Common use of Specific Use and Disclosure Provisions Clause in Contracts

Specific Use and Disclosure Provisions. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B). Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1). Business Associate shall promptly following the discovery of a Breach of Unsecured Protected Health Information as defined in the Regulations, notify the Covered Entity of the Breach. Business Associate shall provide the notification without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use or disclosure of Unsecured Protected Health Information is in violation of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Information.

Specific Use and Disclosure Provisions. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B). Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1). Business Associate shall promptly following the discovery of a Breach of Unsecured unsecured Protected Health Information as defined in the Regulations, notify the Covered Entity of the Breach. Business Associate shall provide the notification without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use rules or disclosure of Unsecured Protected Health Information is in violation of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Informationregulations.

Specific Use and Disclosure Provisions. (a) Except as otherwise limited provided in this BAAAppendix, Business Associate Aetna may use Protected Health Information for the proper management and administration of the Business Associate Aetna or to carry out the legal responsibilities of the Business Associate. Aetna. (b) Except as otherwise limited provided in this BAAAppendix, Business Associate Aetna may disclose Protected Health Information for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business AssociateAetna, provided that disclosures are Required By Law, or Business Associate Aetna obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate Aetna of any instances of which it is aware in which the confidentiality of the information has been breached. Except breached in accordance with the Breach and Security Incident notifications requirements of this Appendix. (c) Aetna shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual without Customer’s prior written approval and notice from Customer that it has obtained from the individual, in accordance with 45 C.F.R. 164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by Aetna. (d) Aetna may use or disclose Protected Health Information to communicate about a product or service, provided that such communication is made in a manner that does not constitute marketing as defined in 45 CFR 164.501 or otherwise limited in this BAA, Business Associate constitute a use or disclosure that Customer is prohibited from performing itself. (e) Aetna may use Protected Health Information to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B). Business Associate perform Data Aggregation services. (f) Aetna may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1164.502(j). Business Associate shall promptly following the discovery . (g) The provisions of a Breach of Unsecured this Appendix notwithstanding, Aetna is permitted to de-identify Protected Health Information as defined Information, provided that it does so in the Regulations, notify the Covered Entity of the Breachaccordance with HIPAA de- identification rules. Business Associate shall provide the notification without unreasonable delay and in no case later than twentyDe-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured identified information does not constitute Protected Health Information has beenInformation, or is reasonably believed and may be used and disclosed by the Business Associate to have beenAetna for its own purposes, accessedincluding, acquiredwithout limitation, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested by Covered Entity for purposes of investigating developing comparative databases, performing statistical analysis and research, and improving the Breach quality of Aetna’s products and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use or disclosure of Unsecured Protected Health Information is in violation of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Informationservices.

Specific Use and Disclosure Provisions. (1) Except as otherwise limited in prohibited by this BAAHIPAA Agreement or applicable Law, Business Associate may use Protected Health Information PHI as provided in this HIPAA Agreement or the Arrangement and for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. . (2) Except as otherwise limited in prohibited by this BAAHIPAA Agreement or applicable Law, Business Associate may disclose Protected Health Information as provided in this HIPAA Agreement or in the Arrangement and for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are the disclosure is Required By Law, by Law or the Business Associate obtains reasonable assurances assurances, in the form of a business associate agreement, from the any person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breachedbreached in accordance with the Security Breach and Security Incident notifications requirements of this HIPAA Agreement. (3) Business Associate shall not directly or indirectly receive remuneration from a third party in exchange for any Protected Health Information of an Individual without KIC’s prior written approval, such approval not to be unreasonably withheld, denied, delayed or conditioned, and confirmation from Business Associate to KIC that it has obtained from the Individual, in accordance with 45 C.F.R. §164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by Business Associate from third parties. The foregoing shall not apply to KIC’s payments to Business Associate for services delivered by Business Associate to KIC. (4) Except as otherwise limited in prohibited by this BAAHIPAA Agreement or applicable Law, Business Associate may also use Protected Health Information to provide data aggregation services to Covered Entity KIC as permitted by 45 CFR § 42 C.F.R. §164.504(e)(2)(i)(B). . (5) Business Associate may use Protected Health Information to report violations of law Law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1§164.502 G)(1). . (6) Business Associate shall promptly following the discovery of a Breach of Unsecured may not use or disclose Protected Health Information as defined in the Regulations, notify the Covered Entity a manner that would violate Subpart E of the Breach. Business Associate shall provide the notification without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested 45 C.F.R. Part 164 if done by Covered Entity except for purposes of investigating the Breach specific uses and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use or disclosure of Unsecured Protected Health Information is disclosures set out above in violation of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Information2. (b).

Specific Use and Disclosure Provisions. (a) Except as otherwise limited in this BAA, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. . (b) Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. . (c) Except as otherwise limited in this BAA, Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B). . (d) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1). . (e) Business Associate shall promptly following the discovery of a Breach of Unsecured unsecured Protected Health Information as defined in the Regulations, notify the Covered Entity of the Breach. Business Associate shall provide the notification without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use or disclosure of Unsecured Protected Health Information is in violation of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Information.and

Specific Use and Disclosure Provisions. (a) Except as otherwise limited in prohibited by this BAA, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Upline Agreement 2015 55 (b) Except as otherwise limited in prohibited by this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited breached in accordance with the Breach and Security Incident notifications requirements of this BAA, . (c) Business Associate may use shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual without Covered Entity’s prior written approval and notice from Covered Entity that it has obtained from the Individual, in accordance with 45 C.F.R. 164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by Business Associate. The foregoing shall not apply to Covered Entity’s payments to Business Associate for services delivered by Business Associate to Covered Entity. (d) Business Associate shall not de-identify any Protected Health Information except as authorized by Covered Entity to provide data aggregation services to Covered Entity as permitted by 45 CFR § 42 C.F.R. 164.504(e)(2)(i)(B). . (e) Business Associate may use Protected Health Information to report violations violation of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1164.502 (j)(1). Business Associate shall promptly following the discovery of a Breach of Unsecured Protected Health Information as defined in the Regulations, notify the Covered Entity of the Breach. Business Associate shall provide the notification without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use or disclosure of Unsecured Protected Health Information is in violation of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Information.

Specific Use and Disclosure Provisions. (a) Except as otherwise limited provided in this BAABA Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. . (b) Except as otherwise limited provided in this BAABA Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except breached in accordance with the Breach and Security Incident notifications requirements of this BA Agreement. (c) Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual without Covered Entity’s prior written approval and notice from Covered Entity that it has obtained from the Individual, in accordance with 45 CFR 164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by Business Associate. (d) Business Associate may use or disclose Protected Health Information to communicate about a product or service, provided that such communication is made in a manner that does not constitute marketing as defined in 45 CFR 164.501 or otherwise limited in this BAA, constitute a use or disclosure that Covered Entity is prohibited from performing itself. (e) Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B). perform Data Aggregation services. (f) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1164.502(j). . (g) The provisions of this BA Agreement notwithstanding, Business Associate shall promptly following the discovery of a Breach of Unsecured is permitted to de-identify Protected Health Information as defined Information, provided that it does so in the Regulationsaccordance with HIPAA de-identification rules. De-identified information does not constitute Protected Health Information, notify the Covered Entity of the Breach. and may be used and disclosed by Business Associate shall provide the notification for its own purposes, including, without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall includelimitation, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested by Covered Entity for purposes of investigating developing comparative databases, performing statistical analysis and research, and improving the Breach and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject quality of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use or disclosure of Unsecured Protected Health Information is in violation of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Informationproducts and services.

Specific Use and Disclosure Provisions. (i) Except as otherwise limited in this BAAAgreement, Business Associate may use Protected Health Information PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Notwithstanding the foregoing, upon receipt of a written request from Covered Entity, Business Associate will provide Covered Entity with a description of any use made of Covered Entity’s PHI that Business Associate made in reliance on this Clause (2) of Subsection (c) of Section 5 of Paragraph A of Article 29 of the Agreement. (b) Except as otherwise limited in this BAAAgreement, Business Associate may disclose Protected Health Information PHI for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law required by law or for the purpose for which it was disclosed to the person, and the person notifies notified the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited Notwithstanding the foregoing, upon receipt of a written request from Covered Entity, Business Associate will provide Covered Entity with a description of any disclosure made of Covered Entity’s PHI that Business Associate made in reliance on this BAAClause (2) of Subsection (c) of Section 5 of Paragraph A of Article 29 of the Agreement. (c) When specifically requested in writing by Covered Entity, Business Associate may use Protected Health Information to PHI to: (i) provide data aggregation Data Aggregation services to Covered Entity as permitted by 45 CFR § C.F.R. §164.504(e)(2)(i)(B). ; or (ii) create de-identified health information in accordance with 45 C.F.R. §164.514. (d) Business Associate may use Protected Health Information disclose PHI to report violations of law to appropriate Federal federal and State state authorities, consistent with 45 CFR § C.F.R. §164.502(j)(1). Business Associate shall promptly following the discovery of a Breach of Unsecured Protected Health Information as defined in the Regulations, notify the Covered Entity of the Breach. Business Associate shall provide the notification without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use or disclosure of Unsecured Protected Health Information is in violation of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Information.

Specific Use and Disclosure Provisions. (1) Except as otherwise limited in prohibited by this BAAAgreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. . (2) Except as otherwise limited in prohibited by this BAAAgreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances assurances, in the form of a business associate agreement, from the person or entity to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the personperson or entity, and the person or entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breachedbreached in accordance with the Security Breach and Security Incident notifications requirements of this Agreement. (3) Business Associate will afford access to Protected Health Information or other personal information received by it to the Plan or the Client, as permitted under this Agreement and by law. Business Associate will afford access to this information to other persons only as reasonably directed in writing by Plan or the Client, with due regard for confidentiality, and Business Associate shall have no further obligation with respect to that information. Except as otherwise limited provided in this BAAAgreement, Business Associate will disclose Protected Health Information to a third party only if authorized by an ancillary agreement respecting confidentiality. Business Associate is directed to afford access to Protected Health Information to the persons listed in Attachment A, under circumstances where disclosure is appropriate and necessary: (4) Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual without the Plan’s prior written approval and notice from Plan that it has obtained from the Individual, in accordance with 45 C.F.R. 164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by Business Associate. The foregoing shall not apply to Plan’s payments to Business Associate for services delivered by Business Associate. (5) Except as otherwise prohibited by this Agreement, Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity Plan as permitted by 45 CFR § 42 C.F.R. 164.504(e)(2)(i)(B). . (6) Business Associate may use Protected Health Information to report violations violation of law to appropriate Federal and State authorities, consistent with 164.502 (j)(1). (7) Business Associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR § 164.502(j)(1Part 164 if done by Plan except for the specific uses and disclosures set out above in this Section 2.(b). . (8) Business Associate shall promptly following the discovery of a Breach of Unsecured Protected Health Information as defined in the Regulations, notify the Covered Entity of the Breach. Business Associate shall provide the notification without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s not use or disclosure of Unsecured Protected Health Information is disclose health information in violation of the Regulations, Business Associate bears the burden of demonstrating a manner that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Informationwould violate 42 C.F.R. 164.522(a)(vi)(B).

Specific Use and Disclosure Provisions. (a) Except as otherwise limited in prohibited by this BAA, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. . (b) Except as otherwise limited in prohibited by this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited breached in accordance with the Breach and Security Incident notifications requirements of this BAA, . (c) Business Associate may use shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual without Covered Entity’s prior written approval and notice from Covered Entity that it has obtained from the Individual, in accordance with 45 C.F.R. 164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by Business Associate. The foregoing shall not apply to Covered Entity’s payments to Business Associate for services delivered by Business Associate to Covered Entity. (d) Business Associate shall not de-identify any Protected Health Information except as authorized by Covered Entity to provide data aggregation services to Covered Entity as permitted by 45 CFR § 42 C.F.R. 164.504(e)(2)(i)(B). . (e) Business Associate may use Protected Health Information to report violations violation of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1164.502 (j)(l). Business Associate shall promptly following the discovery of a Breach of Unsecured Protected Health Information as defined in the Regulations, notify the Covered Entity of the Breach. Business Associate shall provide the notification without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use or disclosure of Unsecured Protected Health Information is in violation of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Information.

Specific Use and Disclosure Provisions. Except as otherwise limited in this BAAAgreement, Business Associate may access, use Protected Health Information and disclose PHI for the Business Associate’s proper management and administration of or to meet its legal responsibilities; provided, however, that such PHI may only be disclosed for such purposes only if the disclosures are required by law or the Business Associate or to carry out obtains the legal responsibilities of the Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains following reasonable assurances from the person or entity to whom the information is disclosed that it disclosed: the information will remain confidential and confidential; the information will be used or further disclosed only as Required By Law required by law or for the purpose for which it the information was disclosed to the person, ; and the person notifies will notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited in this BAAAgreement, Business Associate may use Protected Health Information PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR C.F.R. § 164.504(e)(2)(i)(B). Data aggregation services involve the combining by the Business Associate of (a) protected health information created or received by a Business Associate in its capacity as the Business Associate of a Covered Entity with (b) protected health information received by the Business Associate in its capacity as a Business Associate of another Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities. Business Associate may use Protected Health Information and disclose PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR C.F.R. § 164.502(j)(1). Except as otherwise limited in this Agreement, Business Associate shall promptly following may use PHI to de-identify such PHI in accordance with the discovery requirements of a Breach of Unsecured Protected Health Information as defined in the RegulationsHIPAA, notify the Covered Entity of the Breachincluding 45 C.F.R. § 164.514. Business Associate shall provide have the notification right to use and disclose such de-identified information without unreasonable delay and regard to any limitations on the use or disclosure of PHI contained in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall includethis Agreement, to the extent possible, the identification of each individual whose unsecured Protected Health Information has beenHIPAA, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the BreachPrivacy and Security Rules. Business Associate shall also provide will not disclose the Covered Entity with any additional information reasonably requested identity of the source of the original data provided by Covered Entity for purposes of investigating the Breach and any other available information that the unless authorized to do so by Covered Entity. Neither Covered Entity is required nor any third party shall be entitled to provide to the individual(s) who are the subject any revenue, royalties, of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs other compensation for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use or disclosure of Unsecured Protected Health Information is in violation of the Regulationsde-identified information, nor shall Covered Entity use or disclose the de-identified information provided to Covered Entity by Business Associate bears for any purpose other than in the burden conduct of demonstrating its own business. Business Associate may only use and disclose PHI in accordance with the Minimum Necessary Standard under HIPAA and the Privacy and Security Rules to the extent that notice as required under such standard would apply if the activities performed by Business Associate pursuant to this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health InformationAgreement were performed by Covered Entity.

Specific Use and Disclosure Provisions. (1) Except as otherwise limited in this BAA, Business Associate CONTRACTOR may use Protected Health Information and EPHI for the proper management and administration of the Business Associate CONTRACTOR or to carry out the legal responsibilities of the Business Associate. CONTRACTOR. (2) Except as otherwise limited in this BAA, Business Associate CONTRACTOR may disclose Protected Health Information and EPHI for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business AssociateCONTRACTOR, provided that disclosures are Required By Law, or Business Associate CONTRACTOR obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate CONTRACTOR of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited in this BAA, Business Associate . (3) CONTRACTOR may use Protected Health Information to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B). Business Associate may use Protected Health Information and EPHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1). Business Associate shall promptly following the discovery of a Breach of Unsecured . (4) CONTRACTOR may not aggregate or compile COUNTY’s Protected Health Information as defined in or EPHI with the Regulations, notify the Covered Entity of the Breach. Business Associate shall provide the notification without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by EPHI of other Covered Entities unless the Business Associate Agreement permits CONTRACTOR to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breachperform Data Aggregation services. If the Business Associate causes such BreachAgreement permits CONTRACTOR to provide Data Aggregation services, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s CONTRACTOR may use or disclosure of Unsecured Protected Health Information and EPHI to provide the Data Aggregation services requested by COUNTY as permitted by 45 CFR 164.504(e)(2)(i)(B), subject to any limitations contained in this BAA. If Data Aggregation services are requested by COUNTY, CONTRACTOR is in violation authorized to aggregate COUNTY’s Protected Health Information and EPHI with Protected Health Information or EPHI of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or other Covered Entities that the use or disclosure did not constitute CONTRACTOR has in its possession through its capacity as a Breach CONTRACTOR to such other Covered Entities provided that the purpose of Unsecured such aggregation is to provide COUNTY with data analysis relating to the Health Care Operations of COUNTY. Under no circumstances may CONTRACTOR disclose Protected Health Information.Information or EPHI of COUNTY to another Covered Entity absent the express authorization of COUNTY. DocuSign Envelope ID: 3C4D434F-A585-4372-A120-DA95D5337EB4

Specific Use and Disclosure Provisions. i. Except as otherwise limited in prohibited by this BAA, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. ii. Except as otherwise limited in prohibited by this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances assurances, in the form of a business associate agreement, from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breachedbreached in accordance with the Security Breach and Security Incident notifications requirements of this BAA. iii. Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual without Humana’s prior written approval and notice from Humana that it has obtained from the individual, in accordance with 45 C.F.R. 164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by Business Associate. The foregoing shall not apply to Humana’s payments to Business Associate for services deliver ed by Business Associate to Humana. iv. Except as otherwise limited in prohibited by this BAA, Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity Humana as permitted by 45 CFR § 42 C.F.R. 164.504(e)(2)(i)(B). . v. Business Associate may use Protected Health Information to report violations violation of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1164.502 (j)(1). vi. Business Associate shall promptly following the discovery of a Breach of Unsecured associate may not use or disclose Protected Health Information as defined in the Regulations, notify the Covered Entity a manner that would violate Subpart E of the Breach. Business Associate shall provide the notification without unreasonable delay and in no case later than twenty-four (24) hours after discovery of a Breach. The notification shall include, to the extent possible, the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall also provide the Covered Entity with any additional information reasonably requested 45 CFR Part 164 if done by Covered Entity except for purposes of investigating the Breach specific uses and any other available information that the Covered Entity is required to provide to the individual(s) who are the subject of the Breach. Business Associate shall cooperate with Covered Entity to take (i) prompt corrective action to cure any such Breach and (ii) any action required by the Regulations and applicable federal or state laws, rules or regulations as a result of such Breach. If the Business Associate causes such Breach, Business Associate shall pay any required notification costs for purposes of complying with the Regulations or any other applicable federal or state laws, rules, regulations and related guidance issued by the Secretary from time to time. In the event Business Associate’s use or disclosure of Unsecured Protected Health Information is disclosures set out above in violation of the Regulations, Business Associate bears the burden of demonstrating that notice as required under this Section 4(e) was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured Protected Health Information2.(b).