Use and Disclosure of PHI. Except as otherwise permitted by this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). 
Business Associate shall in such cases:
2.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement;
2.1.2 obtain reasonable assurances, in writing from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held in confidence and further used and disclosed only as required by law or for the purpose for which it was disclosed to the person or entity; and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached; and
2.1.3 agree to notify the Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules or HITECH Act.
Appears in 4 contracts
Samples: Participating Practice Agreement, Participating Practice Agreement, Participating Gainsharing Agreement
Use and Disclosure of PHI. A. Except as otherwise permitted by provided in this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, howeverBAA, Business Associate may use and or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.
B. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate, or ’s business and to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it createsfor its proper management and administration, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). Business Associate shall in such cases:
2.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement;
2.1.2 obtain reasonable assurances, in writing from the person or entity to whom the PHI is disclosed that: (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held in confidence confidential as provided under this BAA and used or further used and disclosed only as required by law or for the purpose for which it was disclosed to the person or entity; this third party and (iib) the person or entity will an agreement from this third party to notify Business Associate immediately of any instances breaches of which it is aware in which the confidentiality of the PHI, to the extent it has knowledge of the breach.
C. Business Associate will not use or disclose PHI has been breached; and
2.1.3 agree to notify in a manner other than as provided in this BAA, as permitted under the Privacy Officer Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity Entity’s PHI that Business Associate or any of any instances its agents or subcontractors have in their possession.
E. Business Associate may use PHI to report violations of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules or HITECH Actlaw to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
Appears in 3 contracts
Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
Use and Disclosure of PHI. (i) Except as otherwise permitted by limited in this Agreement, the HIPAA RulesLicensed-Only Agent may use or disclose PHI to perform functions, activities, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services tofor, or on behalf of, Covered Entity Company as described specified in the Underlying AgreementLicensed-Only Agent Agreements, and shall not provided that such use or disclose PHI that disclosure would not violate the HIPAA Privacy & Security Rules if done by Company or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and proceduresprocedures of Company. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of Company has the Covered Entity for right to amend this Agreement at any purpose except as otherwise provided time with respect to permitted uses and disclosures by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to Licensed-Only Agent.
(ii) To the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate Licensed-Only Agent is to carry out one or more of Covered EntityCompany’s obligations under the Privacy RuleSubpart E of 45 C.F.R. Part 164, it shall Licensed-Only Agent agrees to comply with the requirements of the Privacy Rule which Subpart E that apply to Covered Entity the Company in the performance of such obligation(s). Business Associate obligations.
(iii) Licensed-Only Agent may use or disclose PHI as required by law.
(iv) Licensed-Only Agent shall not use or disclose, and shall ensure that its directors, officers, employees, agents, and subcontractors do not use or disclose, PHI in such cases:
2.1.1 provide information to members any manner that would constitute a violation of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules Privacy Rule or the HITECH Act if done by Company, except that Licensed-Only Agent may use and this Agreement;
2.1.2 obtain disclose PHI as permitted under the HIPAA Privacy Rule for the proper management and administration of Licensed-Only Agent or to carry out the legal responsibilities of Licensed-Only Agent, provided that disclosures are: (a) required by law or (b) Licensed-Only Agent obtains reasonable assurances, in writing assurances from the person or entity to whom the PHI information is disclosed that: (i) the PHI that it will be held in confidence remain confidential and used or further used and disclosed only as required by law or for the purpose for which it was is disclosed to the person or entity; person, and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached; and
2.1.3 agree to notify the Privacy Officer of Covered Entity notifies Licensed-Only Agent of any instances of which it is aware in which the confidentiality of the information has been breached.
(v) Except as otherwise limited in this Agreement, Licensed-Only Agent may use or disclose PHI is to provide Data Aggregation services relating to the health care operations of the Company if such services are required under the Licensed-Only Agent Agreements.
(vi) Licensed-Only Agent shall neither use nor disclose PHI for the purpose of creating de-identified information that will be used or disclosed for a any purpose that is not otherwise provided for other than as directed by Company to carry out the obligations of Licensed-Only Agent set forth in this Agreement or for a purpose not expressly permitted the applicable Licensed-Only Agent Agreements, or as required by the HIPAA Rules or HITECH Actlaw.
Appears in 3 contracts
Samples: Licensed Only Agent Agreement, Licensed Only Agent Agreement, Licensed Only Agent Agreement
Use and Disclosure of PHI. Except as otherwise permitted by this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for permitted or required under other agreements between the proper management parties, this BA Agreement and administration of Business Associateas Required by Law, but shall not otherwise use or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and proceduresdisclose any PHI. Business Associate may shall not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the received from Covered Entity for in any purpose manner that would constitute a violation of HIPAA if so used or disclosed by Covered Entity (except as otherwise provided by set forth in Sections 2.1(a), (b) and (c) of this BA Agreement). To the Agreement and this BAA. extent Business Associate agrees to review and understand carries out any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy RuleHIPAA privacy standards, it Business Associate shall comply with the requirements of the Privacy Rule which HIPAA privacy standards that apply to Covered Entity in the performance of such obligation(s)obligations. Business Associate shall in such casesis permitted to use or disclose PHI as set forth below:
2.1.1 provide information (a) Business Associate may use PHI internally for Business Associate’s proper management and administration or to members of carry out its workforce using legal responsibilities.
(b) Business Associate may disclose PHI to a third party for Business Associate’s proper management and administration, provided that the disclosure is Required by Law or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement;
2.1.2 obtain Business Associate obtains reasonable assurances, in writing assurances from the person or entity third party to whom the PHI is to be disclosed that: that the third party will (i1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI will be held in confidence and further used and disclosed only as required Required by law Law or for the purpose for which it the PHI was disclosed to the person or entity; third party and (ii3) the person or entity will notify Business Associate of any instances of which it the third party is aware in which the confidentiality of the PHI has been breached; and.
2.1.3 agree (c) Business Associate may use PHI to notify provide Data Aggregation services relating to the Privacy Officer Health Care Operations of Covered Entity of if required or permitted under this Agreement.
(d) Business Associate may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Business Associate may disclose de-identified health information for any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules or HITECH Actlaw.
Appears in 2 contracts
Samples: Service Agreement, Service Agreement
Use and Disclosure of PHI. Except Cue may use and disclose PHI as otherwise permitted or required under these Terms or as Required by this Agreement, the HIPAA Rules, or applicable law, Business Associate Law but shall not make otherwise use or disclose any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and PHI. Cue shall not use or disclose PHI received from Your Covered Entity in any manner that would violate the constitute a violation of HIPAA Rules or HITECH Act if so used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Your Covered Entity for any purpose (except as otherwise provided by the Agreement set forth in Sections 2.1(a), (b) and this BAA(c) of these BA Terms). Business Associate agrees to review and understand any state privacy and security laws to To the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry Cue carries out one or more any of Your Covered Entity’s obligations under the Privacy RuleHIPAA privacy standards, it Cue shall comply with the requirements of the Privacy Rule which HIPAA privacy standards that apply to Your Covered Entity in the performance of such obligation(s)obligations. Business Associate shall in such casesWithout limiting the generality of the foregoing, Cue is permitted to use or disclose PHI as set forth below:
2.1.1 provide information i. Cue may use PHI internally for Cue’s proper management and administration or to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreementcarry out Cue’s legal responsibilities;
2.1.2 obtain ii. Cue may disclose PHI to a third party for Cue’s proper management and administration, provided that the disclosure is Required by Law or Cue obtains reasonable assurances, in writing assurances from the person or entity third party to whom the PHI is to be disclosed that: that the third party will (i1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI will be held in confidence and further used and disclosed only as required Required by law Law or for the purpose for which it the PHI was disclosed to the person or entity; third party and (ii3) the person or entity will notify Business Associate Your Covered Entity of any instances of which it the third party is aware in which the confidentiality of the PHI has been breached;
iii. Cue may use PHI to provide Data Aggregation services relating to the Health Care Operations of Your Covered Entity if required or permitted under these Terms;
iv. Cue may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Cue may use or disclose de-identified health information for any purpose permitted by law;
v. Cue may submit PHI for reporting to federal, state, or local public health authorities when permitted or required;
vi. Cue may use and disclose PHI to request an authorization, consent or other form of permission from an Individual and may use and disclose PHI in accordance with any such permission obtained from an Individual; and
2.1.3 agree to notify the Privacy Officer of Covered Entity of any instances of which it is aware in which the vii. Cue may use and disclose PHI is used or disclosed (including, without limitation, a Limited Data Set) for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly Research as permitted by the HIPAA Rules or HITECH Actand other applicable law.
Appears in 2 contracts
Samples: Terms of Use and End User License Agreement, Terms of Use and End User License Agreement
Use and Disclosure of PHI. Except as otherwise permitted by this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any is limited to the following permitted and required uses or disclosures of PHI: Duty to Protect PHI. Business Associate shall protect PHI except from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract. Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this Contract. See 45 CFR 164.514 (d)(2) through (d)(5). Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose PHI as necessary to provide perform the services to, specified in this Contract or on behalf of, Covered Entity as described in the Underlying Agreementrequired by law, and shall not use Use or disclose such PHI in any manner that would violate the HIPAA Rules or HITECH Act Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if used or disclosed done by Covered Entity; provided, however, except for the specific uses and disclosures set forth below. Use for Proper Management and Administration. Business Associate may use Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Disclosure for Proper Management and Administration. 
Business Associate may disclose PHI as necessary for the proper management and administration of Business Associate, Associate or to carry out its the legal responsibilitiesresponsibilities of the Business Associate, consistent with Covered Entity’s minimum necessary policies and procedures. provided the disclosures are required by law, or Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). Business Associate shall in such cases:
2.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement;
2.1.2 obtain obtains reasonable assurances, in writing assurances from the person or entity to whom the PHI information is disclosed that: (i) that the PHI information will be held in confidence remain confidential and used or further used and disclosed only as required by law or for the purpose purposes for which it was disclosed to the person or entity; person, and (ii) the person or entity will notify notifies the Business Associate of any instances of which it is aware in which the confidentiality of the PHI information has been breached; and
2.1.3 agree Breached. Impermissible Use or Disclosure of PHI. Business Associate shall report to notify DOC in writing all Uses or disclosures of PHI not provided for by this Contract within one (1) business day of becoming aware of the Privacy Officer unauthorized Use or disclosure of Covered Entity PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any instances Security Incident of which it is aware in which becomes aware. Upon request by DOC, Business Associate shall mitigate, to the PHI is used extent practicable, any harmful effect resulting from the impermissible Use or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules or HITECH Actdisclosure.
Appears in 2 contracts
Use and Disclosure of PHI. Except MMBS may use and disclose PHI as otherwise permitted or required under this Agreement (including this Addendum) or as Required by this AgreementLaw, the HIPAA Rules, or applicable law, Business Associate but shall not make any uses otherwise use or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and disclose PHI. MMBS shall not use or disclose PHI received from the Medical Practice in any manner that would violate the constitute a violation of HIPAA Rules or HITECH Act if so used or disclosed by Covered Entity; providedthe Medical Practice (except as set forth in Sections 2.1(a), however(b) and (c) of this Addendum). To the extent MMBS carries out any of the Medical Practice’s obligations under the HIPAA Privacy Rule, Business Associate may MMBS shall comply with the requirements of the HIPAA Privacy Rule that apply to the Medical Practice in the performance of such obligations. Without limiting the generality of the foregoing, MMBS is permitted to use and or disclose PHI as necessary set forth below:
(a) MMBS may use PHI internally for the MMBS’s proper management and administration of Business Associate, administrative services or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate ;
(b) MMBS may not use or disclose PHI which it createsto a third party for MMBS’s proper management and administration, receives, maintains provided that the disclosure is Required by Law or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). Business Associate shall in such cases:
2.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement;
2.1.2 obtain MMBS obtains reasonable assurances, in writing assurances from the person or entity third party to whom the PHI is to be disclosed that: that the third party will
(i1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI will be held in confidence and further used and disclosed only as required Required by law Law or for the purpose for which it the PHI was disclosed to the person or entity; third party and (ii3) the person or entity will notify Business Associate MMBS of any instances of which it the person is aware in which the confidentiality of the PHI has been breached;
(c) MMBS may use PHI to provide Data Aggregation services as defined by HIPAA; and
2.1.3 agree (d) MMBS may use PHI to notify the Privacy Officer of Covered Entity of any instances of which it is aware create de-identified health information in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by accordance with the HIPAA Rules de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS may use, create, sell, disclose to third parties and otherwise exploit de-identified health information for any purposes not prohibited by law. MMBS owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or HITECH Actearlier termination of this Agreement.
Appears in 2 contracts
Samples: Revenue Cycle Management Agreement, Revenue Cycle Management Agreement (Plastic Surgery)
Use and Disclosure of PHI. Except Manager may use and disclose individually identifiable protected health information (“PHI”) (as otherwise permitted defined in HIPAA), whether or not maintained or transmitted by “Electronic Media” (as defined in HIPAA), only as required to satisfy its obligations under this Agreement, the HIPAA Rulesas permitted herein, or applicable required by law, Business Associate but shall not make otherwise use or disclose any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, PHI. Manager shall not and shall ensure that its employees, contractors and agents do not use or disclose PHI received from PA or a PC in any manner that would violate constitute a violation of the HIPAA Rules or HITECH Act “Privacy Standards” (as defined in HIPAA) if so used or disclosed by Covered Entity; providedPA or a PC, however, Business Associate except that Manager may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates(i) for Manager’s proper management and administrative services, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. 
Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is (ii) to carry out one the legal responsibilities of Manager, or more (iii) to provide data aggregation services relating to the health care operations of Covered Entity’s obligations PA or the PCs if required under this Agreement, provided that any disclosure for such purposes shall be either required by law or to a recipient who has agreed (a) to maintain the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance confidentiality of such obligation(s). Business Associate shall in such cases:
2.1.1 provide information to members of its workforce using PHI and only further use or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement;
2.1.2 obtain reasonable assurances, in writing from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held in confidence and further used and disclosed only disclose it as required by law or for the purpose purposes for which it was disclosed to the person or entity; recipient, and (iib) to notify Manager in the person or entity will notify Business Associate of any instances of which it is aware in which event the confidentiality of the PHI has been breached; and
2.1.3 agree to notify the Privacy Officer of Covered Entity of any instances of which it is aware in which the such PHI is used or disclosed for a purpose breached. Manager may de-identify PHI pursuant to the specific requirements of HIPAA; any PHI that is not otherwise provided fully de-identified pursuant to HIPAA shall no longer be considered PHI. Manager hereby acknowledges that, as between Manager and PA or the PCs, all PHI shall be and remain the sole property of PA or the applicable PC, including any and all forms thereof developed by Manager in the course of its fulfillment of its obligations pursuant to this Agreement. Manager further represents that, to the extent Manager requests that PA or a PC disclose PHI to Manager, such a request is only for the minimum necessary PHI for the accomplishment of Manager’s purpose. To the extent Manager is to carry out PA’s or a PC’s obligations under the privacy provisions of HIPAA, Manager shall comply with such provisions under HIPAA in this Agreement or for a purpose not expressly permitted by the HIPAA Rules or HITECH Actperforming such obligation.
Appears in 2 contracts
Samples: Services Agreement (Teladoc, Inc.), Services Agreement (Teladoc, Inc.)
Use and Disclosure of PHI. Except Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from Logicalis or the Covered Entity, in any manner that would constitute a violation of the Privacy Standards if used by Logicalis or the Covered Entity, and may only use PHI as otherwise permitted allowed under HIPAA and the HITECH Act for the limited purpose of performing Services on Logicalis’ behalf or as Required by Law. To the extent the terms of the Agreement and the terms of this AgreementBAA are not consistent, the HIPAA Rulesterms of the document that provides the most protection for PHI shall govern. Business Associate agrees to comply with applicable federal and state laws, or applicable law, including but not limited to the Privacy Standards. Business Associate shall not make any uses use or disclosures of disclose PHI except as necessary to provide services to, Services to Logicalis or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. 
Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). Business Associate shall in all cases:
a. provide training to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the Privacy and Security Standards, the Agreement, and this BAA, and other applicable privacy and security laws. The training shall be updated periodically, as the laws and regulations evolve;
b. obtain reasonable assurances from the person or entity to whom or to which PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity and such person or entity agrees to notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached;
c. notify Logicalis as soon as it becomes aware of any instances in which the PHI is used, compromised, inappropriately disclosed, or becomes at risk for breach for a purpose that is not otherwise provided for in this BAA or for a purpose not expressly permitted by the Privacy or Security Standards and notify Logicalis immediately of any security incident of which it becomes aware; and
d. ensure that all disclosures of PHI, including those made for treatment purposes, are subject to the principle of “minimum necessary use and disclosure,” i.e., only PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request may be disclosed.
Appears in 2 contracts
Samples: Business Associate Agreement, Business Associate Agreement
Use and Disclosure of PHI. TSI may use and disclose PHI as permitted or required under this BA Agreement or as Required by Law, but shall not otherwise use or disclose PHI. TSI shall not use or disclose PHI received from End User in any manner that would constitute a violation of HIPAA if so used or disclosed by End User (except as set forth in Sections 1.1(b), (c), (d) and (e) of this BA Agreement). To the extent TSI carries out any of End User’s obligations under the HIPAA Privacy Rule, TSI shall comply with the requirements of the HIPAA Privacy Rule that apply to End User in the performance of such obligations. Without limiting the generality of the foregoing, TSI is permitted to use or disclose PHI as set forth below:
(a) TSI and its Subcontractors may use and disclose PHI to carry out TSI’s duties and obligations and exercise their rights under the XXXX.
(b) TSI and its Subcontractors may use PHI internally for TSI’s or the Subcontractor’s proper management and administrative services or to carry out their legal responsibilities;
(c) TSI and its Subcontractors may disclose PHI to a third party for TSI’s or the Subcontractor’s proper management and administration, provided that the disclosure is Required by Law or TSI or the Subcontractor, as applicable, obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify, as applicable, TSI or the Subcontractor of any instances of which the person is aware in which the confidentiality of the PHI has been breached;
(d) TSI and its Subcontractors may use PHI to provide Data Aggregation services; and
(e) TSI and its Subcontractors may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of TSI under the XXXX, TSI may use, create, sell, disclose to third parties and otherwise exploit de-identified health information for any purposes not prohibited by law. For the avoidance of doubt, the second sentence of this Section 1.1(e) shall survive the expiration or earlier termination of the XXXX or this BA Agreement.
Appears in 1 contract
Samples: Business Associate Agreement
Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI: Duty to Protect PHI. Business Associate must protect PHI from, and will use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to ePHI, to prevent the unauthorized Use or disclosure of PHI for as long as the PHI is within its possession and control, even after the termination or expiration of this DSA. Minimum Necessary Standard. Business Associate will apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this DSA. See 45 CFR 164.514 (d)(2) through (d)(5). Disclosure as Part of the Provision of Services. Business Associate will only Use or disclose PHI as necessary to perform the services specified in this DSA or as required by law, and will not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below. Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate, subject to HCA approval, or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached. Impermissible Use or Disclosure of PHI. Business Associate must report to the contact identified in Subsection 12.1 in writing all Uses or disclosures of PHI not provided for by this DSA within five (5) business days of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident of which it becomes aware. Upon request by HCA, Business Associate will mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.
Appears in 1 contract
Samples: Data Share Agreement
Use and Disclosure of PHI. (a) Except as otherwise provided in this SubBAA, Subcontractor may use or disclose PHI only as reasonably necessary to provide the services described in the Agreement or other activities of Subcontractor permitted or required of Subcontractor by this SubBAA or as required by law.
(b) Except as otherwise limited by this SubBAA, Business Associate authorizes Subcontractor to use PHI in its possession for the proper management and administration of Subcontractor’s business and to carry out its legal responsibilities. Subcontractor may disclose PHI for such purposes, provided that: (i) such disclosures are required by law; or (ii) Subcontractor obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from such third party that the PHI will be held confidential as provided under this SubBAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to such third party; and (b) an agreement from such third party to notify Subcontractor immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of such breach.
(c) Business Associate does not authorize Subcontractor to provide Data Aggregation services with respect to the PHI or to De-Identify the PHI.
(d) Subcontractor shall not transfer PHI outside the United States without the prior written consent of Business Associate. In this context, a “transfer” outside the United States occurs if Subcontractor’s workforce members, agents, or subcontractors physically located outside the fifty United States and United States territories (American Samoa, Guam, Northern Marianas, Puerto Rico, and Virgin Islands) are able to access, use, or disclose PHI which was received from or on behalf of Business Associate.
(e) Subcontractor shall not use or disclose PHI in a manner other than as provided in this SubBAA, as permitted under the HIPAA Rules, or as required by law. Except as permitted under paragraphs (a-b) of this section, Subcontractor will not use or disclose PHI in any manner that would violate applicable laws or regulations, including, without limitation, the HIPAA Rules, if done by Business Associate or Business Associate’s Covered Entity clients. Subcontractor shall use or disclose only the minimum necessary amount of PHI for each use or disclosure it makes of PHI in accordance with the provisions of Section 13405(b) of the HITECH Act and any implementing regulations.
(f) Upon request, Subcontractor shall make available to Business Associate any of Business Associate’s PHI that Subcontractor, or any of its subcontractors or agents, have in their possession.
Appears in 1 contract
Samples: Subagent Agreement
Use and Disclosure of PHI. To fulfill its obligations under the Privacy Rule, Business Associate agrees to do the following:
(a) Business Associate may use or disclose PHI, provided that such use or disclosure of PHI would not violate the Privacy Rule, as follows: (1) as permitted or required in this BAA, including the provision of Services; (2) as Required by Law; (3) for the proper management and administration of Business Associate; (4) to fulfill any present or future legal responsibilities; (5) for Data Aggregation services to Covered Entity; or (6) any use and disclosure of PHI that has been de-identified within the meaning of 45 CFR §164.514.
(b) Use all appropriate safeguards to prevent the unauthorized use or disclosure of PHI and use reasonable efforts to mitigate any harmful effect.
(c) Report to the Covered Entity any unauthorized use or disclosure of PHI within ten (10) business days of becoming aware of such unauthorized use or disclosure. To the extent that such unauthorized use or disclosure of PHI described in this Section 2(c) also constitutes a Breach of Unsecured PHI, the provisions of this Section 2(c) shall not apply, but rather the provisions of Section 5(a) shall apply.
(d) Ensure that any agent, including a subcontractor, to whom it provides PHI agrees to the same restrictions and conditions that apply throughout this BAA to Business Associate with respect to such PHI.
(e) Provide access, at the request of the Covered Entity, and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to the Covered Entity, or as directed by the Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524. Business Associate shall have the right to charge the Individual a reasonable cost-based fee, as permitted by 45 CFR §164.524. Business Associate assumes no obligation to coordinate the provision of PHI maintained by other agents or subcontractors of the Covered Entity or business associates of the Covered Entity’s Group Health Plan.
(f) At the request of the Covered Entity, make amendments to PHI that it maintains in a Designated Record Set, as directed by the Covered Entity, and to incorporate any amendments to PHI in accordance with 45 CFR §164.526.
(g) Make its internal practices, books, and records, including without limitation its policies and procedures and PHI, relating to the Services, available to Covered Entity, or upon its request to the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with Privacy Rule.
(h) Document disclosures of PHI, and information related to such disclosures, as would be required for Covered Entity to respond to an Individual’s request for an accounting of disclosures of PHI in accordance with the Privacy Rule. Such records of disclosure shall include: (1) the date of disclosure; (2) the name of and, if known, the address of the recipient of the PHI; (3) a brief description of PHI disclosed; and (4) a brief statement that would reasonably inform Covered Entity of the purpose of the disclosure. Business Associate shall provide such information in the time and manner requested by Covered Entity.
(i) Request, use or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
(j) To not use or disclose PHI that contains Genetic Information if such use or disclosure would violate XXXX.
(k) not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 42 U.S.C. § 17935(d) as of its Compliance Date.
(l) not make or cause to be made any communication about a product or service that is prohibited by 42 U.S.C. § 17936(a) as of its Compliance Date.
(m) not make or cause to be written fundraising communication that is prohibited by 42 U.S.C. § 17936(b) as of its Compliance Date.
(n) accommodate reasonable requests by Individuals for confidential communications in accordance with 42 U.S.C. § 164.522(b).
Appears in 1 contract
Samples: Hipaa Business Associate Agreement
Use and Disclosure of PHI. Business Associate may receive PHI from multiple sources, including but not limited to: (a) Covered Entity pursuant to the Collaborative Services Agreement; (b) other covered entities pursuant to Covered Entity’s collaborative services agreements with such other covered entities; and (c) other Camden Health Information Exchange (“HIE”) participants through Business Associate’s participation in the HIE. Business Associate may use and disclose HIE data and any PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity only as permitted or required by the Collaborative Services Agreement, this Agreement or as otherwise permitted or required by law. The services provided by Business Associate under the Collaborative Services Agreement include care management, certain consulting services, and HIE coordination. All such uses and disclosures also shall be in compliance with each applicable requirement of 45 C.F.R. § 164.504(e). Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in any manner that would constitute a violation of the Privacy Standards if used in such manner by Covered Entity. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration or legal responsibilities of the Business Associate, provided that disclosures are Required by Law (as defined under 45 C.F.R. § 164.103), or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited in this Agreement, Business Associate may use PHI to provide data aggregation services to the Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI unless Business Associate or Covered Entity has obtained a valid HIPAA-compliant authorization from the individual that specifies whether the PHI can be further exchanged for remuneration by the Business Associate.
Appears in 1 contract
Samples: Hipaa Business Associate Agreement
Use and Disclosure of PHI. Business Associate agrees not to Use or Disclose PHI except:
2.1.1. To provide Services required by the Underlying Agreement provided that to the extent Business Associate is to carry out any of Covered Entity's obligations under 45 C.F.R. 164 Subpart E, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in performing such obligations;
2.1.2. To satisfy its obligations under this BAA;
2.1.3. For the proper management and administration of Business Associate, Associate or to carry out its legal responsibilitiesresponsibilities when: (i) such Disclosure is Required by Law, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more shall not, without the prior written consent of Covered Entity’s obligations under , Disclose any PHI on the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to basis that such disclosure is Required by Law without notifying Covered Entity in so that Covered Entity shall have an opportunity to object to the performance of disclosure and to seek appropriate relief. If Covered Entity objects to such obligation(s)disclosure, Business Associate shall refrain from disclosing the PHI until Covered Entity has exhausted all alternatives for relief. Business Associate shall require reasonable assurances from persons receiving PHI in accordance with this Section hereof that such cases:
2.1.1 persons will provide information Covered Entity with similar notice and opportunity to members of its workforce using or object before disclosing PHI regarding on the confidentiality requirements in the HIPAA Rules and this Agreement;
2.1.2 obtain reasonable assurances, in writing basis that such disclosure is Required by Law; or Business Associate obtains written confirmation from the person or entity to whom the PHI is disclosed being Disclosed that: (i) such person willhold the PHI confidentially; (ii) such person will be held in confidence and further used and disclosed only not Use or Disclose such PHI except as required Required by law Law or for the purpose purpose(s) for which Business Associate Disclosed it was disclosed to the person or entity; them, and (iiiii) the such person or entity will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; and.
2.1.4. To the extent permitted in the Underlying Agreement or otherwise approved in writing by Covered Entity, Business Associate may Use PHI to provide Data Aggregation services to Covered Entity relating to the Health Care Operations of Covered Entity provided, however, that Business Associate may not disclose PHI to any other party in connection with such Data Aggregation activities without the express written permission of Covered Entity.
Appears in 1 contract
Samples: Business Associate Agreement
Use and Disclosure of PHI. (a) Except as otherwise provided in this Addendum, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement, or as otherwise permitted or required of Business Associate by this Addendum or as Required by Law, provided that, such disclosure does not violate HIPAA.
(a) Except as otherwise limited by this Addendum, Business Associate may perform Data Aggregation services for the Covered Entity to the extent such services are required in the Agreement.
(b) Except as otherwise limited by this Addendum, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) such disclosures are Required by Law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from such third party that the PHI will be held confidential as provided under this Addendum and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such third party; and (b) an agreement from such third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI or Breach of Unsecured PHI.
(c) Business Associate shall not use or disclose PHI in a manner other than as provided in this Addendum, as allowed by HIPAA, or as Required by Law. Business Associate will not use or disclose PHI in any manner that would violate applicable laws or regulations, including, without limitation, HIPAA.
(d) Upon request, Business Associate shall make available to Covered Entity any of Covered Entity’s PHI that Business Associate, or any of Business Associate's agents or subcontractors, have in their possession.
(e) Business Associate agrees to comply with the HIPAA minimum necessary requirements at 45 C.F.R. § 164.502(b), as may be amended from time to time.
Appears in 1 contract
Samples: Asset Purchase Agreement (American Caresource Holdings, Inc.)
Use and Disclosure of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from Logicalis or Logicalis’ customer, the Covered Entity, in any manner that would constitute a violation of the Privacy Standards if used by Logicalis or Logicalis’ customer, the Covered Entity, and may only use PHI as allowed under HIPAA and the HITECH Act for the limited purpose of performing Services on Logicalis’s behalf or as Required by Law. To the extent the terms of the Agreement and the terms of this BAA are not consistent, the terms of the document that provides the most protection for PHI shall govern. Business Associate agrees to comply with applicable federal and state laws, including but not limited to the Privacy Standards. Business Associate shall not use or disclose PHI except as necessary to provide Services to Logicalis or Logicalis’ customer, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time.
Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). Business Associate shall in all cases:
a. provide training to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Privacy and Security Standards, the Agreement, and this BAA, and other applicable privacy and security laws. The training shall be updated periodically, as the laws and regulations evolve;
b. obtain reasonable assurances from the person or entity to whom or to which PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity and such person or entity agrees to notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached;
c. notify Logicalis as soon as it becomes aware of any instances of which it is aware in which the PHI is used, compromised, inappropriately disclosed, or becomes at risk for breach for a purpose that is not otherwise provided for in this BAA or for a purpose not expressly permitted by the HIPAA Privacy or Security Standards and notify Logicalis immediately of any security incident of which it becomes aware; and
d. ensure that all disclosures of PHI, including those made for treatment purposes, are subject to the principle of “minimum necessary use and disclosure,” i.e., only PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request may be disclosed.
Appears in 1 contract
Samples: Business Associate Agreement
Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI:
Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract.
Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this Contract. See 45 CFR 164.514 (d)(2) through (d)(5).
Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose PHI as necessary to perform the services specified in this Contract or as required by law, and shall not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below.
Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached.
Impermissible Use or Disclosure of PHI. Business Associate shall report to DSHS in writing all Uses or disclosures of PHI not provided for by this Contract within one (1) business day of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident of which it becomes aware. Upon request by DSHS, Business Associate shall mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.
Appears in 1 contract
Samples: Services Agreement
Use and Disclosure of PHI. EF may use and disclose PHI as permitted or required under this BA Addendum or as Required by Law, but shall not otherwise use or disclose PHI. EF shall not use or disclose PHI received from Customer in any manner that would constitute a violation of HIPAA if so used or disclosed by Customer (except as set forth in Sections 1.1(b), (c), (d) and (e) of this BA Addendum). To the extent EF carries out any of Customer’s obligations under the HIPAA Privacy Rule, EF shall comply with the requirements of the HIPAA Privacy Rule that apply to Customer in the performance of such obligations. Without limiting the generality of the foregoing, EF is permitted to use or disclose PHI as set forth below:
(a) EF and its Subcontractors may use and disclose PHI to carry out EF’s duties and obligations and exercise their rights under the License Agreement.
(b) EF and its Subcontractors may use PHI internally for EF’s or the Subcontractor’s proper management and administrative services or to carry out their legal responsibilities;
(c) EF and its Subcontractors may disclose PHI to a third party for EF’s or the Subcontractor’s proper management and administration, provided that the disclosure is Required by Law or EF or the Subcontractor, as applicable, obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify, as applicable, EF or the Subcontractor of any instances of which the person is aware in which the confidentiality of the PHI has been breached;
(d) EF and its Subcontractors may use PHI to provide Data Aggregation services; and
(e) EF and its Subcontractors may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of EF under the License Agreement, EF may use, create, sell, disclose to third parties and otherwise exploit de-identified health information for any purposes not prohibited by law. For the avoidance of doubt, the second sentence of this Section 1.1(e) shall survive the expiration or earlier termination of the License Agreement or this BA Addendum.
Appears in 1 contract
Samples: Business Associate Addendum
Use and Disclosure of PHI. A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as necessary reasonably to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.
B. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that: (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
C. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH ACT (codified as 42 USC § 17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession.
E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
Appears in 1 contract
Samples: Business Associate Agreement
Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or applicable law, Business Associate shall not use or disclose PHI other than as permitted or required by the Agreement or as Required By Law, except as necessary to conduct an audit of Emergency Medical Billing practices of the LAFD as described in this Agreement and the Contract to or on behalf of the Covered Entity. These activities include a review of selected records and may include the transmitting or receiving of PHI, as may be required from time to time, to other business associates or covered entities on behalf of Covered Entity. Business Associate shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity. Provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). Business Associate shall in such cases:
(a) Provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements of the HIPAA Final Rules and this Agreement;
(b) Obtain reasonable assurances from the person or entity to whom the PHI is disclosed that:
(i) the PHI will be held confidential and further used and disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity; and
(ii) the person or entity will notify Business Associates of any instances of which it is aware in which confidentiality of the PHI has been breached; and
(c) Agree to notify the designated Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules within 24 hours of discovery of the improper use or disclosure, or, if CE’s offices are closed, at the earliest moment following discovery.
Appears in 1 contract
Samples: Professional Services Agreement
Use and Disclosure of PHI. (i) Except as otherwise limited in this Agreement, Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Company as specified in the Associate Agreements, provided that such use or disclosure would not violate the HIPAA Privacy & Security Rules if done by Company or the minimum necessary policies and procedures of Company. Company has the right to amend this Agreement at any time with respect to permitted uses and disclosures by Associate.
(ii) To the extent Associate is to carry out one or more of Company’s obligations under Subpart E of 45 C.F.R. Part 164, Associate agrees to comply with the requirements of Subpart E that apply to the Company in the performance of such obligations.
(iii) Associate may use or disclose PHI as required by law.
(iv) Associate shall not use or disclose, and shall ensure that its directors, officers, employees, agents, and subcontractors do not use or disclose, PHI in any manner that would constitute a violation of the HIPAA Privacy Rule or the HITECH Act if done by Company, except that Associate may use and disclose PHI as permitted under the HIPAA Privacy Rule for the proper management and administration of Associate or to carry out the legal responsibilities of Associate, provided that disclosures are: (a) required by law or (b) Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it is disclosed to the person, and the person notifies Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(v) Except as otherwise limited in this Agreement, Associate may use or disclose PHI to provide Data Aggregation services relating to the health care operations of the Company if such services are required under the Associate Agreements.
(vi) Associate shall neither use nor disclose PHI for the purpose of creating de-identified information that will be used for any purpose other than as directed by Company to carry out the obligations of Associate set forth in this Agreement or the applicable Associate Agreements, or as required by law.
Appears in 1 contract
Samples: Licensed Only Agent Agreement
Use and Disclosure of PHI. A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as necessary reasonably to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.
B. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
C. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH ACT (codified as 42 USC
D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession.
E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
Appears in 1 contract
Samples: Business Associate Agreement
Use and Disclosure of PHI. (a) Except as otherwise permitted by provided in this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, howeverAddendum, Business Associate may use and or disclose PHI as reasonably necessary to provide the services described in the Agreement, or as otherwise permitted or required of Business Associate by this Addendum or as Required by Law, provided that, such disclosure does not violate HIPAA.
(b) Except as otherwise limited by this Addendum, Business Associate may perform Data Aggregation services for the Covered Entity to the extent such services are required in the Agreement.
(c) Except as otherwise limited by this Addendum, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate, or ’s business and to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may disclose PHI for its proper management and administration, provided that (i) such disclosures are Required by Law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from such third party that the PHI will be held confidential as provided under this Addendum and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such third party; and (b) an agreement from such third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI or Breach of Unsecured PHI.
(d) Business Associate shall not use or disclose PHI which it createsin a manner other than as provided in this Addendum, receivesas allowed by HIPAA, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided Required by the Agreement and this BAALaw. Business Associate agrees to review and understand will not use or disclose PHI in any state privacy and security manner that would violate applicable laws to the extent that such laws are not preempted by or regulations, including, without limitation, HIPAA, as may be amended from time to time. .
(e) Upon request, Business Associate shall make available to Covered Entity any of Covered Entity’s PHI that Business Associate, or any of Business Associate's agents or subcontractors, have in their possession.
(f) Business Associate agrees to comply with the HIPAA minimum necessary requirements at 45 C.F.R. § 164.502(b), as may be amended from time to time.
Appears in 1 contract
Samples: Asset Purchase Agreement (American Caresource Holdings, Inc.)
Use and Disclosure of PHI. a. Except as otherwise limited by this Addendum, SIRUM may use and disclose PHI as necessary to provide the services described in the Agreement, or as otherwise permitted or required of SIRUM by this Addendum or as Required by Law.
b. Except as otherwise limited by this Addendum, SIRUM may de-identify PHI and that de-identified information shall not be further restricted under this Addendum. SIRUM may, in accordance with HIPAA, use PHI to perform data aggregation services for the healthcare operations of Covered Entity.
c. Except as otherwise limited by this Addendum, Covered Entity authorizes SIRUM to use the PHI in its possession for the proper management and administration of SIRUM’s business and to carry out its legal responsibilities. SIRUM may disclose PHI for its proper management and administration, provided that (i) such disclosures are Required by Law; or (ii) SIRUM obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from such third party that the PHI will be held confidential as provided under this Addendum and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such third party; and (b) an agreement from such third party to notify SIRUM of any breaches of the confidentiality of the PHI or Breach of Unsecured PHI.
x. XXXXX shall not use or disclose PHI in a manner other than as permitted by this Addendum or as Required by Law, and, to the extent SIRUM is to carry out any of Covered Entity’s obligations under the Privacy Rule, SIRUM will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of those obligations.
e. Upon request, SIRUM shall make available to Covered Entity within thirty (30) days any PHI that SIRUM has in its possession.
Appears in 1 contract
Samples: Donor User Agreement
Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or as Required by Law, Business Associate shall not Use or Disclose PHI except as necessary, in its sole discretion, to provide services to or on behalf of Covered Entity, and shall not Use or Disclose PHI in a manner that would violate the Privacy Rule if Used or Disclosed by Covered Entity. Each such Use or Disclosure must either be Required By Law or in compliance with each applicable requirement of this Agreement, and Business Associate may not Use or Disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity; provided, however, Business Associate may Use and Disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, or the Data Aggregation services described below. Business Associate shall in such cases obtain reasonable assurances from the person or entity to whom the PHI is Disclosed that: (a) the PHI will be held confidential and further Used and Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person or entity; and (b) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached. Business Associate may also Disclose PHI to a Subcontractor and may allow the Subcontractor to create, receive, maintain or transmit PHI on its behalf, if Business Associate obtains a written agreement with the Subcontractor in accordance with 45 CFR 164.504(e)(1)(i) and this Agreement that the Subcontractor will appropriately safeguard the information. Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B). Business Associate shall provide information to members of its workforce Using or Disclosing PHI regarding the requirements of the Privacy Rule, the Security Rule, and this Agreement. Business Associate agrees to notify the designated Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is Used or Disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Privacy Rule or the Security Rule, or in which a Breach has occurred, within three (3) business days of becoming aware of the improper Use or Disclosure or Breach. Business Associate shall not Use or further Disclose PHI other than as permitted or required by this Agreement or as Required By Law. The parties acknowledge that applicable law requires Business Associate to Disclose PHI when required to do so by the Secretary to investigate Business Associate’s compliance with regulations promulgated under HIPAA Rules or the HITECH Act, or to the Covered Entity, individual who is the subject of the PHI, or the individual’s designee, as necessary to satisfy Covered Entity’s obligations with respect to an individual’s request for an electronic copy of PHI.
Appears in 1 contract
Samples: Business Associate Agreement
Use and Disclosure of PHI. Cue may use and disclose PHI as permitted or required under these Terms or as Required by Law but shall not otherwise use or disclose any PHI. Cue shall not use or disclose PHI received from Your Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by Your Covered Entity (except as set forth in Sections 2.1(a), (b) and (c) of these BA Terms). To the extent Cue carries out any of Your Covered Entity’s obligations under the HIPAA privacy standards, Cue shall comply with the requirements of the HIPAA privacy standards that apply to Your Covered Entity in the performance of such obligations. Without limiting the generality of the foregoing, Cue is permitted to use or disclose PHI as set forth below:
i. Cue may use PHI internally for Cue’s proper management and administration or to carry out Cue’s legal responsibilities;
ii. Cue may disclose PHI to a third party for Cue’s proper management and administration, provided that the disclosure is Required by Law or Cue obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify Your Covered Entity of any instances of which the third party is aware in which the confidentiality of the PHI has been breached;
iii. Cue may use PHI to provide Data Aggregation services relating to the Health Care Operations of Your Covered Entity if required or permitted under these Terms;
iv. Cue may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Cue may use or disclose de-identified health information for any purpose permitted by law;
v. Cue may submit PHI for reporting to federal, state, or local public health authorities when permitted or required;
vi. Cue may use and disclose PHI to request an authorization, consent or other form of permission from an Individual and may use and disclose PHI in accordance with any such permission obtained from an Individual; and
vii. Cue may use and disclose PHI (including, without limitation, a Limited Data Set) for Research as permitted by HIPAA and other applicable law.
Appears in 1 contract
Use and Disclosure of PHI. a) BUSINESS ASSOCIATE will hold and keep the PHI strictly confidential and use and/or disclose PHI only as required or permitted under the terms of the Contract and this Agreement.
b) The BUSINESS ASSOCIATE may use and/or disclose the PHI as necessary for the proper management and administration of the BUSINESS ASSOCIATE, or to carry out the legal responsibilities of the BUSINESS ASSOCIATE. However, such use and/or disclosure must be either required by law or, prior to making use of the PHI or disclosing PHI, the BUSINESS ASSOCIATE must obtain reasonable assurance from the person or entity to whom the PHI will be disclosed that the PHI: (i) will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed; and (ii) the person or entity to whom it is disclosed agrees to notify the BUSINESS ASSOCIATE of any instance of which the person is aware in which the confidentiality of the PHI has been breached.
c) The BUSINESS ASSOCIATE may use the PHI to provide data aggregation services to the PRACTICE. Data aggregation means, with respect to PHI, the combining of the PHI by the BUSINESS ASSOCIATE with protected health information received by the BUSINESS ASSOCIATE in its capacity as a BUSINESS ASSOCIATE of another health care provider to permit data analysis that relates to the health care operations (excluding genetic information) of the PRACTICE and the other health care provider.
d) To the extent the BUSINESS ASSOCIATE is to carry out one or more of Practice's obligation(s) under HIPAA Rules; comply with the requirements of Subpart E that apply to the PRACTICE in the performance of such obligation(s).
e) BUSINESS ASSOCIATE obligations and permitted uses of PHI are as follows: Processing insurance claims Scheduling appointments, electronic billing Patient health information EHR information
f) BUSINESS ASSOCIATE will ensure that any agents, including subcontractors, to whom it provides in writing to the same restrictions and conditions including but not limited to those relating to termination of the contract for disclosure, that apply to BUSINESS ASSOCIATE with respect to such information. BUSINESS ASSOCIATE shall terminate any agreement with an agent or subcontractor, if any, who fails to abide by such restrictions and obligations.
Appears in 1 contract
Samples: Business Associate Agreement
Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI:
Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract.
Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this Contract. See 45 CFR 164.514 (d)(2) through (d)(5).
Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose PHI as necessary to perform the services specified in this Contract or as required by law, and shall not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below.
Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached.
Impermissible Use or Disclosure of PHI. Business Associate shall report to DSHS in writing all Uses or disclosures of PHI not provided for by this Contract within one (1) business day of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any security incident of which it becomes aware. Upon request by DSHS, Business Associate shall mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.
Appears in 1 contract
Samples: Services Agreement
Use and Disclosure of PHI. Treatment, Payment and Operations (“TPO”): Business Associate agrees to create, receive, maintain, transmit, use, or disclose PHI only in a manner that is consistent with this Agreement and the HIPAA Security and Privacy Rule and only in connection with providing the services to or on behalf of Covered Entity identified in any existing Service Agreement and amendments thereto. Accordingly, in providing services to or on behalf of the Covered Entity, the Business Associate, for example, will be permitted to use and disclose PHI for Treatment, Payment and Healthcare Operations consistent with the HIPAA Security and Privacy Rule, without obtaining authorization. PHI does not include summary health information or information that has been de-identified in accordance with the standards for de-identification provided for in the HIPAA Security and Privacy Rule. Other Permissible Uses and Disclosures: As permitted by 42 CFR §164.504(e)(4) Business Associate also may use or disclose PHI it receives in its capacity as a Business Associate to the Covered Entity if: The use relates to: (1) the proper management and administration of the Business Associate or to carry out legal responsibilities of the Business Associate, or (2) data aggregation services relating to the health care operations of the Covered Entity; or The disclosure of PHI received in such capacity may be made in connection with a function, responsibility, or service identified above in (i)(1), and such disclosure is (1) required by law, or (2) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential, and the person agrees to notify the Business Associate of any breaches of confidentiality; or The disclosure of PHI is made, if applicable, pursuant to 42 CFR §423.884(b), notwithstanding any provisions to the contrary, Covered Entity agrees that the Business Associate (on behalf of the Covered Entity) may disclose PHI to the Center for Medicare and Medicaid Services (“CMS”) to the extent necessary to comply with Subpart R of 42 CFR §423 relating to applications for drug subsidy payment to the Plan Sponsor in connection with the prescription drug benefit under the
Appears in 1 contract
Samples: Business Associate Agreement
Use and Disclosure of PHI. Company may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose PHI. Company shall not use or disclose PHI received from the Client in any manner that would constitute a violation of HIPAA if so used or disclosed by the Client (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent Company carries out any of the Client’s obligations under the HIPAA Privacy Rule, Company shall comply with the requirements of the HIPAA Privacy Rule that apply to the Client in the performance of such obligations. Without limiting the generality of the foregoing, Company is permitted to use or disclose PHI as set forth below:
(a) Company may use PHI internally for Company’s proper management and administrative services or to carry out its legal responsibilities;
(b) Company may disclose PHI to a third party for Company’s proper management and administration, provided that the disclosure is Required by Law or Company obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify Company of any instances of which the person is aware in which the confidentiality of the PHI has been breached;
(c) Company may use PHI to provide Data Aggregation services as defined by HIPAA;
(d) Company may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of Company under this Agreement, Company may use, create, sell, disclose to third parties and otherwise commercialize de-identified health information for any purposes not prohibited by law. Company owns all right, title and interest in such de-identified health information and any data, information and material created by Company with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement;
(e) Company may use and disclose PHI to develop, create, improve, update or otherwise change currently contracted for or new products and services for Client and other customers of Company;
(f) Company may use and disclose PHI for purposes of obtaining an authorization to use and disclose PHI or any other permission from an individual and
(g) Company may use and disclose PHI for Research purposes as permitted by applicable law.
Appears in 1 contract
Samples: Standard Terms and Conditions
Use and Disclosure of PHI. Except as otherwise permitted by this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, received from Covered Entity or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. created or received by Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except only as otherwise provided permitted or required by the Agreement and this BAAlaw. Business Associate agrees to review and understand any state privacy and security laws to To the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of the Covered Entity’s obligations obligation(s) under the Privacy RuleSubpart E of 45 CFR Part 164, it shall comply with the requirements of the Privacy Rule which Subpart E that apply to the Covered Entity in the performance of such obligation(s). Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in any manner that would constitute a violation of the Privacy Standards if used in such cases:
2.1.1 provide manner by Covered Entity, except as otherwise limited in this Agreement. Business Associate may only use or disclose protected health information it receives or is provided from the Covered Entity necessary to members of its workforce using or disclosing PHI regarding perform the confidentiality requirements services set forth in the HIPAA Rules attached Participation Agreement. Business Associate may disclose PHI for the proper management and this Agreement;
2.1.2 obtain administration or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required by Law (as defined under 45 C.F.R. § 164.103), or Business Associate obtains reasonable assurances, in writing assurances from the person or entity to whom the PHI information is disclosed that: (i) the PHI that it will be held in confidence remain confidential and used or further used and disclosed only as required Required by law Law or for the purpose for which it was disclosed to the person or entity; person, and (ii) the person or entity will notify notifies the Business Associate of any instances of which it is aware in which the confidentiality of the PHI information has been breached; and
2.1.3 agree . Except as otherwise limited in this Agreement, Business Associate may use PHI to notify provide data aggregation services to the Privacy Officer of Covered Entity of as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Business Associate shall not directly or indirectly receive remuneration in exchange for any instances of which it is aware in which PHI unless Business Associate or Covered Entity has obtained a valid HIPAA-compliant authorization from the individual that specifies whether the PHI is used or disclosed can be further exchanged for a purpose that is not otherwise provided remuneration by Business Associate. Business Associate agrees to make uses and disclosures for protected health information subject to the Minimum Necessary requirements in this Agreement or for a purpose not expressly permitted by the HIPAA Rules or HITECH Act 45 C.F.R. § 164.502(b) and § 164.514.
Appears in 1 contract
Samples: Participation Agreement
Use and Disclosure of PHI. Except as otherwise permitted by this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, received from Covered Entity or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. created or received by Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except only as permitted or required by the Exchange Agreement, this BAA, or as otherwise provided permitted or required by the Agreement and this BAA law. Business Associate agrees to review and understand any state privacy and security laws to To the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of the Covered Entity’s obligations under the Privacy Rule Subpart E of 45 C.F.R. Part 164, it shall Business Associate must comply with the requirements of the Privacy Rule which Subpart E that apply to the Covered Entity in the performance of such obligation(s) obligations. All such uses and disclosures also shall be in compliance with each applicable requirement of 45 C.F.R. § 164.504(e).
Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents, including subcontractors, do not use or disclose PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in any manner that would constitute a violation of the Privacy Standards if used in such cases:
2.1.1 provide information manner by Covered Entity. Except as otherwise limited in this BAA, Business Associate may disclose PHI for the proper management and administration of the Business Associate or to members carry out the legal responsibilities of its workforce using the Business Associate, provided that disclosures are Required by Law (as defined under 45 C.F.R. § 164.103), or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement;
2.1.2 obtain Business Associate obtains reasonable assurances, in writing assurances from the person or entity to whom the PHI information is disclosed that: (i) the PHI that it will be held in confidence remain confidential and used or further used and disclosed only as required Required by law Law or for the purpose for which it was disclosed to the person or entity; person, and (ii) the person or entity will notify notifies the Business Associate of any instances of which it is aware in which the confidentiality of the PHI information has been breached; and
2.1.3 agree . Except as otherwise limited in this BAA, Business Associate may use PHI to notify provide data aggregation services to the Privacy Officer of Covered Entity of as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Business Associate shall not directly or indirectly receive remuneration in exchange for any instances of which it is aware in which PHI unless Business Associate or Covered Entity has obtained a valid HIPAA-compliant authorization from the individual that specifies whether the PHI is used or disclosed can be further exchanged for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted remuneration by the HIPAA Rules or HITECH Act Business Associate.
Appears in 1 contract
Samples: Business Associate Agreement