Common use of HIPAA Clause in Contracts

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules,

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;Designated

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-160- 164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528,

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;agents

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;section

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;)

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii164.502 (e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528,

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices,

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii164.502 (e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules,

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528,

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;maintained

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or

HIPAA. To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524;of