Common use of Uses or Disclosures Clause in Contracts

Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this Addendum or as Required By Law. To the extent Associate is to carry out an obligation of Entity under the HIPAA Rules, Associate shall comply with the requirements of the HIPAA Rules that apply to Entity in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA Rules. Associate is permitted to use and disclose PHI: (a) to perform any and all obligations of Associate as described in the Service Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 Regulations, if done by Entity directly; (b) to perform Data Aggregation services relating to the health care operations of Entity, provided that such services are part of Associate’s obligations as set forth in the Service Agreement; (c) to create de-identified information in accordance with 45 C.F.R. § 164.514(b), provided that such de-identified information may be used and disclosed only consistent with applicable law; and (d) as necessary for Associate’s proper management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) provided that: any disclosure made for purposes of Associate’s Operations is Required By Law or is made after Associate obtains reasonable assurances, evidenced by a written contract, from the recipient that the recipient: (i) will hold such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; (ii) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; (iii) acknowledges in writing that, in receiving PHI, the recipient is fully bound by the Part 2 Regulations; and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made for purposes of Associate’s Operations. In the event Entity notifies Associate of a restriction request that would restrict a use or disclosure otherwise permitted by this Addendum, Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this Addendum or as Required By Law. To the extent Associate is to carry out an obligation of a Covered Entity under the HIPAA Rules45 CFR Part 164, Subparts A and E, Associate shall comply with the requirements of the HIPAA Rules 45 CFR Part 164, Subparts A and E that apply to such Covered Entity in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA Rules. Associate is permitted to use and disclose PHI: (a) to perform any and all obligations of Associate as described in the Service Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 RegulationsRules, if done by Entity directly; (b) as otherwise permitted by law, provided that such use or disclosure would not violate the HIPAA Rules, if done by Entity directly and provided that Entity gives its prior written consent; (c) to perform Data Aggregation services relating to the Entity’s health care operations of Entity, provided that such services are part of Associate’s obligations as set forth in the Service Agreementoperations; (cd) to create de-identified information in accordance report violations of the law to federal or state authorities consistent with 45 C.F.R. CFR § 164.514(b164.502(j)(1), provided that such de-identified information may be used and disclosed only consistent with applicable law; and; (de) as necessary for Associate’s proper management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) ), provided that: any disclosure made that Associate may only disclose PHI for purposes of Associate’s Operations if the disclosure is Required By Law or is made after Associate obtains reasonable assurancesassurance, evidenced by a written contract, from the recipient that the recipientrecipient will: (i1) will hold such PHI in confidence and use or further disclose it only for the purpose for which Associate it was disclosed it to the recipient or as Required By Law; and (ii2) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; ; (iiif) acknowledges to create de-identified information in writing thataccordance with 45 CFR § 164.514(b), in receiving PHIprovided that such de-identified information may be used and disclosed only consistent with applicable law; (g) to create a limited data set as defined at 45 CFR §164.514(e)(2), the recipient is fully bound by the Part 2 Regulations; provided that Associate will only use and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made disclose such limited data set for purposes of Associate’s Operationsresearch, public health or health care operations and will comply with the data use agreement requirements of 45 CFR §164.514(e)(4), including that Associate will not identify the information or contact the individuals. In the event Entity notifies Associate of a restriction request that would restrict a use or disclosure otherwise permitted by this Addendum, Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this Addendum BAA or as Required By Law. To the extent Associate is to carry out an obligation of Entity under the HIPAA Rules, Associate shall comply with the requirements of the HIPAA Rules that apply to Entity in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA Rules. Associate is permitted to use and disclose PHI: (a) to perform any and all obligations of Associate as described in the Service Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 Regulations, if done by Entity directly; (b) otherwise permitted by law, provided that such use or disclosure would not violate the HIPAA Rules, if done by Entity directly and provided that Entity gives its prior written consent; (c) to perform Data Aggregation services relating to the health care operations of Entity, provided that such services are part of Associate’s obligations as set forth in the Service Agreement; (cd) to create de-identified information in accordance report violations of the law to federal or state authorities consistent with 45 C.F.R. § 164.514(b164.502(j)(1), provided that such de-identified information may be used and disclosed only consistent with applicable law; and; (de) as necessary for Associate’s proper management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) ), provided that: any disclosure made that Associate may only disclose PHI for purposes of Associate’s Operations if the disclosure is Required By Law or is made after Associate obtains reasonable assurancesassurance, evidenced by a written contract, from the recipient that the recipientrecipient will: (i1) will hold such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; and (ii2) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; ; (iiif) acknowledges to de-identify PHI in writing thataccordance with 45 C.F.R. § 164.514(b), in receiving PHI, the recipient is fully bound by the Part 2 Regulations; provided that such de- identified information may be used and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made for purposes of Associate’s Operationsdisclosed only consistent with applicable law. In the event Entity notifies Associate of a restriction request that would restrict a use or disclosure otherwise permitted by this AddendumBAA, Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this Addendum BAA or as Required By Law. To the extent Associate is to carry out an obligation of Entity under the HIPAA Rules, Associate shall comply with the requirements of the HIPAA Rules that apply to Entity in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA Rules. Associate is permitted to use and disclose PHI: : (a) to perform any and all obligations of Associate as described in the Service Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules if done by Entity directly; (b) otherwise permitted by law, provided that such use or disclosure would not violate the Part 2 RegulationsHIPAA Rules, if done by Entity directly; directly and provided that Entity gives its prior written consent; (bc) to perform Data Aggregation services relating to the health care operations of Entity, provided that such services are part of Associate’s obligations as set forth in the Service Agreement; ; (cd) to create de-identified information in accordance report violations of the law to federal or state authorities consistent with 45 C.F.R. § 164.514(b164.502(j)(1), provided that such de-identified information may be used and disclosed only consistent with applicable law; and (de) as necessary for Associate’s proper management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) ), provided that: any disclosure made that Associate may only disclose PHI for purposes of Associate’s Operations if the disclosure is Required By Law or is made after Associate obtains reasonable assurancesassurance, evidenced by a written contract, from the recipient that the recipientrecipient will: (i) will hold such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; and (ii) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; (iiif) acknowledges to de-identify PHI in writing thataccordance with 45 C.F.R. § 164.514(b), in receiving PHI, the recipient is fully bound by the Part 2 Regulations; provided that such de-identified information may be used and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made for purposes of Associate’s Operationsdisclosed only consistent with applicable law. In the event Entity notifies Associate of a restriction request that would restrict a use or disclosure otherwise permitted by this AddendumBAA, Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Business Associate will neither use nor disclose PHI except as permitted or required by this Addendum BAA or as Required By Law. To the extent Business Associate is to carry out an obligation of Entity Customer under the HIPAA Rules45 CFR Part 164, Subpart E, Business Associate shall comply with the requirements of the HIPAA Rules 45 CFR Part 164, Subpart E that apply to Entity Customer in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA Rules. Business Associate is permitted to use and disclose PHI:: DRAFT (a) to perform any and all obligations of Business Associate as described in the Service Onsite Services Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 Regulations, if done by Entity Customer directly; (b) otherwise permitted by law, provided that such use or disclosure would not violate the HIPAA Rules, if done by Customer directly and provided that Customer gives its prior written consent; (c) to perform Data Aggregation services relating to the health care operations of EntityCustomer; (d) to report violations of the law to federal or state authorities consistent with 45 C.F.R. § 164.502(j)(1); (e) as necessary for Business Associate’s proper management and administration and to carry out Business Associate’s legal responsibilities (collectively “Business Associate’s Operations”), provided that such services are part of Business Associate may only disclose PHI for Business Associate’s obligations Operations if the disclosure is Required By Law or Business Associate obtains reasonable assurance, evidenced by a written contract, from the recipient that the recipient will: (1) hold such PHI in confidence and use or further disclose it only for the purpose for which Business Associate disclosed it to the recipient or as set forth Required By Law; and (2) notify Business Associate of any instance of which the recipient becomes aware in which the Service Agreementconfidentiality of such PHI was breached; (cf) to create de-identified information in accordance with 45 C.F.R. § 164.514(b), provided that such de-de- identified information may be used and disclosed only consistent with applicable law; and; (dg) to create a limited data set as necessary for Associate’s proper management defined at 45 CFR §164.514(e)(2), provided that Business Associate will only use and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) provided that: any disclosure made disclose such limited data set for purposes of Associate’s Operations is Required By Law research, public health or is made after health care operations and will comply with the data use agreement requirements of 45 CFR §164.514(e)(4), including that Business Associate obtains reasonable assurances, evidenced by a written contract, from will not identify the recipient that information or contact the recipient: (i) will hold such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; (ii) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; (iii) acknowledges in writing that, in receiving PHI, the recipient is fully bound by the Part 2 Regulations; and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made for purposes of Associate’s Operationsindividuals. In the event Entity Customer notifies Business Associate of a an Individual’s restriction request granted pursuant to 45 CFR §164.522 that would restrict a use or disclosure otherwise permitted by this AddendumSection, Business Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this Addendum or as Required By by Law. To the extent Associate is to carry out an obligation of a Covered Entity under the HIPAA RulesPrivacy and Security Rule, Associate shall comply with the requirements of the HIPAA Rules Privacy and Security Rule that apply to Entity Covered Entities in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA RulesPrivacy and Security Rule and HITECH. Associate is permitted to use and disclose PHI: (ai) to perform any and all obligations of Associate as described in the Service Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 RegulationsPrivacy and Security Rule, if done by Entity directly; (bii) as otherwise permitted by law, provided that such use or disclosure would not violate the Privacy and Security Rule, if done by Entity directly and provided that Entity gives its prior written consent; (iii) to perform Data Aggregation services relating to the health care operations of Entity, provided that such services are part of Associate’s obligations as set forth in the Service Agreement; (civ) to create de-identified information in accordance report violations of the law to federal or state authorities consistent with 45 C.F.R. § 164.514(b164.502(j)(1), provided that such de-identified information may be used and disclosed only consistent with applicable law; and; (dv) as necessary for Associate’s proper management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) ), provided that: any disclosure made that Associate may only disclose PHI for purposes of Associate’s Operations if the disclosure is Required By Law or is made after Associate obtains reasonable assurancesassurance, evidenced by a written contract, from the recipient that the recipientrecipient will: (i1) will hold 20150225 such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; and (ii2) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; ; (iiivi) acknowledges to de-identify PHI in writing thataccordance with 45 C.F.R. § 164.514(b), in receiving PHI, the recipient is fully bound by the Part 2 Regulations; provided that such de-identified information may be used and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made for purposes of Associate’s Operationsdisclosed only consistent with applicable law. In the event Entity notifies Associate of a an Individual’s restriction request granted pursuant to 45 CFR §164.522 that would restrict a use or disclosure otherwise permitted by this AddendumSection, Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this Addendum or as Required By Law. To the extent Associate is to carry out an obligation of Entity under the HIPAA Rules, Associate shall comply with the requirements of the HIPAA Rules that apply to Entity in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA RulesRules and HITECH. Associate is permitted to use and disclose PHI: (a) to perform any and all obligations of Associate as described in the Service Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 RegulationsRules, if done by Entity directly; (b) as otherwise permitted by law, provided that such use or disclosure would not violate the HIPAA Rules, if done by Entity directly and provided that Entity gives its prior written consent; (c) to perform Data Aggregation services relating to the health care operations of Entity, provided that such services are part of Associate’s obligations as set forth in the Service Agreement; (cd) to create de-identified information in accordance report violations of the law to federal or state authorities consistent with 45 C.F.R. CFR § 164.514(b164.502(j)(1), provided that such de-identified information may be used and disclosed only consistent with applicable law; and; (de) as necessary for Associate’s proper management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) provided that: that any disclosure made for purposes of Associate’s Operations is Required By Law or is made after Associate obtains reasonable assurances, evidenced by a written contract, from the recipient that the recipientrecipient will: (i1) will hold such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; and (ii2) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; ; (iiif) acknowledges to de-identify PHI in writing thataccordance with 45 C.F.R. § 164.514(b), in receiving PHI, the recipient is fully bound by the Part 2 Regulations; provided that such de- identified information may be used and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate disclosed only consistent with applicable law and shall promptly notify Entity of any disclosures made for purposes of Associatenot be commercialized or sold without Entity’s Operationsprior written consent. In the event Entity notifies Associate of a restriction request that would restrict a use or disclosure otherwise permitted by this Addendum, Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this Addendum or as Required By by Law. To the extent Associate is to carry out an obligation of a Covered Entity under the HIPAA RulesPrivacy and Security Rule, Associate shall comply with the requirements of the HIPAA Rules Privacy and Security Rule that apply to Entity Covered Entities in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA RulesPrivacy and Security Rule and HITECH. Associate is permitted to use and disclose PHI: (ai) to perform any and all obligations of Associate as described in the Service Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 RegulationsPrivacy and Security Rule, if done by Entity directly; (bii) as otherwise permitted by law, provided that such use or disclosure would not violate the Privacy and Security Rule, if done by Entity directly and provided that Entity gives its prior written consent; (iii) to perform Data Aggregation services relating to the health care operations of Entity, provided that such services are part of Associate’s obligations as set forth in the Service Agreement; (civ) to create de-identified information in accordance report violations of the law to federal or state authorities consistent with 45 C.F.R. § 164.514(b164.502(j)(1), provided that such de-identified information may be used and disclosed only consistent with applicable law; and; (dv) as necessary for Associate’s proper management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) ), provided that: any disclosure made that Associate may only disclose PHI for purposes of Associate’s Operations if the disclosure is Required By Law or is made after Associate obtains reasonable assurancesassurance, evidenced by a written contract, from the recipient that the recipientrecipient will: (i1) will hold 20151019 such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; and (ii2) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; ; (iiivi) acknowledges to de-identify PHI in writing thataccordance with 45 C.F.R. § 164.514(b), in receiving PHI, the recipient is fully bound by the Part 2 Regulations; provided that such de-identified information may be used and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made for purposes of Associate’s Operationsdisclosed only consistent with applicable law. In the event Entity notifies Associate of a an Individual’s restriction request granted pursuant to 45 C.F.R. §164.522 that would restrict a use or disclosure otherwise permitted by this AddendumSection, Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this Addendum or as Required By Law. To the extent Associate is to carry out an any obligation of a Covered Entity under the HIPAA RulesPrivacy and Security Rule, Associate shall comply with the requirements of the HIPAA Rules Privacy and Security Rule that apply to Entity Covered Entities in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA RulesPrivacy and Security Rule and HITECH. Associate is permitted to use and disclose PHI: (ai) to perform any and all obligations of Associate as described in the Service AgreementXXXX, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 RegulationsPrivacy and Security Rule, if done by Entity End User directly; (bii) as otherwise permitted by law, provided that such use or disclosure would not violate the Privacy and Security Rule, if done by End User directly and provided that End User gives its prior written consent; (iii) to perform Data Aggregation services relating to the health care operations of Entity, provided that such services are part of Associate’s obligations as set forth in the Service AgreementEnd User; (civ) to create de-identified information in accordance report violations of the law to federal or state authorities consistent with 45 C.F.R. § 164.514(b164.502(j)(1), provided that such de-identified information may be used and disclosed only consistent with applicable law; and; (dv) as necessary for Associate’s proper management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) ), provided that: any disclosure made that Associate may only disclose PHI for purposes of Associate’s Operations if the disclosure is Required By Law or is made after Associate obtains reasonable assurancesassurance, evidenced by a written contract, from the recipient that the recipientrecipient will: (i1) will hold such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; and (ii2) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; ; (iiivi) acknowledges to de-identify PHI in writing thataccordance with 45 C.F.R. § 164.514(b), in receiving PHI, the recipient is fully bound by the Part 2 Regulations; provided that such de-identified information may be used and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made for purposes of Associate’s Operationsdisclosed only consistent with applicable law. In the event Entity End User notifies Associate of a an Individual’s restriction request granted pursuant to 45 CFR §164.522 that would restrict a use or disclosure otherwise permitted by this AddendumSection, Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Business Associate will neither use nor disclose PHI except as permitted or required by this Addendum BAA or as Required By Law. To the extent Business Associate is to carry out an obligation of a Covered Entity under the HIPAA Rules45 CFR Part 164, Subpart E, Business Associate shall comply with the requirements of the HIPAA Rules 45 CFR Part 164, Subpart E that apply to such Covered Entity in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA Rules. Business Associate is permitted to use and disclose PHI: (a) to perform any and all obligations of Business Associate as described in pursuant to the Service Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 RegulationsRules, if done by Covered Entity directly; (b) as otherwise permitted by law, provided that such use or disclosure would not violate the HIPAA Rules, if done by Covered Entity directly and provided that Covered Entity gives its prior written consent; (c) to perform Data Aggregation services relating to the Covered Entity’s health care operations operations; (d) to report violations of Entitythe law to federal or state authorities consistent with 45 CFR § 164.502(j)(1); (e) as necessary for Business Associate’s proper management and administration and to carry out Business Associate’s legal responsibilities (collectively “Business Associate’s Operations”), provided that such services are part of Business Associate may only disclose PHI for Business Associate’s obligations Operations if the disclosure is Required By Law or Business Associate obtains reasonable assurance, evidenced by a written contract, from the recipient that the recipient will: (1) hold such PHI in confidence and use or further disclose it only for the purpose for which it was disclosed or as set forth Required By Law; and (2) notify Business Associate of any instance of which the recipient becomes aware in which the Service Agreementconfidentiality of such PHI was breached; (cf) to create de-identified information in accordance with 45 C.F.R. CFR § 164.514(b), provided that such de-identified information may be used and disclosed only consistent with applicable law; and; (dg) to create a limited data set as necessary for Associate’s proper management defined at 45 CFR §164.514(e)(2), provided that Business Associate will only use and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) provided that: any disclosure made disclose such limited data set for purposes of Associate’s Operations is Required By Law research, public health or is made after health care operations and will comply with the data use agreement requirements of 45 CFR §164.514(e)(4), including that Business Associate obtains reasonable assurances, evidenced by a written contract, from will not identify the recipient that information or contact the recipient: (i) will hold such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; (ii) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; (iii) acknowledges in writing that, in receiving PHI, the recipient is fully bound by the Part 2 Regulations; and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made for purposes of Associate’s Operationsindividuals. In the event Covered Entity notifies Business Associate of a an Individual’s restriction request granted pursuant to 45 CFR §164.522 that would restrict a use or disclosure otherwise permitted by this AddendumSection, Business Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this Addendum Agreement or as Required By Law. To the extent Associate is to carry out an obligation of Entity under the HIPAA Rules, Associate shall comply with the requirements of the HIPAA Rules that apply to Entity in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA Rules. Associate is permitted to use and disclose PHI: (a) to perform any and all obligations of Associate as described in the Service Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 Regulations, if done by Entity directly; (b) to perform Data Aggregation services relating to the health care operations of Entity, provided that such services are part of Associate’s obligations as set forth in the Service Agreement; (c) to create de-identified information in accordance with 45 C.F.R. § 164.514(b), provided that such de-identified information may be used and disclosed only consistent with applicable law; and (d) as necessary for Associate’s proper management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) provided that: any disclosure made for purposes of Associate’s Operations is Required By Law or is made after Associate obtains reasonable assurances, evidenced by a written contract, from the recipient that the recipient: (i) will hold such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; (ii) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; (iii) acknowledges in writing that, in receiving PHI, the recipient is fully bound by the Part 2 Regulations; and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made for purposes of Associate’s Operations. In the event Entity notifies Associate of a restriction request that would restrict a use or disclosure otherwise permitted by this AddendumAgreement, Associate shall comply with the terms of the restriction request.

Uses or Disclosures. Associate Catapult will neither use nor disclose PHI except as permitted or required by this Addendum BAA or as Required By Law. To the extent Associate Catapult is to carry out an obligation of Entity Customer under the HIPAA Rules45 CFR Part 164, Associate Subpart E, Catapult shall comply with the requirements of the HIPAA Rules 45 CFR Part 164, Subpart E that apply to Entity Customer in the performance of such obligation. Without limiting the foregoing, Associate will not sell PHI or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA Rules. Associate Catapult is permitted to use and disclose PHI: (a) to perform any and all obligations of Associate Catapult as described in the Service Agreement, provided that such use or disclosure is consistent with the terms of Entity’s notice of privacy practices and would not violate the HIPAA Rules or the Part 2 Regulations, if done by Entity Customer directly; (b) as otherwise permitted by law, provided that such use or disclosure would not violate the HIPAA Rules, if done by Customer directly and provided that Customer gives its prior written consent; (c) to perform Data Aggregation services relating to the health care operations of EntityCustomer; (d) to report violations of the law to federal or state authorities consistent with 45 C.F.R. § 164.502(j)(1); (e) as necessary for Catapult’s proper management and administration and to carry out Catapult’s legal responsibilities (collectively “Catapult’s Operations”), provided that Catapult may only disclose PHI for Catapult’s Operations if the disclosure is Required By Law or Catapult obtains reasonable assurance, evidenced by a written contract, from the recipient that the recipient will: (1) hold such services are part PHI in confidence and use or further disclose it only for the purpose for which Catapult disclosed it to the recipient or as Required By Law; and (2) notify Catapult of Associate’s obligations as set forth any instance of which the recipient becomes aware in which the Service Agreementconfidentiality of such PHI was breached; (cf) to create de-identified information in accordance with 45 C.F.R. § 164.514(b), provided that such de-de- identified information may be used and disclosed only consistent with applicable law; and; (dg) to create a limited data set as necessary for Associate’s proper management defined at 45 CFR §164.514(e)(2), provided that Catapult will only use and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s Operations”) provided that: any disclosure made disclose such limited data set for purposes of Associate’s Operations is Required By Law research, public health or is made after Associate obtains reasonable assurances, evidenced by a written contract, from the recipient that the recipient: (i) health care operations and will hold such PHI in confidence and use or further disclose it only for the purpose for which Associate disclosed it to the recipient or as Required By Law; (ii) will notify Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; (iii) acknowledges in writing that, in receiving PHI, the recipient is fully bound by the Part 2 Regulations; and (iv) agrees to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations. Associate shall promptly notify Entity of any disclosures made for purposes of Associate’s Operations. In the event Entity notifies Associate of a restriction request that would restrict a use or disclosure otherwise permitted by this Addendum, Associate shall comply with the terms data use agreement requirements of 45 CFR §164.514(e)(4), including that Catapult will not identify the restriction requestinformation or contact the individuals.