RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 2.1 Responsibilities of the Business Associate. With respect to its use and/or disclosure of Protected Health Information, the Business Associate hereby agrees to do the following:
a. Shall use and disclose the Protected Health Information only in the amount minimally necessary to perform the services of the Contract or under this Agreement, provided that such use or disclosure would not violate the Privacy and Security Regulations if done by the Covered Entity or as required by law.
b. Shall immediately report to the designated privacy officer of the covered entity, in writing, any use and/or disclosure of unsecured Protected Health Information that is not permitted or required by this Agreement or required by law.
c. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of PHI that the Business Associate reports to the Covered Entity.
d. Use appropriate administrative, technical and physical safeguards to maintain the privacy and security of PHI and to prevent uses and/or disclosures of unsecured PHI other than as provided in this Agreement.
e. Require all of its subcontractors and agents that receive or use, or have access to, PHI provided under this Agreement, to agree in writing to adhere to the same restrictions and conditions on the use and/or disclosures of PHI that apply to the Business Associate pursuant to this Agreement.
f. Make available all policies, records, books, agreements, records or procedures relating to the use or disclosure of Protected Health Information to the Secretary of Health & Human Services for purposes of determining the Business Associate’s compliance with the Privacy and Security Regulations.
g. Upon written request, make available during normal working hours at Business Associate’s office all records, books, agreements, policies and procedures relating to the use and disclosure of Protected Health Information to the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement.
h. Upon Covered Entity’s request, Business Associate shall provide to the Covered Entity an accounting of each disclosure of PHI made by the Business Associate or its employees, agents, representatives, or subcontractors. Business Associate shall implement a process that allows for an accounting to be collected and maintained for any disclosure of PHI for which Covered Entity is required to maintain. Business Associate shall include in the accounting: (a) date of the disclosure; (b) the name, and address if known, of the entity or person who received the PHI; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of the disclosure. For each disclosure that requires an accounting under this section, Business Associate shall document the information specified in (a) through (d), and shall securely retain the documentation for six (6) years from the date of the disclosure. To the extent that the Business Associate maintains PHI in an electronic format, Business Associate shall maintain an accounting of disclosures for treatment, payment, and other health care operations purposes for three (3) years from the disclosure. Notwithstanding anything to the contrary, this agreement shall become effective upon either of the following: (a) on or after January 1, 2014, if the Business Associate acquired the electronic record before January 1, 2009; or (b) on or after January 1, 2011 if Business Associate acquired an electronic health record after January 1, 2009, or such later date as determined by the Secretary.
i. Subject to Section 4.5 below, Business Associate shall return to the covered entity or destroy, at the termination of this Agreement, the PHI in its possession and retain no copies, which shall include for the purposes of this Agreement, without limitation, the destruction of all backup tapes.
j. Disclose to its subcontractors, agents, or other third parties, and request from the covered entity, only the minimum PHI necessary to perform or fulfill a specific function required by this Agreement or the Contract or permitted by law.
k. Business Associate agrees to immediately report to the covered entity any security incident involving the attempted or successful unauthorized access, use, disclosure, modification, or destruction of covered entity’s electronic PHI or interference with the systems operations in an information system that involves the covered entity’s electronic PHI. An attempted unauthorized access, for purposes of reporting to the covered entity, means any attempted unauthorized access that prompts Business Associate to investigate the attempt, or review or change its current security measures. The parties acknowledge that the foregoing does not require Business Associate to report attempted unauthorized access that results in Business Associate: (i) investigating solely for the purpose of reviewing and/or noting the attempt, but rather requires notification only when such attempted unauthorized access results in Business Associate conducting a material and full-scale investigation (“Material Attempt”); and (ii) continuously reviewing, updating and modifying its security measures to guard against unauthorized access to its system, but rather requires notification only when a Material Attempt results in significant modifications to the Business Associate’s security measures in order to prevent such Material Attempt in the future.
l. Business Associate agrees to use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information (EPHI) that it creates, receives, maintains or submits on behalf of the covered entity as required by 45 C.F.R. §164.308, §164.310, §164.312, and §164.314.
m. Business Associate agrees that any EPHI it acquires, maintains, receives or transmits will be maintained or transmitted in a manner that fits the definition of secure PHI as that term is defined by the American Recovery and Reinvestment Act of 2009 (“ARRA”) and any subsequent regulations or guidelines from the Secretary of the Department of Health and Human Services (“DHHS”) promulgated under ARRA.
n. Business Associate agrees to ensure that any agency, including subcontractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect it as required by 45 C.F.R. §164.308, §164.310, §164.312 and §164.414.
o. The Business Associate agrees to immediately notify the covered entity of any breach of unsecured PHI. Notice of such breach shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired or disclosed during the breach. Notice shall also include the description of the PHI involved in the breach, description of the factual grounds leading to the breach, and any remedial action taken to address the breach. Business Associate further agrees to make available in a reasonable time and manner any other information needed by covered entity to respond to the individual’s inquiries regarding said breach and to report the breach to the Secretary of the Department of Health and Human Services. Business Associate shall be responsible to notify in writing the individuals affected by the breach as required under HIPAA regulations, but shall have the notice approved before mailing by the covered entity.
p. Business Associate agrees to indemnify the covered entity for the reasonable costs to notify the individuals affected by the breach if the covered entity provides that notice, and for any costs, damages, fines, penalties, including attorney fees, incurred by covered entity as a result of the breach by the Business Associate or its employees, agents or subcontractors, including but not limited to any identity theft related prevention or monitoring costs.
q. Business Associate shall make available PHI in a designated record set to the covered entity or to the individual requesting access to PHI as necessary to satisfy covered entity’s obligations under 45 C.F.R. §164.524. If the information is maintained in an electronic format, the access shall be provided to the individual in the electronic format.
r. Business Associate shall make any amendments to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 C.F.R. §164.526 or take other measures as necessary to satisfy covered entity’s obligations under 45 C.F.R. §164.526.
s. Business Associate, to the extent the business associate is to carry out one or more of the covered entity’s obligations under Subpart E of 45 C.F.R. part 164, shall comply with the requirements found therein which apply to the covered entity’s performance of such obligations.
t. Business Associate agrees to comply with any and all privacy and security provisions not otherwise specified herein made applicable to the Business Associate under the provisions of HIPAA or ARRA.
Appears in 4 contracts
Samples: Medicaid Managed Care Contract, Medicaid Managed Care Contract, Medicaid Managed Care Contract
RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 2.1 Responsibilities of the Business Associate. With regard to its use and/or disclosure of Protected Health Information, the Business Associate hereby agrees to do the following:
a. Shall use and disclose the Protected Health Information only in the amount minimally necessary to perform the services of the Contract, provided that such use or disclosure would not violate the Privacy and Security Regulations if done by the Covered Entity.
b. Shall immediately report to the designated Privacy Officer of the Covered Entity, in writing, any use and/or disclosure of the Protected Health Information that is not permitted or required by this Agreement of which Business Associate.
c. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Protected Health Information that the Business Associate reports to the Covered Entity.
d. Use appropriate administrative, technical and physical safeguards to maintain the privacy and security of the Protected Health Information and to prevent uses and/or disclosures of such Protected Health Information other than as provided for in this Agreement.
e. Require all of its subcontractors and agents that receive or use, or have access to, Protected Health Information under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of Protected Health Information that apply to the Business Associate pursuant to this Agreement.
f. Make available all policies, records, books, agreements, records or procedures relating to the use or disclosure of Protected Health Information to the Secretary of Health & Human Services for purposes of determining the Business Associate’s compliance with the Privacy and Security Regulations.
g. Upon written request, make available during normal working hours at Business Associate’s office all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of Health and Human Services for purposes of determining the Covered Entity’s compliance with the Privacy Regulation. Upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement.
h. Upon Covered Entity’s request, Business Associate shall provide to the Covered Entity an accounting of each Disclosure of PHI made by the Business Associate or its employees, agents, representatives, or subcontractors. Business Associate shall implement a process that allows for an accounting to be collected and maintained for any Disclosure of PHI for which Covered Entity is required to maintain. The information shall be sufficient to satisfy Covered Entity’s obligations under 45 CFR §164.528. Business Associate shall include in the accounting: (a) the date of the Disclosure; (b) the name, and address if known, of the entity or person who received the PHI; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of the Disclosure. For each Disclosure that requires an accounting under this section, Business Associate shall document the information specified in (a) through (d), above, and shall securely retain this documentation for six (6) years from the date of the Disclosure. To the extent that the Business Associate maintains PHI in an electronic health record, Business Associate shall maintain an accounting of Disclosure for treatment, payment, and other health care operations purposes for three (3) years from the date of Disclosure. Notwithstanding anything to the contrary, this requirement shall become effective upon either of the following: (a) on or after January 1, 2014, if the Business Associate acquired the electronic health record before January 1, 2009; or (b) on or after January 1, 2011 if Business Associate acquired an electronic health record after January 1, 2009, or such later date as determined by the Secretary.
i. Subject to Section 5.5 below, Business Associate shall return to the Covered Entity or destroy, at the termination of this Agreement, the Protected Health Information in its possession and retain no copies (which for the purposes of this Agreement shall mean without limitation the destruction of all backup tapes).
j. Disclose to its subcontractors, agents, or other third parties, and request from the Covered Entity, only the minimum Protected Health Information necessary to perform or fulfill a specific function required hereunder.
k. Business Associate agrees to immediately report to the Covered Entity any security incident involving the attempted or successful unauthorized access, use, disclosure, modification, or destruction of Covered Entity’s electronic Protected Health Information or interference with the systems operations in an information system that involves the Covered Entity’s electronic Protected Health Information. An attempted unauthorized access, for purposes of reporting to the Covered Entity, means any attempted unauthorized access that prompts Business Associate to investigate the attempt, or review or change its current security measures. The parties acknowledge that the foregoing does not require Business Associate to report attempted unauthorized access that results in Business Associate: (i) investigating but merely reviewing and/or noting the attempt, but rather requires notification only when such attempted unauthorized access results in Business Associate conducting a material and full-scale investigation (a “Material Attempt”); and (ii) continuously reviewing, updating and modifying its security measures to guard against unauthorized access to its systems, but rather requires notification only when a Material Attempt results in significant modifications to the Business Associate’s security measures in order to prevent such Material Attempt in the future.
l. Business Associate agrees to use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information (EPHI) that it creates, receives, maintains, or transmits on behalf of the covered entity as required by Subpart C of 45 CFR.
m. Business Associate agrees that any EPHI it acquires, maintains or transmits will be maintained or transmitted in a manner that fits the definition of secure PHI as that term is defined by the American Recovery and Reinvestment Act of 2009 (“ARRA”) and any subsequent regulations or guidance from the Secretary of the Department of Health and Human Services (“DHHS”) promulgated under ARRA.
n. Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits protected health information on behalf of the business associate agrees to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information, in accordance with 45 CFR 164.502(e)(1)(ii) and 45 CFR § 164.308(b)(2).
o. Business Associate agrees to immediately notify the Covered Entity of any breach of unsecure PHI as that term is defined in the ARRA and any subsequent regulations and/or guidance from the Secretary of DHHS. Notice of such a breach shall include the identification of each individual whose protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during the breach. Notice shall also include the description of the PHI involved in the breach, description of the factual grounds leading to the breach, and any remedial action taken to address such breach. Business Associate further agrees to make available in a reasonable time and manner any other information needed by Covered Entity to respond to the individuals’ inquiries regarding said breach. Business Associate agrees to report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware.
p. Business Associate agrees to indemnify the Covered Entity for the reasonable cost to notify the individuals whose information was the subject of the breach if the covered entity provides that notice, and for any cost or damages, including attorney fees or fines, incurred by Covered Entity as a result of the breach by the Business Associate, including but not limited to any identity theft related prevention or monitoring costs.
q. Business Associate shall make available PHI in a designated record set to the covered entity or to the individual requesting access to PHI as necessary to satisfy covered entity’s obligations under 45 C.F.R. §164.524. If the information is maintained in an electronic format, the access shall be provided to the individual in the electronic format.
r. Business Associate shall make any amendments to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 C.F.R. §164.526 or take other measures as necessary to satisfy covered entity’s obligations under 45 C.F.R. §164.526.
s. Business Associate, to the extent the business associate is to carry out one or more of the covered entity’s obligations under Subpart E of 45 C.F.R. part 164 shall comply with the requirements found therein which apply to the covered entity’s performance of such obligations.
t. Business Associate agrees to comply with any and all privacy and security provisions not specifically addressed in the Contract made applicable to the Business Associate by the ARRA on the applicable effective date as designated by ARRA and any subsequent regulations promulgated under ARRA and/or guidance thereto. Business Associate agrees to make uses and disclosures and requests for protected health information consistent with the covered entity’s minimum necessary policies and procedures.
Appears in 3 contracts
Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 3.1 Responsibilities of the Business Associate. With regard to its PHI obtained from Covered Entity, Business Associate agrees as follows:
(a) Business Associate will use and/or disclose the PHI only as permitted by this Agreement or as Required by Law, whichever the more restrictive.
(b) Business Associate will use appropriate safeguards to maintain the security of PHI to prevent unauthorized use or disclosure of PHI, which will in no event be any less than the means which Business Associate uses to protect its own confidential information.
(c) Business Associate will report to Covered Entity any use or disclosure of PHI of which Business Associate becomes aware that is not permitted by this Agreement. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known or suspected by Business Associate resulting from a use or disclosure of PHI by Business Associate or its agents in violation of this Agreement.
(d) Relative to PHI received from Covered Entity or created by Business Associate on behalf of Covered Entity, Business Associate agrees to ensure that the same restrictions and conditions that apply to it in this Agreement shall be applicable to any of its agents, including a subcontractor, to whom Business Associate provides and/or makes accessible PHI.
(e) At the request of Covered Entity, Business Associate agrees to provide Covered Entity and the Secretary of Health & Human Services access to PHI in a Designated Record Set as well as Business Associate’s internal practices, books and records relating to the use and disclosure of PHI in order to determine the Business Associate’s compliance with the terms of HIPAA and this Agreement.
(f) Beginning upon the compliance date established by HIPAA and in accordance therewith, Business Associate will provide to Covered Entity such information in Business Associate’s possession as is reasonably requested by Covered Entity and necessary to enable Covered Entity to respond to a request by an individual for an accounting of the use and/or disclosures of PHI.
(g) Should Business Associate have a legal obligation to disclose PHI, it will notify Covered Entity as soon as reasonably practical after it learns of such obligation, in order to allow Covered Entity sufficient opportunity to take any action necessary to protect the Covered Entity’s interest in connection with such disclosure. If Covered Entity objects to the release of such PHI, Business Associate will cooperate and agrees to provide assistance, as necessary and at Covered Entity’s expense, in connection with Covered Entity’s objection to such disclosure.
(h) Business Associate agrees to document and keep a record of PHI disclosures and information related to such disclosures to enable Covered Entity to respond to a request by an individual for an accounting of PHI disclosures.
RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 2.1 Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
a. Shall use and/or disclose the PHI only in the amount minimally necessary as permitted or required by this Agreement or as otherwise required by law.
b. Shall immediately report to the Privacy Officer and/or Security Officer of the Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware within 30 days of the Business Associate’s discovery of such unauthorized use and/or disclosure.
c. use commercially reasonable efforts to maintain the security of the PHI and to prevent unauthorized use and/or disclosure of such Protected Health Information.
d. require all of its subcontractors and agents that receive or use, or have access to, PHI provided under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to section 2 of this Agreement.
e. make available during normal working hours at Business Associate’s office all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy and/or Security Regulation, subject to attorney-client and other applicable legal privileges.
f. upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity within 30 days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement.
g. within 30 days of receiving a written request from the Covered Entity, Business Associate shall provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's Protected Health Information in accordance with 45 C.F.R. § 164.528.
h. subject to Section 3.4 below, Business Associate shall return to the Covered Entity or destroy, within 30 days of the termination of this Agreement, the Protected Health Information in its possession and retain no copies. This includes, but is not limited to; all media, media backups, files (i.e. sound or .wav files) and/or paper which contains PHI.
RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 2.1 Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
a. Shall use and/or disclose the PHI only in the amount minimally necessary as permitted or required by this Agreement or as otherwise required by law.
b. Shall immediately report to the Privacy Officer and/or Security Officer of the Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware within days of the Business Associate’s discovery of such unauthorized use and/or disclosure.
c. establish procedures for a mutual satisfactory resolution, to the greatest extent possible, regarding any deleterious effects from any improper use and/or disclosure of PHI that the Business Associate reports to the Covered Entity.
d. use commercially reasonable efforts to maintain the privacy and security of the PHI and to prevent unauthorized use and/or disclosure of such Protected Health Information.
e. require all of its subcontractors and agents that receive or use, or have access to, PHI provided under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to section 2 of this Agreement.
f. Upon written request, make available during normal working hours at Business Associate’s office all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy and/or Security Regulation, subject to attorney-client and other applicable legal privileges.
g. upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity within days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement.
h. within days of receiving a written request from the Covered Entity, Business Associate shall provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's Protected Health Information in accordance with 45 C.F.R. § 164.528.
i. subject to Section 4.5 below, Business Associate shall return to the Covered Entity or destroy, within days of the termination of this Agreement, the Protected Health Information in its possession and retain no copies. This includes, but is not limited to; all media, media backups, files (i.e. sound or .wav files) and/or paper which contains PHI.
RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 2.1 Responsibilities of the Business Associate. With respect regard to its use and/or disclosure of Protected Health InformationInformation provided to it by the Covered Entity, or received by it on behalf of the Covered Entity, the Business Associate hereby agrees to do the following:--
a. Shall to use and disclose the Protected Health Information only in the amount minimally necessary to perform the services of the Contract or under as permitted by this Business Associate Agreement, provided that such use by a Service Agreement, or disclosure would not violate the Privacy and Security Regulations if done by the Covered Entity or as required by law.;
b. Shall immediately to exercise reasonable diligence to discover and report to the designated privacy officer of the covered entityCovered Entity, in writing, any use and/or disclosure of unsecured the Protected Health Information or Electronic Protected Health Information that is not permitted by this Business Associate Agreement or that may constitute a “breach” (as defined by HITECH) within two business days of the Business Associate's discovery of such unauthorized use or disclosure. The Business Associate should not delay notice to the Covered Entity to gather information, but should, if necessary, provide the Covered Entity with immediately known information and supplement the information as additional information is gathered. The information to be reported to the Covered Entity’s privacy officer includes, to the extent possible: a brief description of what happened, including the date of the potential breach and its discovery; the identity of each individual whose unsecured Protected Health Information or Electronic Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed; a description of the Protected Health Information that may have been breached; and any other available information that may be useful or necessary for sending the notifications required by this Agreement HITECH or state law to those potentially affected. The information will be provided to the privacy officer even if it becomes available after HITECH or state law required by law.notifications have been sent to affected individuals or after the applicable notice period has elapsed;
c. Establish to establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or or disclosure of PHI that the Business Associate reports to the Covered Entity.Protected Health Information;
d. Use appropriate administrative, technical and physical safeguards to use commercially reasonable efforts to maintain the privacy and security of PHI the Protected Health Information and to prevent uses and/or disclosures of unsecured PHI other than as provided in this Agreement.its unauthorized use or disclosure;
e. Require all of its subcontractors and agents that receive if a breach occurs, to work with the Covered Entity to determine which party is in the best position to provide required notices to affected individuals;
f. if it allows any subcontractor or agent to use, or have access to, PHI provided under this Agreementthe Protected Health Information, to agree require the subcontractor or agent to agree, in writing writing, to adhere to abide by the same restrictions and conditions on requirements regarding the use and/or disclosures of PHI that Protected Health Information as apply to the Business Associate pursuant itself, including not but limited to, implementing reasonable and appropriate safeguards to this Agreement.protect Electronic Protected Health Information, if applicable; g. to comply with 45 C.F.R. § 164.530(b), (d), (e), (g), (h), (i) and (j) by, among other things: designating a privacy official who is responsible for the development and implementation of policies and procedures regarding the privacy and security of Protected Health Information and Electronic Protected Health Information and for receiving complaints connected thereto; developing and adopting such policies and procedures; training all members of its workforce on the policies and procedures as necessary to carry out their functions; and applying appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures;
f. Make h. to make available all policies, records, books, agreements, records or policies, and procedures relating to the use or disclosure of Protected Health Information to the Secretary of the U.S. Department of Health & and Human Services for purposes of determining (the “Secretary”), in the time and manner designated by the Secretary, to enable the Secretary to determine whether the Covered Entity and the Business Associates’ compliance Associate have complied with all applicable law relating to the Privacy privacy and Security Regulations.security of Protected Health Information, subject to attorney-client and other applicable legal privileges;
g. Upon written requesti. if the Covered Entity so requests in writing, to make available to the Covered Entity within 10 days, during normal working business hours at the Business Associate’s office 's offices, all records, books, agreements, policies policies, and procedures relating to the use and or disclosure of Protected Health Information Information, to enable the Covered Entity to determine whether the Business Associate’s compliance Associate has complied with the terms of this Business Associate Agreement.;
h. Upon j. within five days of receiving a written request from the Covered Entity’s request, Business Associate shall to provide to the Covered Entity such information the Covered Entity may need to respond to a request by an individual for an accounting of each disclosure the disclosures of PHI the individual's Protected Health Information in accordance with 45 C.F.R. § 164.528; if the Business Associate is acting on behalf of the Covered Entity with respect to Electronic Protected Health Information, the Business Associate shall provide an accounting of disclosures made by the Business Associate or its employeesAssociate, agentsas may be required of business associates by the HITECH Act, representatives, or subcontractors. Business Associate shall implement upon a process that allows for request made by an accounting individual directly to be collected and maintained for any disclosure of PHI for which Covered Entity is required to maintain. Business Associate shall include in the accounting:
(a) date of the disclosure; (b) the name, and address if known, of the entity or person who received the PHI; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of the disclosure. For each disclosure that requires an accounting under this section, Business Associate shall document the information specified in (a) through (d), and shall securely retain the documentation for six (6) years from the date of the disclosure. To the extent that the Business Associate maintains PHI in an electronic format, Business Associate shall maintain an accounting of disclosures for treatment, payment, and other health care operations purposes for three (3) years from the disclosure. Notwithstanding anything to the contrary, this agreement shall become effective upon either of the following: (a) on or after January 1, 2014, if the Business Associate acquired the electronic record before January 1, 2009; or (b) on or after January 1, 2011 if Business Associate acquired an electronic health record after January 1, 2009, or such later date as determined by the SecretaryAssociate.
i. Subject k. subject to Section 4.5 3.3 below, Business Associate shall to return to the covered entity Covered Entity or to destroy, at within 180 days of the termination of this Business Associate Agreement, the PHI all Protected Health Information in its possession and retain no copies which shall include for the purposes of this Agreement without limitations the destruction of (including all backup tapes.) and not to retain any copies of such information;
j. Disclose l. to disclose to its subcontractors, agents, or and other third parties, and request from the covered entity, parties only the minimum PHI Protected Health Information necessary to perform or fulfill for the performance of a specific function required by this referred to in the Services Agreement or the Contract or permitted by law.
k. this Business Associate agrees to immediately report to the covered entity any security incident involving the attempted or successful unauthorized access, use, disclosure, modification, or destruction of covered entity’s electronic PHI or interference with the systems operations in an information system that involves the covered entity’s electronic PHI. An attempt unauthorized access, for purposes of reporting to the covered entity, means any attempted unauthorized access that prompts Business Associate to investigate the attempt, or review or change its current security measures. The parties acknowledge that the foregoing does not require Business Associate to report attempted unauthorized access that results in Business Associate: (i) investigating solely for the purposed of reviewing and or noting the attempt, but rather requires notification only when such attempted unauthorized access results in Business Associate conducting a material and full-scale investigation (“Material Attempt”)Agreement; and (ii) continuously reviewing, updating and modifying its security measures to guard against unauthorized access to its system, but rather requires notification only when a Material Attempt results in significant modifications to the Business Associate’s security measures in order to prevent such Material Attempt in the future.
l. Business Associate agrees to use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information (EPHI) that it creates, receives, maintains or submits on behalf of the covered entity as required by 45 C.F.R. §164.308, §164.310, §164.312, and § 164.314.and
m. Business Associate agrees that any EPHI it acquires, maintains, receives or transmits will be maintained or transmitted in a manner that fits the definition of secure PHI as that term is defined by the American Recovery and Reinvestment Act of 2009 (“ARRA”) and any subsequent regulations or guidelines from the Secretary of the Department of Health and Human Services (“DHHS”) promulgated under ARRA.
n. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect it as required by 45 C.F.R. §164.308, §164.310, §164.312 and §164.414.
o. The Business Associate agrees to immediately notify the covered entity of any breach of unsecured PHI. Notice of such breach shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired or disclosed during the breach. Notice shall also include a description of the PHI involved in the breach, a description of the factual grounds leading to the breach, and any remedial action taken to address the breach. Business Associate further agrees to make available in a reasonable time and manner any other information needed by the covered entity to respond to individuals’ inquiries regarding said breach and to report the breach to the Secretary of the Department of Health and Human Services. Business Associate shall be responsible to notify in writing the individuals affected by the breach as required under HIPAA regulations, but shall have the notice approved by the covered entity before mailing.
p. Business Associate agrees to indemnify the covered entity for the reasonable costs to notify the individuals affected by the breach if the covered entity provides that notice, and for any costs, damages, fines, penalties, including attorney fees, incurred by covered entity as a result of the breach by the Business Associate or its employees, agents or subcontractors, including but not limited to any identity theft related prevention or monitoring costs.
q. Business Associate shall make available PHI in a designated record set to the covered entity or to the individual requesting access to PHI as necessary to satisfy covered entity’s obligations under 45 C.F.R. §164.524. If the information is maintained in an electronic format, the access shall be provided to the individual in the electronic format.
r. Business Associate shall make any amendments to Protected Health Information that the Covered Entity directs pursuant to 45 C.F.R. § 164.526, and make such changes in the time and manner designated by Covered Entity.
s. Business Associate, to the extent it is to carry out one or more of the covered entity’s obligations under Subpart E of 45 C.F.R. Part 164, shall comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligations.
t. Business Associate agrees to comply with any and all privacy and security provisions not otherwise specified herein made applicable to the Business Associate under the provisions of HIPAA or ARRA.
Samples: Business Associate Agreement
RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 2.1 Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
a. use and/or disclose the PHI only as permitted or required by this BAA or as otherwise required by law;
b. report to the Privacy Officer and/or Security Officer of the Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this BAA of which Business Associate becomes aware, including breaches of unsecured PHI and any security incident of which it becomes aware, within five (5) days of the Business Associate’s discovery of such unauthorized use and/or disclosure. To the extent possible, the Business Associate should provide the Covered Entity with the identification of each individual affected by the breach as well as any information required to be provided by the Covered Entity in its notification to affected individuals. Business Associate shall comply with all regulations issued by HHS and applicable state agencies regarding breach notification to Covered Entities. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528;
c. establish procedures for a mutually satisfactory resolution regarding any deleterious effects from any improper use and/or disclosure of PHI that the Business Associate reports to the Covered Entity;
d. use commercially reasonable efforts to maintain the privacy and security of the PHI and to prevent unauthorized use and/or disclosure of such PHI;
e. require all of its subcontractors and agents that receive or use, or have access to, PHI provided under this BAA to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to section 2 of this BAA, as well as to have the subcontractors and agents require of their subcontractors and agents who receive, use, or have access to PHI the same restrictions and conditions as agreed to by them with the Business Associate;
f. make all internal practices, books, agreements, policies, procedures and PHI relating to the use and/or disclosure of PHI received from, or created or received by Business Associate, on behalf of Covered Entity, available to Covered Entity or to the Secretary of HHS in a prompt and commercially reasonable manner for purposes of determining (i) the Business Associate’s compliance with the terms of this BAA and (ii) compliance by the Business Associate and the Covered Entity with all applicable statutory provisions and regulations of and under HIPAA and the HITECH Act, subject to attorney-client and other applicable legal privileges;
g. within ten (10) days of receiving a written request from the Covered Entity, provide to the Covered Entity or Individual such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of disclosures of the individual's PHI in accordance with 45 C.F.R. § 164.528;
h. subject to Section 4.5 below, return to the Covered Entity or destroy, within days of the termination of this BAA, the PHI in its possession and retain no copies. This includes, but is not limited to, all media, media backups, and any other files (i.e. sound or .wav files) and/or paper which contain PHI;
i. with respect to PHI and/or Electronic Protected Health Information (“EPHI”) as that term is used in 45 CFR, Part 164, Subpart C, implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity and ensure that any agent, including a sub-contractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect EPHI;
j. at the request of the Covered Entity, provide the Covered Entity (or any designate of the Covered Entity) access to PHI in a Designated Record Set in a prompt and commercially reasonable manner in order to meet the requirements under 45 CFR § 164.524; and
k. make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees pursuant to 45 CFR § 164.526 at the request of the Covered Entity or an Individual in a prompt and commercially reasonable manner.
Samples: Business Associate Agreement
RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 2.1 Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
a. use and/or disclose the PHI only as permitted or required by this BAC or as otherwise required by law.
b. report to the Privacy Officer and/or Security Officer of the Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this BAC of which Business Associate becomes aware within five (5) days of the Business Associate’s discovery of such unauthorized use and/or disclosure. To the extent possible, the Business Associate should provide the Covered Entity with the identification of each individual affected by the breach as well as any information required to be provided by the Covered Entity in its notification to affected individuals. Business Associate shall comply with all regulations issued by HHS and applicable state agencies regarding breach notification to Covered Entities. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
c. establish procedures for a mutually satisfactory resolution regarding any deleterious effects from any improper use and/or disclosure of PHI that the Business Associate reports to the Covered Entity.
d. use commercially reasonable efforts to maintain the privacy and security of the PHI and to prevent unauthorized use and/or disclosure of such PHI.
e. require all of its subcontractors and agents that receive or use, or have access to, PHI provided under this BAC to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to section 2 of this BAC.
f. make all internal practices, books, agreements, policies, procedures and PHI relating to the use and/or disclosure of PHI received from, or created or received by Business Associate, on behalf of Covered Entity, available to Covered Entity or to the Secretary of HHS in a prompt and commercially reasonable manner for purposes of determining (i) the Business Associate’s compliance with the terms of this BAC and (ii) compliance by the Business Associate and the Covered Entity with all applicable statutory provisions and regulations of and under HIPAA and the HITECH Act, subject to attorney-client and other applicable legal privileges.
g. Within ten (10) days of receiving a written request from the Covered Entity, provide to the Covered Entity or Individual such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of disclosures of the individual's PHI in accordance with 45 C.F.R. § 164.528.
h. subject to Section 4.5 below, return to the Covered Entity or destroy, within fifteen (15) days of the termination of this BAC, the PHI in its possession and retain no copies. This includes, but is not limited to, all media, media backups, and any other files (i.e. sound or .wav files) and/or paper which contain PHI.
i. with respect to PHI and/or Electronic Protected Health Information (“EPHI”) as that term is used in 45 CFR, Part 164, Subpart C, implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity and ensure that any agent, including a sub-contractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect EPHI.
j. at the request of the Covered Entity, provide Covered Entity (or designate of the Covered Entity) access to PHI in a Designated Record Set in a prompt and commercially reasonable manner in order to meet the requirements under 45 CFR § 164.524. If the information is maintained in an electronic format, the access shall be provided to the individual in the electronic format.
k. make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees pursuant to 45 CFR § 164.526 at the request of the Covered Entity or an Individual in a prompt and commercially reasonable manner.
Samples: Business Associate Contract
RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 3.1. Responsibilities of the Business Associate. With regard to its use and/or disclosure of Protected Health Information that is received from the Clinic, the Business Associate hereby agrees to do the following:
a. Use and/or disclose such Protected Health Information only as permitted or required by this Agreement or as otherwise required by law;
b. Use commercially reasonable efforts to maintain the security of such Protected Health Information and to prevent unauthorized use and/or disclosure of such Protected Health Information (an “Improper Use or Disclosure”);
c. Report to the designated Privacy Official of the Clinic, in writing, any Improper Use or Disclosure of which Business Associate becomes aware within ten (10) days of the Business Associate’s discovery of such Improper Use or Disclosure;
d. Establish procedures for mitigating, to the greatest extent possible, any harmful effects from any Improper Use or Disclosure that the Business Associate reports to the Clinic;
e. Require all of its subcontractors and agents that receive, use, or have access to such Protected Health Information to agree in writing to adhere to the same restrictions and conditions on the use and/or disclosure of such Protected Health Information that apply to the Business Associate;
f. Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of such Protected Health Information, subject to applicable legal privileges, to the Secretary of Health and Human Services (“HHS”) for purposes of determining the Clinic’s compliance with the Privacy Regulation;
g. Within thirty (30) days after receiving a written request from the Clinic, Business Associate shall provide to the Clinic such information as is necessary to permit the Facility to respond to a request by an individual for an accounting of disclosures of the individual's Protected Health Information in accordance with 45 C.F.R. §164.528;
h. If the Business Associate maintains Protected Health Information that constitutes a Designated Record Set, within thirty (30) days after receiving a written request from the Clinic, make available Protected Health Information as is necessary for the Clinic to respond to a request for access to Protected Health Information that is not maintained by the Clinic under 45 C.F.R. §164.524;
i. If the Business Associate acquired maintains Protected Health Information that constitutes a Designated Record Set, within thirty (30) days after receiving a written request from the electronic record before January 1, 2009; or (bClinic make any amendment(s) on or after January 1, 2011 if Business Associate acquired an electronic health record after January 1, 2009, or such later date as determined by to the Secretary.Protected Health Information that the Clinic directs pursuant to 45 C.F.R. §164.526;
i. j. Subject to Section 4.5 4.3 below, Business Associate shall return to the covered entity Clinic or destroy, at within thirty (30) days of the termination of this Agreement, the PHI Protected Health Information that is received from, or created or received on behalf of, the Facility then in its possession and retain no copies (which shall include for the purposes of this Agreement without limitations the destruction of shall mean destroy all backup tapes.); and
j. k. Disclose to its subcontractors, agents, agents or other third parties, and request from the covered entityClinic, only the minimum PHI Protected Health Information that is received from, or created or received on behalf of, the Clinic as necessary to perform or fulfill a specific function required by this Agreement or the Contract or permitted by lawhereunder.
k. Business Associate agrees to immediately report to the covered entity any security incident involving the attempted or successful unauthorized access, use, disclosure, modification, or destruction of covered entity’s electronic PHI or interference with the systems operations in an information system that involves the covered entity’s electronic PHI. An attempted unauthorized access, for purposes of reporting to the covered entity, means any attempted unauthorized access that prompts Business Associate to investigate the attempt, or review or change its current security measures. The parties acknowledge that the foregoing does not require Business Associate to report attempted unauthorized access that results in Business Associate: (i) investigating solely for the purpose of reviewing and/or noting the attempt, but rather requires notification only when such attempted unauthorized access results in Business Associate conducting a material and full-scale investigation (“Material Attempt”); and (ii) continuously reviewing, updating and modifying its security measures to guard against unauthorized access to its system, but rather requires notification only when a Material Attempt results in significant modifications to the Business Associate’s security measures in order to prevent such Material Attempt in the future.
l. Business Associate agrees to use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information (EPHI) that it creates, receives, maintains or submits on behalf of the covered entity as required by 45 C.F.R. §164.308, §164.310, §164.312, and § 164.314.
m. Business Associate agrees that any EPHI it acquires, maintains, receives or transmits will be maintained or transmitted in a manner that fits the definition of secure PHI as that term is defined by the American Recovery and Reinvestment Act of 2009 (“ARRA”) and any subsequent regulations or guidelines from the Secretary of the Department of Health and Human Services (“DHHS”) promulgated under ARRA.
n. Business Associate agrees to ensure that any agency, including subcontractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect it as required by 45 C.F.R. §164.308, §164.310, §164.312 and §164.414.
o. The Business Associate agrees to immediately notify the covered entity of any breach of unsecured PHI. Notice of such breach shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired or disclosed during the breach. Notice shall also include the description of the PHI involved in the breach, description of the factual grounds leading to the breach, and any remedial action taken to address the breach. Business Associate further agrees to make available in a reasonable time and manner any other information needed by covered entity to respond to the individual’s inquiries regarding said breach and to report the breach to the Secretary of the Department of Health and Human Services. Business Associate shall be responsible to notify in writing the individuals affected by the breach as required under HIPAA regulations, but shall have the notice approved before mailing by the covered entity.
p. Business Associate agrees to indemnify the covered entity for the reasonable costs to notify the individuals affected by the breach if the covered entity provides that notice, and for any costs, damages, fines, penalties, including attorney fees, incurred by covered entity as a result of the breach by the Business Associate or its employees, agents or subcontractors, including but not limited to any identity theft related prevention or monitoring costs.
q. Business Associate shall make available PHI in a designated record set to the covered entity or to the individual requesting access to PHI as necessary to satisfy covered entity’s obligations under 45 C.F.R. §164.524. If the information is maintained in an electronic format, the access shall be provided to the individual in the electronic format.
r. Business Associate shall make any amendments to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 C.F.R. §164.526 or take other measures as necessary to satisfy covered entity’s obligations under 45 C.F.R. §164.526.
s. Business Associate, to the extent the business associate is to carry out one or more of the covered entity’s obligations under Subpart E of 45 C.F.R. part 164, shall comply with the requirements found therein which apply to the covered entity’s performance of such obligations.
t. Business Associate agrees to comply with any and all privacy and security provisions not otherwise specified herein made applicable to the Business Associate under the provisions of HIPAA or ARRA.
Samples: Business Associate Agreement
RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 2.1 Responsibilities of the Business Associate. With respect regard to its use and/or disclosure of Protected Health InformationPHI, the Business Associate hereby agrees to do the following:
a. Shall : use and and/or disclose the Protected Health Information PHI only in the amount minimally necessary to perform the services of the Contract as permitted or under required by this Agreement, provided that such use or disclosure would not violate the Privacy and Security Regulations if done by the Covered Entity BAC or as otherwise required by law.
b. Shall immediately . report to the designated privacy officer Privacy Officer and/or Security Officer of the covered entityCovered Entity, in writing, any use and/or disclosure of unsecured Protected Health Information the PHI that is not permitted or required by this Agreement or required by law.
c. Establish procedures for mitigatingBAC of which Business Associate becomes aware, to including breaches of unsecured PHI and any security incident of which it becomes aware, within _10_ days of the greatest Business Associate’s discovery of such unauthorized use and/or disclosure. To the extent possible, the Business Associate should provide the Covered Entity with the identification of each individual affected by the breach as well as any information required to be provided by the Covered Entity in its notification to affected individuals. Business Associate shall comply with all regulations issued by HHS and applicable state agencies regarding breach notification to Covered Entities. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. establish procedures for a mutually satisfactory resolution, regarding any deleterious effects from any improper use and/or disclosure of PHI that the Business Associate reports to the Covered Entity.
d. Use appropriate administrative, technical and physical safeguards . use commercially reasonable efforts to maintain the privacy and security of the PHI and to prevent uses unauthorized use and/or disclosures disclosure of unsecured PHI other than as provided in this Agreement.
e. Require such PHI. require all of its subcontractors and agents that receive or use, or have access to, PHI provided under this AgreementBAC to agree, to agree in writing writing, to adhere to the same restrictions and conditions on the use and/or disclosures disclosure of PHI that apply to the Business Associate pursuant to section 2 of this Agreement.
f. Make BAC, as well as to have the subcontractors and agents require of their subcontractors and agents who receive, use, or have access to PHI the same restrictions and conditions as agreed to by them with the Business Associate. make available all policiesinternal practices, records, books, agreements, records or policies, procedures and PHI relating to the use or and/or disclosure of Protected Health Information PHI received from, or created or received by Business Associate, on behalf of Covered Entity, available to Covered Entity or to the Secretary of Health & Human Services HHS in a prompt and commercially reasonable manner for purposes of determining the Business Associates’ compliance with the Privacy and Security Regulations.
g. Upon written request, make available during normal working hours at Business Associate’s office all records, books, agreements, policies and procedures relating to the use and disclosure of Protected Health Information to the Covered Entity to determine (i) the Business Associate’s compliance with the terms of this Agreement.
h. Upon BAC and (ii) compliance by the Business Associate and the Covered Entity with all applicable statutory provisions and regulations of and under HIPAA and the HITECH Act, subject to attorney-client and other applicable legal privileges. within 5 days of receiving a written request from the Covered Entity’s request, Business Associate shall to provide to the Covered Entity or Individual such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of each disclosure of PHI made by the Business Associate or its employees, agents, representatives, or subcontractors. Business Associate shall implement a process that allows for an accounting to be collected and maintained for any disclosure of PHI for which Covered Entity is required to maintain. Business Associate shall include in the accounting:
(a) date disclosures of the disclosure; (b) the name, and address if known, of the entity or person who received the PHI; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of the disclosure. For each disclosure that requires an accounting under this section, Business Associate shall document the information specified in (a) through (d), and shall securely retain the documentation for six (6) years from the date of the disclosure. To the extent that the Business Associate maintains individual's PHI in an electronic format, Business Associate shall maintain an accounting of disclosures for treatment, payment, and other health care operations purposes for three (3) years from the disclosureaccordance with 45 C.F.R. § 164.528. Notwithstanding anything to the contrary, this agreement shall become effective upon either of the following: (a) on or after January 1, 2014, if the Business Associate acquired the electronic record before January 1, 2009; or (b) on or after January 1, 2011 if Business Associate acquired an electronic health record after January 1, 2009, or such later date as determined by the Secretary.
i. Subject subject to Section 4.5 below, Business Associate shall return to the covered entity Covered Entity or destroy, at within _45__ days of the termination of this AgreementBAC, the PHI in its possession and retain no copies which shall include for the purposes of this Agreement without limitations the destruction of copies. This includes, but is not limited to, all backup tapes.
j. Disclose to its subcontractorsmedia, agents, or other third partiesmedia backups, and request from the covered entity, only the minimum PHI necessary to perform any other files (i.e. sound or fulfill a specific function required by this Agreement or the Contract or permitted by law.
k. Business Associate agrees to immediately report to the covered entity any security incident involving the attempted or successful unauthorized access, use, disclosure, modification, or destruction of covered entity’s electronic PHI or interference with the systems operations in an information system that involves the covered entity’s electronic .wav files) and/or paper which contains PHI. An attempted unauthorized access, for purposes of reporting with respect to the covered entity, means any attempted unauthorized access that prompts Business Associate to investigate the attempt, or review or change its current security measures. The parties acknowledge that the foregoing does not require Business Associate to report attempted unauthorized access that results in Business Associate: (i) investigating solely for the purpose of reviewing and/or noting the attempt, but rather requires notification only when such attempted unauthorized access results in Business Associate conducting a material and full-scale investigation PHI and/or Electronic Protected Health Information (“Material AttemptEPHI”); and (ii) continuously reviewing, updating and modifying its security measures to guard against unauthorized access to its systemas that term is used in 45 CFR, but rather requires notification only when a Material Attempt results in significant modifications to the Business Associate’s security measures in order to prevent such Material Attempt in the future.
l. Business Associate agrees to use appropriate Part 164, Subpart C, implement administrative, physical physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity integrity, and availability of the electronic protected health information (EPHI) EPHI that it creates, receives, maintains maintains, or submits transmits on behalf of the covered entity as required by 45 C.F.R. §164.308, §164.310, §164.312, Covered Entity and § 164.314.
m. Business Associate agrees that any EPHI it acquires, maintains, receives or transmits will be maintained or transmitted in a manner that fits the definition of secure PHI as that term is defined by the American Recovery and Reinvestment Act of 2009 (“ARRA”) and any subsequent regulations or guidelines from the Secretary of the Department of Health and Human Services (“DHHS”) promulgated under ARRA.
n. Business Associate agrees to ensure that any agencyagent, including subcontractora sub-contractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect it as required by 45 C.F.R. §164.308, §164.310, §164.312 and §164.414.
o. The Business Associate agrees to immediately notify EPHI. at the covered entity of any breach of unsecured PHI. Notice of such breach shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired or disclosed during the breach. Notice shall also include the description request of the PHI involved in Covered Entity, provide the breach, description Covered Entity (or any designate of the factual grounds leading Covered Entity) access to the breach, and any remedial action taken to address the breach. Business Associate further agrees to make available in a reasonable time and manner any other information needed by covered entity to respond to the individual’s inquiries regarding said breach and to report the breach to the Secretary of the Department of Health and Human Services. Business Associate shall be responsible to notify in writing the individuals affected by the breach as required under HIPAA regulations, but shall have the notice approved before mailing by the covered entity.
p. Business Associate agrees to indemnify the covered entity for the reasonable costs to notify the individuals affected by the breach if the covered entity provides that notice, and for any costs, damages, fines, penalties, including attorney fees, incurred by covered entity as a result of the breach by the Business Associate or its employees, agents or subcontractors, including but not limited to any identity theft related prevention or monitoring costs.
q. Business Associate shall make available PHI in a designated record set Designated Record Set in a prompt and commercially reasonable manner in order to meet the covered entity or to the individual requesting access to PHI as necessary to satisfy covered entity’s obligations requirements under 45 C.F.R. §CFR § 164.524. If the information is maintained in an electronic format, the access shall be provided to the individual in the electronic format.
r. Business Associate shall make any amendments amendment(s) to protected health information PHI in a designated record set as directed Designated Record Set that the Covered Entity directs or agreed to by the covered entity agrees pursuant to 45 C.F.R. §CFR § 164.526 or take other measures as necessary to satisfy covered entity’s obligations under 45 C.F.R. §164.526.
s. Business Associate, to at the extent the business associate is to carry out one or more request of the covered entity’s obligations under Subpart E of 45 C.F.R. part 164 shall comply with the requirements found therein which apply to the covered entity’s performance of such obligationsCovered Entity or an Individual in a prompt and commercially reasonable manner.
t. Business Associate agrees to comply with any and all privacy and security provisions not otherwise specified herein made applicable to the Business Associate under the provisions of HIPAA or ARRA.
Samples: Business Associate Contract