Security of Protected Health Information. (a) Sub-Business Associate agrees to use appropriate safeguards to protect against any use or disclosure of Personal Information not provided for herein and to comply, where applicable, with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information. Without limiting the foregoing, Sub-Business Associate agrees to implement appropriate administrative, physical, and technical safeguards to prevent the unauthorized use and disclosure of Personal Information, and to protect the confidentiality, integrity, and availability of Electronic Personal Information against accidental or unlawful destruction, alteration, unauthorized or improper disclosure or access, including monitoring access to, use and disclosure of Personal Information whether in physical or electronic form. Sub-Business Associate will regularly test and monitor the effectiveness of its safeguards, controls, systems and procedures, and will periodically identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, and availability of the Personal Information, and ensure that these risks are addressed. Sub-Business Associate shall use secure user identification and authentication protocols, including, but not limited to unique user identification, use of appropriate access controls, and strict measures to protect identification and authentication processes.
(b) Sub-Business Associate agrees, to the extent practicable, to Secure all Personal Information at rest, in motion or in use. Without limiting the foregoing, Sub-Business Associate agrees in all cases to Secure all Electronic Protected Health Information in motion and all Electronic Personal Information placed or stored on portable devices, and to dispose of all Protected Health Information in a Secure manner, including the permanent removal of all Protected Health Information from Electronic Media and hard disks, whether on fax, copier, computer, portable device or otherwise, before making such Electronic Media available for re-use. Notwithstanding the foregoing, beginning January 1, 2017, Sub-Business Associate agrees to Secure all electronic Personal Information at rest.
(c) Sub-Business Associate’s security practices for Protected Health Information must be evaluated and certified by a person holding a Certified Information Systems Security Professional (“CISSP”) certification or an equivalent qualification as meeting health care industry security best practices. Sub-Business Associate will perform periodic reviews of its security safeguards to ensure they are appropriate and operating as intended. At a minimum, all security practices will be assessed for compliance and re-certified by a CISSP or an equivalently qualified information security professional at least once a year.
(d) Documentation of Sub-Business Associate’s security assessments, including testing and any remediation efforts and CISSP or equivalent safeguard certification, must be retained for a period of six (6) years following (i) termination hereof and (ii) destruction or return of Protected Health Information, whichever is last to occur, or such longer period as required by Applicable Law.
(e) Sub-Business Associate agrees that neither it nor any of its Workforce members will place Protected Health Information on portable computing/storage devices which are not owned by Sub-Business Associate. Sub-Business Associate shall ensure that data files containing Protected Health Information are not saved on public or private computers while accessing corporate e-mail through the Internet.
(f) Sub-Business Associate warrants and represents that Sub-Business Associate has obtained, at Sub-Business Associate’s own expense and in a manner compliant with all applicable local, state, federal and international laws, a Satisfactory Background Screening for all of its Workforce members with access to any Personal Information. Sub-Business Associate agrees to update such background screening upon reasonable request by Company, it being agreed that any request based upon the occurrence of any Incident or, illegal activity or the reasonable suspicion of illegal activity involving Sub-Business Associate’s Workforce members, or any regulatory requirements requiring such updates, would be deemed reasonable hereunder. In addition, prior to allowing any Workforce Members to Process any Personal Information, Sub-Business Associate shall require the Workforce Member to execute an enforceable confidentiality agreement (in a form acceptable to the Company), and provide the Workforce Member with appropriate privacy and security training, including on the responsibilities under this Agreement such as the responsibilities to safeguard and, where appropriate or required, Secure Personal Information, and the consequences for failing to do so. Sub-Business Associate will also monitor its Workforce Members for compliance with the security program requirements. Upon request, Sub-Business Associate shall provide to Company a list of all Workforce Members who have (or have had) access to the Personal Information and the work location of each such Workforce Member.
(g) As healthcare industry security best practices evolve, Sub-Business Associate agrees to adjust its security practices accordingly so that they continue to reflect the then-current industry best practices. To the extent that Sub-Business Associate has access to any part of Company’s data systems, Sub-Business Associate shall comply with Company’s information security policies.
Appears in 2 contracts
Samples: Subagent Agreement, Subagent Agreement
Security of Protected Health Information. (a) Sub-Business Associate agrees to use appropriate safeguards to protect against any use or disclosure of Personal Information not provided for herein and to comply, where applicable, with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information. Without limiting the foregoing, Sub-Business Associate agrees to implement appropriate administrative, physical, and technical safeguards to prevent the unauthorized use and disclosure of Personal Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Personal Information against accidental or unlawful destructionProtected Health Information, alterationas required by the HIPAA Rules. Without limiting the foregoing, unauthorized or improper disclosure or access, including monitoring access to, use and disclosure of Personal Information whether in physical or electronic form. Sub-Business Associate will regularly test and monitor agrees to comply with the effectiveness requirements of its safeguards45 CFR 164.308, controls164.310, systems and procedures164.312, and will periodically identify reasonably foreseeable internal 164.316, as may be amended and external risks interpreted in guidance from time to the security, confidentiality, integrity, and availability of the Personal Information, and ensure that these risks are addressed. Sub-Business Associate shall use secure user identification and authentication protocols, including, but not limited to unique user identification, use of appropriate access controls, and strict measures to protect identification and authentication processestime.
(b) Sub-Business Associate agrees, to the extent practicable, to Secure all Personal Protected Health Information at rest, in motion or in use. Without limiting the foregoing, Sub-Business Associate agrees in all cases to Secure all Electronic electronic Protected Health Information in motion and all Electronic Personal electronic Protected Health Information placed or stored on portable devices, and to dispose of all Protected Health Information in a Secure manner, including the permanent removal of all Protected Health Information from Electronic Media and hard disks, whether on fax, copier, computer, portable device or otherwise, before making such Electronic Media available for re-use. Notwithstanding the foregoing, beginning January 1, 2017, Sub-Business Associate agrees to Secure all electronic Personal Information at rest.
(c) Sub-Business Associate’s security practices safeguards for Protected Health Information must be evaluated and certified by a person holding a Certified Information Systems Security Professional (“CISSP”) certification or an equivalent qualification as meeting health care industry security best practices. Sub-Business Associate will perform periodic reviews of its security safeguards to ensure they are appropriate and operating as intended. At a minimum, all security practices safeguards will be assessed for compliance and re-certified by a CISSP or an equivalently qualified information security professional at least once a year.
(d) Documentation of Sub-Business Associate’s security assessments, including testing and any remediation efforts and CISSP or equivalent safeguard certification, must be retained for a period of six (6) years following (i) termination hereof and (ii) destruction or return of Protected Health Information, whichever is last to occur, or such longer period as required by Applicable Lawapplicable law.
(e) Sub-Business Associate agrees that neither it nor any of its Workforce members will place Protected Health Information on portable computing/storage devices which are not owned by Sub-Business Associate. Sub-Business Associate shall ensure that data files containing Protected Health Information are not saved on public or private computers while accessing corporate e-mail through the Internet.
(f) Sub-Business Associate warrants and represents that Sub-Business Associate has obtained, at Sub-Business Associate’s own expense and in a manner compliant with all applicable local, state, federal and international laws, a Satisfactory Background Screening for all of its shall train Workforce members with access to any Personal Information. Sub-Business Associate agrees to update such background screening upon reasonable request by Company, it being agreed that any request based upon the occurrence of any Incident or, illegal activity or the reasonable suspicion of illegal activity involving Sub-Business Associate’s Workforce members, or any regulatory requirements requiring such updates, would be deemed reasonable hereunder. In addition, prior to allowing any Workforce Members to Process any Personal Information, Sub-Business Associate shall require the Workforce Member to execute an enforceable confidentiality agreement (in a form acceptable to the Company), and provide the Workforce Member with appropriate privacy and security training, including on the responsibilities under this Agreement such as Agreement, including the responsibilities to safeguard and, where appropriate or required, Secure Personal Protected Health Information, and the consequences for failing to do so. Sub-Business Associate will also monitor its Workforce Members for compliance with the security program requirements. Upon request, Sub-Business Associate shall provide to Company a list of all Workforce Members who have (or have had) access to the Personal Information and the work location of each such Workforce Member.
(g) As healthcare industry security best practices evolve to satisfy the HIPAA Rules and other applicable security standards, Sub-Business Associate agrees to adjust its security practices safeguards accordingly so that they continue to reflect the then-current industry best practices. To the extent that Sub-Business Associate has access to any part of Company’s data systems, Sub-Business Associate Contractor shall comply with Company’s information security policies.
Appears in 1 contract
Samples: Loa Subagent Agreement
Appears in 1 contract
Samples: Subagent Agreement