Use and Disclosure of PHI. a. PHI, in electronic form or otherwise, may be used or disclosed only when required by law or as necessary to enable Agent to satisfy the obligations and to perform the functions, activities, services and operations to which Agent is contractually obligated by Company. Agent shall not and shall ensure that its directors, officers, employees, contractors and agents do not use PHI received from the Company in any manner that would constitute a violation of applicable law.
b. Agent shall not and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from the Company in any manner that would constitute a violation of applicable law if used or disclosed by the Company. Agent may disclose PHI (a) as permitted and pursuant to the requirements of this Addendum or (b) as required by law.
c. To the extent Agent discloses PHI to a third party, Agent must obtain, prior to making any such disclosure:
1. Reasonable assurances evidenced by written contract from such third party that PHI will be held confidential and safeguarded consistent with the terms of this Addendum, and only used or further disclosed for the purpose for which Agent disclosed it to the third party or as required by law; and
2. An agreement from such third party to immediately notify Agent (who will in turn notify the Company in accordance with Section 4 of this Addendum A) of any:
i. Unauthorized access, use or disclosure of PHI;
ii. Security Incident as defined in 45 C.F.R. §164.304 and further explained in Section 4(b) of this Addendum; and
iii. Breaches of the confidentiality of the PHI, as “Breach” is defined by 45 C.F.R. §164.402, to the extent such third party has discovered such unauthorized access, use or disclosure of PHI, Security Incident or Breach.
d. Agent shall utilize a Limited Data Set, if practicable, for all uses, disclosures or requests of PHI. Otherwise, any uses or disclosures of PHI shall be limited to the “Minimum Necessary,” as defined in 45 C.F.R. §514(d) and any further guidance that may be issued by the Department of Health and Human Services. Agent acknowledges its obligation under 45 C.F.R. §164.502(b) to determine what constitutes the minimum necessary to accomplish the intended purposes of any disclosure of PHI.
e. To the extent that Agent fulfills Company’s obligations under Subpart E of 45 C.F.R. Part 164, Agent will comply with the requirements of this Subpart as such obligations apply to Company.
Appears in 2 contracts
Samples: Agent Agreement, Agent Agreement
Use and Disclosure of PHI. a. PHI, in electronic form or otherwise, may be used or disclosed only when required by law or as necessary to enable Agent to satisfy the obligations and to perform the functions, activities, services and operations to which required the Agent is contractually obligated Agreement entered into by Companythe Company and Agent. Agent shall not and shall ensure that its directors, officers, employees, contractors and agents agents, do not not, use PHI received from the Company in any manner that would constitute a violation of applicable law.
b. Agent shall not and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from the Company in any manner that would constitute a violation of applicable law if used or disclosed by the Company. Agent may disclose PHI (a) as permitted and pursuant to the requirements of this Addendum or (b) as required by law.
c. To the extent Agent discloses PHI to a third party, Agent must obtain, prior to making any such disclosure:
1. Reasonable assurances evidenced by written contract from such third party that PHI will be held confidential and safeguarded consistent with the terms of this Addendum, and only used or further disclosed for the purpose for which Agent disclosed it to the third party or as required by law; and
2. An agreement from such third party to immediately notify Agent (who will in turn notify the Company in accordance with Section 4 1.4 of this Addendum AAddendum) of any:
i. a. Unauthorized access, use or disclosure of PHI;
ii. b. Security Incident as defined in 45 C.F.R. §164.304 and further explained in Section 4(b) 1.4.b of this Addendum; and
iii. c. Breaches of the confidentiality of the PHI, as “Breach” Breach is defined by 45 C.F.R. §164.40213400(1)(A) (42 U.S.C. §17921(1)(A)) of the HITECH Act, to the extent such third party has discovered such unauthorized access, use or disclosure of PHI, Security Incident or Breach.
d. Agent shall utilize a Limited Data Set, if practicable, for all uses, disclosures or requests of PHI. Otherwise, any uses or disclosures of PHI shall be limited to the “Minimum Necessary,” as defined in 45 C.F.R. §514(d) and any further guidance that may be issued by pursuant to the Department of Health and Human Servicesrequirements set forth in the HITECH Act at §13405(b). Agent acknowledges its obligation under 45 C.F.R. §164.502(b13405(b)(2) (42 U.S.C. §17935(b)(2)) of the HITECH Act to determine what constitutes the minimum necessary to accomplish the intended purposes of any disclosure of PHI.
e. To the extent that Agent fulfills Company’s obligations under Subpart E of 45 C.F.R. Part 164, Agent will comply with the requirements of this Subpart as such obligations apply to Company.
Appears in 2 contracts
Samples: Producer Contracting Agreement, Selling Agent Agreement
Use and Disclosure of PHI. a. PHIExcept as otherwise provided in this BAA, in electronic form or otherwise, Business Associate may be used or disclosed only when required by law or as necessary to enable Agent to satisfy the obligations and to perform the functions, activities, services and operations to which Agent is contractually obligated by Company. Agent shall not and shall ensure that its directors, officers, employees, contractors and agents do not use PHI received from the Company in any manner that would constitute a violation of applicable law.
b. Agent shall not and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from as reasonably to provide the Company services described in any manner that would constitute a violation the Agreement to Covered Entity, and to undertake other activities of applicable law if used Business Associate permitted or disclosed required of Business Associate by the Company. Agent may disclose PHI (a) as permitted and pursuant to the requirements of this Addendum BAA or (b) as required by law.
c. To . Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the extent Agent discloses PHI in its possession for the proper management and administration of Business Associate’s business and to a third partycarry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, Agent must obtainprovided that (i) the disclosures are by law; or (ii) Business Associate obtains, in writing, prior to making any such disclosure:
1. Reasonable disclosure to a third party (a) reasonable assurances evidenced by written contract from such this third party that the PHI will be held confidential as provided under this BAA and safeguarded consistent with the terms of this Addendum, and only used or further disclosed only as required by law or for the purpose for which Agent it was disclosed it to the this third party or as required by law; and
2. An and (b) an agreement from such this third party to notify Business Associate immediately notify Agent (who will in turn notify the Company in accordance with Section 4 of this Addendum A) of any:
i. Unauthorized access, use or disclosure of PHI;
ii. Security Incident as defined in 45 C.F.R. §164.304 and further explained in Section 4(b) of this Addendum; and
iii. Breaches any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach. Business Associate will not use or disclose PHI in a manner other than as “Breach” is defined provided in this BAA, as permitted under the Privacy Rule, or as required by 45 C.F.R. §164.402law. Business Associate will use or disclose PHI, to the extent such third party has discovered such unauthorized accesspracticable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH ACT (codified as 42 USC § 17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI. Upon request, Security Incident Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or Breachany of its agents or subcontractors have in their possession. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
d. Agent shall utilize a Limited Data Set, if practicable, for all uses, disclosures or requests of PHI. Otherwise, any uses or disclosures of PHI shall be limited to the “Minimum Necessary,” as defined in 45 C.F.R. §514(d) and any further guidance that may be issued by the Department of Health and Human Services. Agent acknowledges its obligation under 45 C.F.R. §164.502(b) to determine what constitutes the minimum necessary to accomplish the intended purposes of any disclosure of PHI.
e. To the extent that Agent fulfills Company’s obligations under Subpart E of 45 C.F.R. Part 164, Agent will comply with the requirements of this Subpart as such obligations apply to Company.
Appears in 2 contracts
Samples: Business Associate Agreement, Business Associate Agreement