HIPAA Uses in HIPAA Compliance Clause

HIPAA Compliance from Credit Agreement

THIS CREDIT AGREEMENT (this "Agreement") is made and entered into as of June 22, 2016, by and among CROSS COUNTRY HEALTHCARE, INC., a Delaware corporation (the "Borrower"), the Guarantors (defined herein), the Lenders (defined herein), and SUNTRUST BANK, in its capacities as the Administrative Agent, an Issuing Bank and the Swingline Lender.

HIPAA Compliance. To the extent that and for so long as (i) the Borrower or any of its Subsidiaries is a "covered entity" and/or a "business associate" as defined in 45 C.F.R. SS 160.103, (ii) the Borrower or any of its Subsidiaries and/or their business and operations are subject to or covered by HIPAA, and/or (iii) the Borrower or any of its Subsidiaries sponsors any "group health plans" as defined in 45 C.F.R. SS 160.103, the Borrower and each such Subsidiary has implemented, or will implement on or before any applicable compliance date, those provisions of its HIPAA compliance plan necessary to ensure that the Loan Parties are HIPAA Compliant, except where non-compliance, either individually or in the aggregate, could not reasonably be expected to result in a Material Adverse Effect. For purposes of this Agreement, "HIPAA Compliant" shall mean that each Loan Party and each applicable Subsidiary (i) is in full compliance with any and all of the applicable requirements of HIPAA, as amended from time to time and (ii) is not subject to, and could not reasonably be expected to become subject to, any civil or criminal penalty or any investigation, claim or process as the result of any breach or other failure to comply with HIPAA.

HIPAA Compliance from Distributor Agreement

This Distributor Agreement is effective as of the 22nd day of December, 2010 (the "Effective Date") by and between Philips Medical Systems Nederland B.V., having a place of business at Veenpluis 4-6, PO Box 10.000 5680 DA, Best, The Netherlands ("Philips"), and Corindus Inc., having a place of business at 11 Erie Drive, Natick, MA, USA ("Corindus") (individually a "Party" and jointly the "Parties")

HIPAA Compliance. In connection with providing services hereunder, a Party or a Customer may disclose to the other Party individually identifiable health information ("PHI") as defined in and subject to protection under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated pursuant thereto ("HIPAA"). The Customers include "Covered Entities," which are subject to HIPAA. This paragraph is to allow Customers to comply with HIPAA. "PHI" and "ePHI" will mean Protected Health Information and Electronic Protected Health Information, respectively, as defined in 45 C.F.R. SS160.103, limited to the information the other Party received from or created or received on behalf of a Party. Distributor and Supplier agree that: (1) The receiving Party will not use or further disclose PHI other than as permitted by this Agreement or required by law; (2) the receiving Party will use appropriate safeguards to prevent the use or disclosure of the PHI other than as permitted by this Agreement, and will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI ("Safeguards"); (3) the receiving Party will report to the transferring Party: (a) any use or disclosure of the PHI not permitted by this Agreement or by law of which the receiving Party becomes aware; and (b) any Security Incident (as defined by law) of which the receiving Party becomes aware; (4) To the extent that the receiving Party uses one or more subcontractors or agents to provide services under this Agreement, and such subcontractors or agents receive or have access to the PHI, each such subcontractor or agent will: (a) enter into a written agreement with the receiving Party containing the same restrictions and conditions set forth in the business associate provisions of HIPAA that apply through the receiving Party; and (b) implement reasonable and appropriate Safeguards to protect ePHI; (5) the receiving Party agrees to make (a) its internal practices, books and records relating to the use and disclosure of PHI and (b) its policies, procedures and documentation required by the Security Rule relating to the Safeguards, available to the Secretary of the U.S. Department of Health and Human Services or his designee to the extent necessary to determine the receiving Party's compliance with HIPAA; (6) the receiving Party agrees to make available to the other Party (or at its direction to a Customer) the information in its possession required to provide an accounting of the receiving Party's disclosures of PHI as required by HIPAA (7) the receiving Party will use reasonable commercial efforts to mitigate any harmful effect that is known to the receiving Party of a use or disclosure of PHI by the receiving Party in violation of this Agreement; and (8) Upon the termination of this Agreement for any reason, the receiving Party will return to the transferring Party (or at its direction to a Customer) or destroy all PHI received from the transferring Party or a Customer that the receiving Party maintains in any form, recorded on any medium, or stored in any storage system, unless said information is no longer PHI or if the return or destruction is not feasible. Following termination of this Agreement, the receiving Party will remain bound by the provisions of this Paragraph 18.9 with respect to any PHI that remains in its possession.

HIPAA Compliance from Distributor Agreement

This Distributor Agreement is effective as of the 22nd day of December, 2010 (the "Effective Date") by and between Philips Medical Systems Nederland B.V., having a place of business at Veenpluis 4-6, PO Box 10.000 5680 DA, Best, The Netherlands ("Philips"), and Corindus Inc., having a place of business at 11 Erie Drive, Natick, MA, USA ("Corindus") (individually a "Party" and jointly the "Parties")

HIPAA Compliance. In connection with providing services hereunder, a Party or a Customer may disclose to the other Party individually identifiable health information ("PHI") as defined in and subject to protection under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated pursuant thereto ("HIPAA"). The Customers include "Covered Entities," which are subject to HIPAA. This paragraph is to allow Customers to comply with HIPAA. "PHI" and "ePHI" will mean Protected Health Information and Electronic Protected Health Information, respectively, as defined in 45 C.F.R. SS160.103, limited to the information the other Party received from or created or received on behalf of a Party. Distributor and Supplier agree that: (1) The receiving Party will not use or further disclose PHI other than as permitted by this Agreement or required by law; (2) the receiving Party will use appropriate safeguards to prevent the use or disclosure of the PHI other than as permitted by this Agreement, and will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI ("Safeguards"); (3) the receiving Party will report to the transferring Party: (a) any use or disclosure of the PHI not permitted by this Agreement or by law of which the receiving Party becomes aware; and (b) any Security Incident (as defined by law) of which the receiving Party becomes aware; (4) To the extent that the receiving Party uses one or more subcontractors or agents to provide services under this Agreement, and such subcontractors or agents receive or have access to the PHI, each such subcontractor or agent will: (a) enter into a written agreement with the receiving Party containing the same restrictions and conditions set forth in the business associate provisions of HIPAA that apply through the receiving Party; and (b) implement reasonable and appropriate Safeguards to protect ePHI; (5) the receiving Party agrees to make (a) its internal practices, books and records relating to the use and disclosure of PHI and (b) its policies, procedures and documentation required by the Security Rule relating to the Safeguards, available to the Secretary of the U.S. Department of Health and Human Services or his designee to the extent necessary to determine the receiving Party's compliance with HIPAA; (6) the receiving Party agrees to make available to the other Party (or at its direction to a Customer) the information in its possession required to provide an accounting of the receiving Party's disclosures of PHI as required by HIPAA (7) the receiving Party will use reasonable commercial efforts to mitigate any harmful effect that is known to the receiving Party of a use or disclosure of PHI by the receiving Party in violation of this Agreement; and (8) Upon the termination of this Agreement for any reason, the receiving Party will return to the transferring Party (or at its direction to a Customer) or destroy all PHI received from the transferring Party or a Customer that the receiving Party maintains in any form, recorded on any medium, or stored in any storage system, unless said information is no longer PHI or if the return or destruction is not feasible. Following termination of this Agreement, the receiving Party will remain bound by the provisions of this Paragraph 18.9 with respect to any PHI that remains in its possession.

HIPAA Compliance from Distributor Agreement

This Distributor Agreement is effective as of the 22nd day of December, 2010 (the "Effective Date") by and between Philips Medical Systems Nederland B.V., having a place of business at Veenpluis 4-6, PO Box 10.000 5680 DA, Best, The Netherlands ("Philips"), and Corindus Inc., having a place of business at 11 Erie Drive, Natick, MA, USA ("Corindus") (individually a "Party" and jointly the "Parties")

HIPAA Compliance. In connection with providing services hereunder, a Party or a Customer may disclose to the other Party individually identifiable health information ("PHI") as defined in and subject to protection under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated pursuant thereto ("HIPAA"). The Customers include "Covered Entities," which are subject to HIPAA. This paragraph is to allow Customers to comply with HIPAA. "PHI" and "ePHI" will mean Protected Health Information and Electronic Protected Health Information, respectively, as defined in 45 C.F.R. SS160.103, limited to the information the other Party received from or created or received on behalf of a Party. Distributor and Supplier agree that: (1) The receiving Party will not use or further disclose PHI other than as permitted by this Agreement or required by law; (2) the receiving Party will use appropriate safeguards to prevent the use or disclosure of the PHI other than as permitted by this Agreement, and will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI ("Safeguards"); (3) the receiving Party will report to the transferring Party: (a) any use or disclosure of the PHI not permitted by this Agreement or by law of which the receiving Party becomes aware; and (b) any Security Incident (as defined by law) of which the receiving Party becomes aware; (4) To the extent that the receiving Party uses one or more subcontractors or agents to provide services under this Agreement, and such subcontractors or agents receive or have access to the PHI, each such subcontractor or agent will: (a) enter into a written agreement with the receiving Party containing the same restrictions and conditions set forth in the business associate provisions of HIPAA that apply through the receiving Party; and (b) implement reasonable and appropriate Safeguards to protect ePHI; (5) the receiving Party agrees to make (a) its internal practices, books and records relating to the use and disclosure of PHI and (b) its policies, procedures and documentation required by the Security Rule relating to the Safeguards, available to the Secretary of the U.S. Department of Health and Human Services or his designee to the extent necessary to determine the receiving Party's compliance with HIPAA; (6) the receiving Party agrees to make available to the other Party (or at its direction to a Customer) the information in its possession required to provide an accounting of the receiving Party's disclosures of PHI as required by HIPAA (7) the receiving Party will use reasonable commercial efforts to mitigate any harmful effect that is known to the receiving Party of a use or disclosure of PHI by the receiving Party in violation of this Agreement; and (8) Upon the termination of this Agreement for any reason, the receiving Party will return to the transferring Party (or at its direction to a Customer) or destroy all PHI received from the transferring Party or a Customer that the receiving Party maintains in any form, recorded on any medium, or stored in any storage system, unless said information is no longer PHI or if the return or destruction is not feasible. Following termination of this Agreement, the receiving Party will remain bound by the provisions of this Paragraph 18.9 with respect to any PHI that remains in its possession.

HIPAA Compliance from Purchasing Agreement

HIPAA Compliance. Licensor represents and warrants that to the extent applicable it shall, with respect to its obligations under this Agreement and interactions with Participating Members, comply with the requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (the "Act"), the privacy standards adopted by the U.S. Department of Health and Human Services ("HHS") as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E (the "Privacy Rule"), the security standards adopted by HHS as they may be amended from time to time, 45 C.F.R. parts 160, 162 and 164, subpart C (the "Security Rule"), and the Privacy provision (Subtitle D) of the Health Information Technology for Economic Clinical Health Act, Division A, Title XIII of Pub. L. 111-5, and its implementing regulations (the "HITECH Act"). Without limiting the foregoing, if Licensor serves in the capacity of a Business Associate under the Act for a Participating Member in connection with its obligations under this Agreement, the attached HIPAA Addendum shall apply to Licensor with respect to its interactions with the Participating Member.

HIPAA Compliance from Equity Purchase Agreement

THIS ASSET AND EQUITY PURCHASE AGREEMENT (this Agreement) is made and entered into this 31st day of August 2012 (Effective Date), among American Addiction Centers, Inc. f/k/a Forterus, Inc., a Nevada corporation (Buyer), AJG Solutions, Inc., a Florida corporation (AJG), Member Assistance Solutions, LLC, a Florida limited liability company (MAS), James D. Bevell, Jr., an individual resident of Florida (Bevell), and Michael Blackburn, an individual resident of Rhode Island (Blackburn), (each of AJG, MAS, Bevell and Blackburn individually are sometimes referred to herein as a Seller and collectively, the Sellers). The Sellers and the Companies (as defined below) are sometimes referred to herein collectively as the Selling Parties.

HIPAA Compliance. Selling Parties are and have been in compliance with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (collectively HIPAA) and their implementing regulations, including the amendments to HIPAA pursuant to the Health Information Technology for Economic and Clinical Health Act, and all promulgated regulations thereto (HITECH). Selling Parties are and have been in compliance with all other applicable laws, rules, regulations or other requirements governing the privacy, security and confidentiality of medical records or other records containing individually identifiable information generated or obtained in the course of conducting the Business, including, without limitation, all state and federal laws, rules, regulations or other requirements to the extent not preempted by HIPAA. Sellers description of the steps Selling Parties and the Sellers have taken to comply with the requirements of HIPAA, HITECH and its implementing regulations is attached as Schedule 5.20. No Selling Party nor any Seller has received any complaints or notices of investigation or claims from any person (including without limitation inquiries or other communications from the Department of Health and Human Services Office for Civil Rights, the Centers for Medicare & Medicaid Services, and the Department of Health and Human Services Office of Inspector General) regarding any of Selling Parties, the Sellers, or any of their agents, employees or contractors, uses or disclosures of, or security practices or incidents regarding, individually identifiable information. With regard to individually identifiable information, no Selling Party nor the Sellers are aware of any non-permitted use or disclosure, breach of a confidentiality agreement or security incident (each as determined by reference to the Privacy Standards, Security Standards or state law, as applicable) by, or involving the systems of, any Selling Party or Seller or by any their agents or employees or contractors. Selling Parties are, and at all times since the date compliance became required has been, in compliance with all applicable laws, regulations, rules or directives related to reporting to individuals, customers, governmental or regulatory authorities, the media or credit reporting agencies, as applicable, breaches involving individually identifiable information, including but not limited to HIPAA and the Privacy Standards. Schedule 5.20 lists all business associate agreements to which any Seller is a party, with the name of the party, and date of the agreement. Sellers have made available to Buyer, with respect to the facilities a true and correct copy of the facilities log of possible Breaches (as defined by HITECH) of HIPAA for the years 2010, 2011 and 2012 through the date of this Agreement (the Breach Notification Log). Except as set forth in the Breach Notification Log, to the knowledge of Sellers, there has not been any Breach (as defined by HITECH) at any of the facilities which, individually or in the aggregate, constitute a Material Adverse Effect.

HIPAA Compliance from Commercial Supply Agreement

This Addendum 1 (the Addendum, which expression includes any Appendices hereto) is to the LICENSE, DEVELOPMENT, COLLABORATION AND COMMERCIALIZATION AGREEMENT (the License Agreement) by and between Aerogen Limited, a private limited company incorporated in Ireland having its principal place of business at Galway Business Park, Dangan, Galway, Ireland (Aerogen) and Dance Biopharm, Inc., a Delaware, USA corporation having its principal place of business at 2 Mint Plaza, Suite 804, San Francisco, CA 94103, USA (Dance) (individually, a Party and jointly, the Parties) with an Effective Date of the 15th day of November, 2010. The effective date of this Addendum is 4th October, 2013 (the Addendum Effective Date.)

HIPAA Compliance. Aerogen may provide certain services to Dance or Dances customers and, in connection with those services, Dance or its customers may disclose to Aerogen individually identifiable health information as defined in and subject to protection under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated pursuant thereto (HIPAA). Dances customers may include Covered Entities, which are subject to HIPAA. This Article is to allow Dances customers to comply with HIPAA. PHI and ePHI will mean Protected Health Information and Electronic Protected Health Information, respectively, as defined in 45 C.F.R. SS160.103, limited to the information Aerogen received from or created or received on behalf of Dance as Dances Customers Business Associate. Dance and Aerogen agree that: (1) Aerogen will not use or further disclose PHI other than as permitted by this Addendum or required by law; (2) Aerogen will use appropriate safeguards to prevent the use or disclosure of the PHI other than as permitted by this Addendum, and will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI (Safeguards); (3) Aerogen will report to Dance: (a) any use or disclosure of the PHI not permitted by this Addendum or by law of which Aerogen becomes aware; and (b) any Security Incident of which Aerogen becomes aware; (4) To the extent that Aerogen uses one or more subcontractors or agents to provide services under this Addendum, and such subcontractors or agents receive or have access to the PHI, each such subcontractor or agent will: (a) enter into a written agreement with Aerogen containing the same restrictions and conditions set forth in the business associate provisions of HIPAA that apply through Aerogen; and (b) implement reasonable and appropriate Safeguards to protect ePHI; (5) Aerogen agrees to make (a) its internal practices, books and records relating to the use and disclosure of PHI and (b) its policies, procedures and documentation required by the Security Rule relating to the Safeguards, available to the Secretary of the U.S. Department of Health and Human Services or his designee to the extent necessary to determine Aerogens customers compliance with HIPAA ; (6) Aerogen agrees to make available to Dance (or at Dances direction to a Dance customer) the information in its possession required to provide an accounting of Aerogens disclosures of PHI as required by HIPAA; (7) Aerogen will use reasonable commercial efforts to mitigate any harmful effect that is known to Aerogen of a use or disclosure of PHI by Aerogen in violation of this Addendum; and (8) upon the termination of this Addendum for any reason, Aerogen will return to Dance (or at Dances direction to Dances customer) or destroy all PHI received from Dance or Dances customer that Aerogen maintains in any form, recorded on any medium, or stored in any storage system, unless said information is no longer PHI or if the return or destruction is not feasible. Following termination of this Addendum, Aerogen will remain bound by the provisions of this Article with respect to any PHI that remains in its possession.

HIPAA Compliance from Commercialization Agreement

This Addendum 1 (the Addendum, which expression includes any Appendices hereto) is to the LICENSE, DEVELOPMENT, COLLABORATION AND COMMERCIALIZATION AGREEMENT (the License Agreement) by and between Aerogen Limited, a private limited company incorporated in Ireland having its principal place of business at Galway Business Park, Dangan, Galway, Ireland (Aerogen) and Dance Biopharm, Inc., a Delaware, USA corporation having its principal place of business at 2 Mint Plaza, Suite 804, San Francisco, CA 94103, USA (Dance) (individually, a Party and jointly, the Parties) with an Effective Date of the 15th day of November, 2010. The effective date of this Addendum is 4th October, 2013 (the Addendum Effective Date.)

HIPAA Compliance. Aerogen may provide certain services to Dance or Dances customers and, in connection with those services, Dance or its customers may disclose to Aerogen individually identifiable health information as defined in and subject to protection under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated pursuant thereto (HIPAA). Dances customers may include Covered Entities, which are subject to HIPAA. This Article is to allow Dances customers to comply with HIPAA. PHI and ePHI will mean Protected Health Information and Electronic Protected Health Information, respectively, as defined in 45 C.F.R. SS160.103, limited to the information Aerogen received from or created or received on behalf of Dance as Dances Customers Business Associate. Dance and Aerogen agree that: (1) Aerogen will not use or further disclose PHI other than as permitted by this Addendum or required by law; (2) Aerogen will use appropriate safeguards to prevent the use or disclosure of the PHI other than as permitted by this Addendum, and will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI (Safeguards); (3) Aerogen will report to Dance: (a) any use or disclosure of the PHI not permitted by this Addendum or by law of which Aerogen becomes aware; and (b) any Security Incident of which Aerogen becomes aware; (4) To the extent that Aerogen uses one or more subcontractors or agents to provide services under this Addendum, and such subcontractors or agents receive or have access to the PHI, each such subcontractor or agent will: (a) enter into a written agreement with Aerogen containing the same restrictions and conditions set forth in the business associate provisions of HIPAA that apply through Aerogen; and (b) implement reasonable and appropriate Safeguards to protect ePHI; (5) Aerogen agrees to make (a) its internal practices, books and records relating to the use and disclosure of PHI and (b) its policies, procedures and documentation required by the Security Rule relating to the Safeguards, available to the Secretary of the U.S. Department of Health and Human Services or his designee to the extent necessary to determine Aerogens customers compliance with HIPAA ; (6) Aerogen agrees to make available to Dance (or at Dances direction to a Dance customer) the information in its possession required to provide an accounting of Aerogens disclosures of PHI as required by HIPAA; (7) Aerogen will use reasonable commercial efforts to mitigate any harmful effect that is known to Aerogen of a use or disclosure of PHI by Aerogen in violation of this Addendum; and (8) upon the termination of this Addendum for any reason, Aerogen will return to Dance (or at Dances direction to Dances customer) or destroy all PHI received from Dance or Dances customer that Aerogen maintains in any form, recorded on any medium, or stored in any storage system, unless said information is no longer PHI or if the return or destruction is not feasible. Following termination of this Addendum, Aerogen will remain bound by the provisions of this Article with respect to any PHI that remains in its possession.

HIPAA Compliance from Purchasing Agreement

This Group Purchasing Agreement (the Agreement) is comprised of the following documents and is entered into by the Parties as of the Effective Date set forth in Item 3 above:

HIPAA Compliance. The U.S. Department of Health and Human Services issued regulations on Standards for Privacy of Individually Identifiable Health Information, which comprise 45 C.F.R. Parts 160 and 164 (the Privacy Rule), and Security Standards, which comprise 45 C.F.R. Parts 160, 162, and 164 (the Security Rule), promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996. Seller shall comply with the Privacy Rule and Security Rule, pursuant to the manner set forth in the HIPAA Addendum attached hereto, if applicable.

HIPAA Compliance from Amended and Restated Credit Agreement

This AMENDED AND RESTATED CREDIT AGREEMENT is entered into as of December 18, 2007, among GILEAD SCIENCES, INC., a Delaware corporation (the Parent), and GILEAD BIOPHARMACEUTICS IRELAND CORPORATION, an Irish company (Gilead Ireland; Gilead Ireland together with the Parent are together referred to as the Borrowers, and each individually, as a Borrower), each lender from time to time party hereto (collectively, the Lenders and each individually, a Lender), and BANK OF AMERICA, N.A., as Administrative Agent, Swing Line Lender and L/C Issuer.

HIPAA Compliance. To the extent that and for so long as (a) either Borrower is a covered entity within the meaning of HIPAA or (b) either Borrower and/or its business and operations are subject to or covered by the so-called Administrative Simplification provisions of HIPAA, each such Borrower (i) has undertaken or will promptly undertake all necessary surveys, audits, inventories, reviews, analyses and/or assessments (including any necessary risk assessments) of all areas of its business and operations required by HIPAA and/or that could be materially adversely affected by the failure of such Borrower to be HIPAA Compliant (as defined below); (ii) has developed or will promptly develop a detailed plan and time line for becoming HIPAA Compliant (a HIPAA Compliance Plan); and (iii) has implemented or will implement those provisions of such HIPAA Compliance Plan in all material respects necessary to ensure that such Borrower is or becomes HIPAA Compliant. For purposes hereof, HIPAA Compliant shall mean that each Borrower (x) is or will be in compliance with each of the applicable requirements of the so-called Administrative Simplification provisions of HIPAA on and as of each date upon which compliance with any part thereof, or any final rule or regulation thereunder, is required in accordance with its or their terms, as the case may be (each such date, a HIPAA Compliance Date) and (y) is not and could not reasonably be expected to become, as of any date following any such HIPAA Compliance Date, the subject of any civil or criminal penalty, process, claim, action or proceeding, or any administrative or other regulatory review, survey, process or proceeding (other than routine surveys or reviews conducted by any governmental health plan or other accreditation entity) that could result in any of the foregoing or that would in the case of each of (x) and (y) reasonably be expected to have a Material Adverse Effect, in connection with any actual or potential violation by such Borrower of the then effective provisions of HIPAA.