Common use of Restrictions on Use and Disclosure of PHI Clause in Contracts

Restrictions on Use and Disclosure of PHI. Neuronetics shall not use or disclose PHI received from Customer in any manner that would constitute a violation of the Privacy Standards if used in such manner by Customer. Except as otherwise limited in this Agreement, Neuronetics may disclose PHI for the proper management and administration or to carry out the legal responsibilities of Neuronetics, provided that disclosures are Required By Law, or Neuronetics obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Neuronetics of any instances of which it is aware in which the confidentiality of the information has been breached. Neuronetics may use PHI for any purposes as contemplated in this Agreement and as permitted under HIPAA and applicable state law. Except as otherwise limited in this Agreement, Neuronetics may use PHI to provide data aggregation services to Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Neuronetics may de-identify PHI, provided that the de- identification processes conform to the requirements of the Privacy Standards. Once the data is de-identified, such information shall no longer be considered PHI. Neuronetics may also create a Limited Data Set for purposes of research, public health, or health care operations subject to the Data Use Addendum in Appendix C. Neuronetics shall not directly or indirectly receive remuneration in exchange for any PHI or use or disclose PHI for marketing, fundraising or sale purposes, unless Neuronetics or Customer has obtained a valid HIPAA- compliant authorization from the patient that specifies whether the PHI can be further exchanged for remuneration, marketing, fundraising or sale purposes by Neuronetics and only as permitted under 45 C.F.R. §§ 164.508(a) and 164.514(f). Neuronetics agrees to use appropriate safeguards to prevent use or disclosure of PHI otherwise than as provided for by this Agreement. Neuronetics agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, maintains, or transmits on behalf of Customer, as required by the Security Standards and the ARRA, including without limitation, 45 C.F.R. §§ 164.308, 164.310 and 164.312. Neuronetics agrees to implement reasonable and appropriate policies and procedures to comply with the Security Standards as required by 45 C.F.R. § 164.316(a) and the ARRA. Neuronetics also agrees to maintain such policies and procedures in written or electronic form and will document and retain such documentation regarding all actions, activities and assessments required under the Security Standards consistent with 45 C.F.R. § 164.316(b) and the ARRA. Neuronetics agrees to mitigate, to the extent practicable, any harmful effect that is known to Neuronetics of an unauthorized use or disclosure of PHI by Neuronetics in violation of the requirements of this Agreement. Neuronetics agrees to report to Customer any use or disclosure of PHI not provided for by this Agreement of which Neuronetics becomes aware. Neuronetics also agrees to report within 15 business days to Customer Neuronetics discovery of any Security Breach and any successful Security Incidents. Neuronetics agrees to report to Customer any unsuccessful Security Incidents as requested by Customer. Neuronetics’ reports to Customer regarding Security Breaches shall include the identification of each individual whose unsecured PHI (as defined under ARRA and the HIPAA Standards) has been, or is reasonably believed by Neuronetics to have been, accessed, acquired, or disclosed during such Security Breach. Customer agrees to make any notifications regarding such Breaches required under the HIPAA Standards and the ARRA, and Neuronetics agrees to provide Customer with notification- related information required under the HIPAA Standards and the ARRA.

Restrictions on Use and Disclosure of PHI. Neuronetics shall not use or disclose PHI received from Customer in any manner that would constitute a violation of the Privacy Standards if used in such manner by Customer. Except as otherwise limited in this Agreement, Neuronetics may disclose PHI for the proper management and administration or to carry out the legal responsibilities of Neuronetics, provided that disclosures are Required By Law, or Neuronetics obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Neuronetics of any instances of which it is aware in which the confidentiality of the information has been breached. Neuronetics may use PHI for any purposes as contemplated in this Agreement and as permitted under HIPAA and applicable state law. Except as otherwise limited in this Agreement, Neuronetics may use PHI to provide data aggregation services to Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Neuronetics may de-identify PHI, provided that the de- de-identification processes conform to the requirements of the Privacy Standards. Once the data is de-de- identified, such information shall no longer be considered PHI. Neuronetics may also create a Limited Data Set for purposes of research, public health, or health care operations subject to the Data Use Addendum in Appendix C. Neuronetics shall not directly or indirectly receive remuneration in exchange for any PHI or use or disclose PHI for marketing, fundraising or sale purposesPHI, unless Neuronetics or Customer has obtained a valid HIPAA- HIPAA-compliant authorization from the patient that specifies whether the PHI can be further exchanged for remuneration, marketing, fundraising or sale purposes remuneration by Neuronetics and only as permitted under 45 C.F.R. §§ 164.508(a) and 164.514(f)Neuronetics. Neuronetics agrees to use appropriate safeguards to prevent use or disclosure of PHI otherwise than as provided for by this Agreement. Neuronetics agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, maintains, or transmits on behalf of Customer, as required by the Security Standards and the ARRA, including without limitation, 45 C.F.R. §§ 164.308, 164.310 and 164.312. Neuronetics agrees to implement reasonable and appropriate policies and procedures to comply with the Security Standards as required by 45 C.F.R. § 164.316(a) and the ARRA. Neuronetics also agrees to maintain such policies and procedures in written or electronic form and will document and retain such documentation regarding all actions, activities and assessments required under the Security Standards consistent with 45 C.F.R. § 164.316(b) and the ARRA. Neuronetics agrees to mitigate, to the extent practicable, any harmful effect that is known to Neuronetics of an unauthorized use or disclosure of PHI by Neuronetics in violation of the requirements of this Agreement. Neuronetics agrees to report to Customer any use or disclosure of PHI not provided for by this Agreement of which Neuronetics becomes aware. Neuronetics also agrees to report within 15 business days to Customer Neuronetics discovery of any Security Breach and any successful Security Incidents. Neuronetics agrees to report to Customer any unsuccessful Security Incidents as requested by Customer. Neuronetics’ reports to Customer regarding Security Breaches shall include the identification of each individual whose unsecured PHI (as defined under ARRA and the HIPAA Standards) has been, or is reasonably believed by Neuronetics to have been, accessed, acquired, or disclosed during such Security Breach. Customer agrees to make any notifications regarding such Breaches required under the HIPAA Standards and the ARRA, and Neuronetics agrees to provide Customer with notification- related information required under the HIPAA Standards and the ARRA.

Restrictions on Use and Disclosure of PHI. Neuronetics shall will not use or disclose PHI received from Customer in any manner that would constitute a violation of the Privacy Standards if used in such manner by Customer. Except as otherwise limited in this Agreement, Neuronetics may disclose PHI for the proper management and administration of, or to carry out the legal responsibilities of of, Neuronetics; provided, provided that such disclosures are Required By Law, or Neuronetics obtains reasonable assurances from the person to whom the information PHI is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the such person, and the such person notifies Neuronetics of any instances of which it is aware in which the confidentiality of the information PHI has been breached. Neuronetics may use PHI for any purposes as contemplated in this Agreement and as permitted under HIPAA and applicable state law. Except as otherwise limited in this Agreement, Neuronetics may use PHI to provide data aggregation services to Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Neuronetics may de-identify PHI; provided, provided that the de- de-identification processes must conform to the requirements of the Privacy Standards. Once the data information is de-identified, such information shall will no longer be considered PHI. Neuronetics may also create a Limited Data Set for purposes of research, public health, or health care operations subject to the Data Use Addendum in Appendix C. Addendum. Neuronetics shall will not directly or indirectly receive remuneration in exchange for any PHI or PHI, and Neuronetics will not use or disclose PHI for marketing, fundraising fundraising, or sale purposes, purposes unless Neuronetics or Customer has obtained a valid HIPAA- HIPAA-compliant authorization from the patient that specifies whether the PHI can be further exchanged for remuneration, marketing, fundraising fundraising, or sale purposes by Neuronetics Neuronetics, and only as permitted under 45 C.F.R. §§ 164.508(a) and 164.514(f). Neuronetics agrees to will use appropriate safeguards to prevent use or disclosure of PHI otherwise than as provided for by this Agreement. Neuronetics agrees to will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, maintains, or transmits on behalf of Customer, as required by the Security Standards and the ARRA, including without limitation, 45 C.F.R. §§ 164.308, 164.310 164.310, and 164.312. Neuronetics agrees to will implement reasonable and appropriate policies and procedures to comply with the Security Standards as required by 45 C.F.R. § 164.316(a) and the ARRA. Neuronetics also agrees to will maintain such policies and procedures in written or electronic form and will document and retain such documentation regarding all actions, activities and assessments required under the Security Standards consistent with 45 C.F.R. § 164.316(b) and the ARRA. Neuronetics agrees to will mitigate, to the extent practicable, any harmful effect that is known to Neuronetics of an unauthorized use or disclosure of PHI by Neuronetics in violation of the requirements of this Agreement. Neuronetics agrees to will report to Customer any use or disclosure of PHI not provided for by this Agreement of which Neuronetics becomes aware. Neuronetics also agrees will report to report Customer within 15 fifteen (15) Neuronetics business days to Customer Neuronetics Neuronetics’ discovery of any Security Breach and any successful Security Incidents. Neuronetics agrees to will report to Customer any unsuccessful Security Incidents as requested by Customer. Neuronetics’ reports to Customer regarding Security Breaches shall will include the identification of each individual whose unsecured PHI (as defined under ARRA and the HIPAA Standards) has been, or is reasonably believed by Neuronetics to have been, accessed, acquired, or disclosed during such Security Breach. Customer agrees to will make any notifications regarding such Breaches required under the HIPAA Standards and the ARRA, and Neuronetics agrees to will provide Customer with notification- notification-related information required under the HIPAA Standards and the ARRA.