendum or applicable law;
11. Within five (5) business days’ request of Covered Entity, make available PHI in a designated record set, if applicable, to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524;
12. Within five (5) business days, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526;
13. As applicable, maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528;
14. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s);
15. Upon request, make its internal practices, books, and records available to the Secretary and the Covered Entity for purposes of determining compliance with the HIPAA Rules; and
16. Comply with minimum necessary requirements under the HIPAA Rules.
Samples: Business Associate Addendum
Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
1. Not use or further disclose PHI other than as permitted or required by this Agreement, or the Underlying Agreement(s);
2. Not, without the prior written consent of Covered Entity, disclose any PHI on the basis that such disclosure is required by law without notifying Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief. If Covered Entity objects to such disclosure, Business Associate shall refrain from disclosing the PHI until Covered Entity has exhausted all alternatives for relief. Business Associate shall require reasonable assurances from persons receiving PHI in accordance with Section II.B.2 hereof that such persons will provide Covered Entity with similar notice and opportunity to object before disclosing PHI on the basis that such disclosure is required by law;
3. Ensure the confidentiality, integrity, and availability of all electronic PHI created, received, maintained, or transmitted;
4. Use reasonable and appropriate safeguards to prevent the unauthorized use or disclosure of PHI other than pursuant to the terms and conditions of this Agreement, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, including, without limitation, implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI to prevent use or disclosure of PHI other than as provided for by this Agreement;
5. Use appropriate administrative, physical and technical safeguards consistent with the HIPAA Security Rule that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI in accordance with the HIPAA Security Rule and the HITECH Standards;
6. Report promptly, in writing, to Covered Entity, but in no event later than within two (2) calendar days of which it becomes aware any access, acquisition, use or disclosure of PHI not provided for by the Underlying Agreement(s), including breaches of unsecured PHI as required at 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, and cooperate with the Covered Entity in any mitigation or breach reporting efforts;
7. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any agents, including subcontractors, that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information; provided, however, that Business Associate shall not disclose or provide access to PHI to any subcontractor or agent without the prior written consent of Covered Entity;
8. Ensure that any agent or subcontractor to whom the Business Associate provides PHI, as well as Business Associate, not export PHI beyond the borders of the United States of America;
9. Have procedures in place to mitigate, to the maximum extent practicable, any deleterious effect from any use or disclosure of PHI in violation of this Agreement or applicable law;
10. Have and apply appropriate sanctions against any workforce member, subcontractor or agent who uses or discloses PHI in violation of this Agreement or applicable law;
11. Within five (5) business days’ request of Covered Entity, make available PHI in a designated record set, if applicable, to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524;
12. Within five (5) business days, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526;
13. As applicable, maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528;
14. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s);
15. Upon request, make its internal practices, books, and records available to the Secretary and the Covered Entity for purposes of determining compliance with the HIPAA Rules; and
16. Comply with minimum necessary requirements under the HIPAA Rules.
Samples: Business Associate Agreement