Common use of Restrictions on Use and Disclosure of PHI Clause in Contracts

Restrictions on Use and Disclosure of PHI. Neuronetics will not use or disclose PHI received from Customer in any manner that would constitute a violation of the Privacy Standards if used in such manner by Customer. Except as otherwise limited in this Agreement, Neuronetics may disclose PHI for the proper management and administration of, or to carry out the legal responsibilities of, Neuronetics; provided, that such disclosures are Required By Law, or Neuronetics obtains reasonable assurances from the person to whom PHI is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to such person, and such person notifies Neuronetics of any instances of which it is aware in which the confidentiality of PHI has been breached. Neuronetics may use PHI for any purposes as contemplated in this Agreement and as permitted under HIPAA and applicable state law. Except as otherwise limited in this Agreement, Neuronetics may use PHI to provide data aggregation services to Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Neuronetics may de-identify PHI; provided, that the de-identification processes must conform to the requirements of the Privacy Standards. Once the information is de-identified, such information will no longer be considered PHI. Neuronetics may also create a Limited Data Set for purposes of research, public health, or health care operations subject to the Data Use Addendum. Neuronetics will not directly or indirectly receive remuneration in exchange for any PHI, and Neuronetics will not use or disclose PHI for marketing, fundraising, or sale purposes unless Neuronetics or Customer has obtained a valid HIPAA-compliant authorization from the patient that specifies whether PHI can be further exchanged for remuneration, marketing, fundraising, or sale purposes by Neuronetics, and only as permitted under 45 C.F.R. §§ 164.508(a) and 164.514(f). Neuronetics will use appropriate safeguards to prevent use or disclosure of PHI otherwise than as provided for by this Agreement. Neuronetics will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, maintains, or transmits on behalf of Customer, as required by the Security Standards and the ARRA, including 45 C.F.R. §§ 164.308, 164.310, and 164.312. Neuronetics will implement reasonable and appropriate policies and procedures to comply with the Security Standards as required by 45 C.F.R. § 164.316(a) and the ARRA. Neuronetics will maintain such policies and procedures in written or electronic form and will document and retain such documentation regarding all actions, activities and assessments required under the Security Standards consistent with 45 C.F.R. § 164.316(b) and the ARRA. Neuronetics will mitigate, to the extent practicable, any harmful effect that is known to Neuronetics of an unauthorized use or disclosure of PHI by Neuronetics in violation of the requirements of this Agreement. Neuronetics will report to Customer any use or disclosure of PHI not provided for by this Agreement of which Neuronetics becomes aware. Neuronetics also will report to Customer within fifteen (15) Neuronetics business days Neuronetics’ discovery of any Security Breach and any successful Security Incidents. Neuronetics will report to Customer any unsuccessful Security Incidents as requested by Customer. Neuronetics’ reports to Customer regarding Security Breaches will include the identification of each individual whose unsecured PHI (as defined under ARRA and the HIPAA Standards) has been, or is reasonably believed by Neuronetics to have been, accessed, acquired, or disclosed during such Security Breach. Customer will make any notifications regarding such Breaches required under the HIPAA Standards and the ARRA, and Neuronetics will provide Customer with notification-related information required under the HIPAA Standards and the ARRA.

Restrictions on Use and Disclosure of PHI. Neuronetics will shall not use or disclose PHI received from Customer in any manner that would constitute a violation of the Privacy Standards if used in such manner by Customer. Except as otherwise limited in this Agreement, Neuronetics may disclose PHI for the proper management and administration of, or to carry out the legal responsibilities ofof Neuronetics, Neuronetics; provided, provided that such disclosures are Required By Law, or Neuronetics obtains reasonable assurances from the person to whom PHI the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to such the person, and such the person notifies Neuronetics of any instances of which it is aware in which the confidentiality of PHI the information has been breached. Neuronetics may use PHI for any purposes as contemplated in this Agreement and as permitted under HIPAA and applicable state law. Except as otherwise limited in this Agreement, Neuronetics may use PHI to provide data aggregation services to Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Neuronetics may de-identify PHI; provided, provided that the de-de- identification processes must conform to the requirements of the Privacy Standards. Once the information data is de-identified, such information will shall no longer be considered PHI. Neuronetics may also create a Limited Data Set for purposes of research, public health, or health care operations subject to the Data Use Addendum. Addendum in Appendix C. Neuronetics will shall not directly or indirectly receive remuneration in exchange for any PHI, and Neuronetics will not PHI or use or disclose PHI for marketing, fundraising, fundraising or sale purposes purposes, unless Neuronetics or Customer has obtained a valid HIPAA-HIPAA- compliant authorization from the patient that specifies whether the PHI can be further exchanged for remuneration, marketing, fundraising, fundraising or sale purposes by Neuronetics, Neuronetics and only as permitted under 45 C.F.R. §§ 164.508(a) and 164.514(f). Neuronetics will agrees to use appropriate safeguards to prevent use or disclosure of PHI otherwise than as provided for by this Agreement. Neuronetics will agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, maintains, or transmits on behalf of Customer, as required by the Security Standards and the ARRA, including without limitation, 45 C.F.R. §§ 164.308, 164.310, 164.310 and 164.312. Neuronetics will agrees to implement reasonable and appropriate policies and procedures to comply with the Security Standards as required by 45 C.F.R. § 164.316(a) and the ARRA. Neuronetics will also agrees to maintain such policies and procedures in written or electronic form and will document and retain such documentation regarding all actions, activities and assessments required under the Security Standards consistent with 45 C.F.R. § 164.316(b) and the ARRA. Neuronetics will agrees to mitigate, to the extent practicable, any harmful effect that is known to Neuronetics of an unauthorized use or disclosure of PHI by Neuronetics in violation of the requirements of this Agreement. Neuronetics will agrees to report to Customer any use or disclosure of PHI not provided for by this Agreement of which Neuronetics becomes aware. Neuronetics also will agrees to report within 15 business days to Customer within fifteen (15) Neuronetics business days Neuronetics’ discovery of any Security Breach and any successful Security Incidents. Neuronetics will agrees to report to Customer any unsuccessful Security Incidents as requested by Customer. Neuronetics’ reports to Customer regarding Security Breaches will shall include the identification of each individual whose unsecured PHI (as defined under ARRA and the HIPAA Standards) has been, or is reasonably believed by Neuronetics to have been, accessed, acquired, or disclosed during such Security Breach. Customer will agrees to make any notifications regarding such Breaches required under the HIPAA Standards and the ARRA, and Neuronetics will agrees to provide Customer with notification-notification- related information required under the HIPAA Standards and the ARRA.

Restrictions on Use and Disclosure of PHI. Neuronetics will shall not use or disclose PHI received from Customer in any manner that would constitute a violation of the Privacy Standards if used in such manner by Customer. Except as otherwise limited in this Agreement, Neuronetics may disclose PHI for the proper management and administration of, or to carry out the legal responsibilities ofof Neuronetics, Neuronetics; provided, provided that such disclosures are Required By Law, or Neuronetics obtains reasonable assurances from the person to whom PHI the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to such the person, and such the person notifies Neuronetics of any instances of which it is aware in which the confidentiality of PHI the information has been breached. Neuronetics may use PHI for any purposes as contemplated in this Agreement and as permitted under HIPAA and applicable state law. Except as otherwise limited in this Agreement, Neuronetics may use PHI to provide data aggregation services to Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Neuronetics may de-identify PHI; provided, provided that the de-identification processes must conform to the requirements of the Privacy Standards. Once the information data is de-de- identified, such information will shall no longer be considered PHI. Neuronetics may also create a Limited Data Set for purposes of research, public health, or health care operations subject to the Data Use Addendum. Addendum in Appendix C. Neuronetics will shall not directly or indirectly receive remuneration in exchange for any PHI, and Neuronetics will not use or disclose PHI for marketing, fundraising, or sale purposes unless Neuronetics or Customer has obtained a valid HIPAA-compliant authorization from the patient that specifies whether the PHI can be further exchanged for remuneration, marketing, fundraising, or sale purposes remuneration by Neuronetics, and only as permitted under 45 C.F.R. §§ 164.508(a) and 164.514(f). Neuronetics will agrees to use appropriate safeguards to prevent use or disclosure of PHI otherwise than as provided for by this Agreement. Neuronetics will agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, maintains, or transmits on behalf of Customer, as required by the Security Standards and the ARRA, including without limitation, 45 C.F.R. §§ 164.308, 164.310, 164.310 and 164.312. Neuronetics will agrees to implement reasonable and appropriate policies and procedures to comply with the Security Standards as required by 45 C.F.R. § 164.316(a) and the ARRA. Neuronetics will also agrees to maintain such policies and procedures in written or electronic form and will document and retain such documentation regarding all actions, activities and assessments required under the Security Standards consistent with 45 C.F.R. § 164.316(b) and the ARRA. Neuronetics will agrees to mitigate, to the extent practicable, any harmful effect that is known to Neuronetics of an unauthorized use or disclosure of PHI by Neuronetics in violation of the requirements of this Agreement. Neuronetics will agrees to report to Customer any use or disclosure of PHI not provided for by this Agreement of which Neuronetics becomes aware. Neuronetics also will agrees to report within 15 business days to Customer within fifteen (15) Neuronetics business days Neuronetics’ discovery of any Security Breach and any successful Security Incidents. Neuronetics will agrees to report to Customer any unsuccessful Security Incidents as requested by Customer. Neuronetics’ reports to Customer regarding Security Breaches will shall include the identification of each individual whose unsecured PHI (as defined under ARRA and the HIPAA Standards) has been, or is reasonably believed by Neuronetics to have been, accessed, acquired, or disclosed during such Security Breach. Customer will agrees to make any notifications regarding such Breaches required under the HIPAA Standards and the ARRA, and Neuronetics will agrees to provide Customer with notification-notification- related information required under the HIPAA Standards and the ARRA.