Common use of Obligations and Activities of Business Associate Clause in Contracts

Obligations and Activities of Business Associate. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Contract or another duly executed agreement with Covered Entity, or as Required by Law. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Contract and in accordance with HIPAA standards. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Contract. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Contract, or any security incident of which it becomes aware. Business Associate agrees, in accordance with 45 C.F.R. §§ 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of Business Associate, agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of Covered Entity, and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. 
Business Associate shall not charge any fees greater than the lesser of the amount charged by Covered Entity to an Individual for such records; the amount permitted by state law; or Business Associate’s actual cost of postage, labor and supplies for complying with the request. Business Associate agrees to make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity, and in the time and manner designated by Covered Entity. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to the Secretary in a time and manner agreed to by the Parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to provide to Covered Entity, in a time and manner designated by Covered Entity, information collected in accordance with subsection 18.6.10 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. 
§ 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to comply with any state or federal law that is More Stringent than the Privacy Rule. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. In the event that an Individual requests that Business Associate: restrict disclosures of PHI; provide an accounting of disclosures of the Individual’s PHI; provide a copy of the Individual’s PHI in an electronic health record; or amend PHI in the Individual’s designated record set, Business Associate agrees to notify Covered Entity, in writing, within five (5) Business Days of the request. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: the written approval of Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. Obligations in the Event of a HIPAA Breach. Business Associate agrees that, following the discovery by Business Associate or by a subcontractor of Business Associate of any use or disclosure not provided for by this Contract, any HIPAA Breach of Unsecured Protected Health Information, or any Security Incident, it shall notify Covered Entity of such HIPAA Breach in accordance with 45 C.F.R. part 164, subpart D, and this BAA. 
Such notification shall be provided by Business Associate to Covered Entity without unreasonable delay, and in no case later than five (5) Business Days after the HIPAA Breach is discovered by Business Associate, or a subcontractor of Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A HIPAA Breach is considered discovered as of the first Calendar Day on which it is, or reasonably should have been, known to Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such HIPAA Breach. Business Associate agrees to include in the notification to Covered Entity at least the following information: A description of what happened, including the date of the HIPAA Breach; the date of the discovery of the HIPAA Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. A description of the types of Unsecured Protected Health Information that were involved in the HIPAA Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). The steps Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the HIPAA Breach. A detailed description of what Business Associate is doing or has done to investigate the HIPAA Breach, to mitigate losses, and to protect against any further HIPAA Breaches. 
Whether a law enforcement official has advised Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, contact information for said official.

Appears in 23 contracts

Samples: Contract, Contract, Contract

Obligations and Activities of Business Associate. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Contract or any other duly executed agreement with Covered Entity or as Required by Law. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Contract and in accordance with HIPAA standards. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Contract. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Contract or any other duly executed agreement with Covered Entity or any security incident of which it becomes aware. Business Associate agrees, in accordance with 45 C.F.R. §§ 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the Parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection 18.6.10 of this Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. In the event that an Individual requests that the Business Associate: restrict disclosures of PHI; provide an accounting of disclosures of the Individual’s PHI; provide a copy of the Individual’s PHI in an electronic health record; or amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract or any other duly executed agreement with Covered Entity, and the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. Obligations in the Event of a HIPAA Breach.
The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this Contract, any HIPAA Breach breach of Unsecured Protected Health Informationunsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such HIPAA Breach breach in accordance with 45 C.F.R. part 164, subpart D, and this BAAContract. Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than five thirty (530) Business Days days after the HIPAA Breach breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A HIPAA Breach breach is considered discovered as of the first Calendar Day day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose Unsecured Protected Health Information unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such HIPAA Breachbreach. The Business Associate agrees to include in the notification to the Covered Entity at least the following information: A description of what happened, including the date of the HIPAA Breachbreach; the date of the discovery of the HIPAA Breachbreach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 
A description of the types of Unsecured Protected Health Information unsecured protected health information that were involved in the HIPAA Breach breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the HIPAA Breachbreach. A detailed description of what the Business Associate is doing or has done to investigate the HIPAA Breachbreach, to mitigate losses, and to protect against any further HIPAA Breachesbreaches. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, contact information for said official.

Appears in 3 contracts

Samples: Contract, Contract, Contract

Obligations and Activities of Business Associate. Business Associate agrees to not to use or disclose PHI Protected Health Information other than as permitted or required by this Contract or another duly executed agreement with Covered Entity, Agreement or as Required by By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured Protected Health Information. Business Associate agrees that 45 CFR §§ 164.308, 164.310, 164.312, and 164.316 shall apply to Business Associate in the same manner that such sections apply to Covered Entity, and that Business Associate shall use appropriate administrative, physical, and maintain appropriate technical safeguards and comply in compliance with applicable HIPAA Standards with respect to all PHI and the Security Rule, to prevent use or disclosure of PHI the Protected Health Information other than as provided for in by this Contract Agreement. Business Associate shall ensure that all Protected Health Information is Secured. The written policies and in accordance procedures and documentation required by 45 CFR § 164.316 shall be made available to Covered Entity, upon Covered Entity’s request. Business Associate shall comply with HIPAA standardsall the obligations required of a Business Associate under the HITECH Act. The additional requirements of the HITECH Act that relate to privacy and security and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference hereby are incorporated into this Agreement. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of Covered Entity. 
Business Associate agrees to promptly mitigate, to the extent practicableRequired by Law with respect to Business Associate, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI Protected Health Information by Business Associate in violation of the requirements of this ContractAgreement, or that would otherwise cause a Breach of Unsecured Protected Health Information. Business Associate agrees to immediately report to Covered Entity any use or disclosure of PHI the Protected Health Information not provided for by this Contract, or any security incident of which it becomes awareAgreement. Business Associate agrees, in accordance with 45 C.F.R. §CFR § 502(e)(1)(ii164.502(e)(1)(ii) and 164.308(d)(2), if applicable, 164.308(b)(2) to ensure that any subcontractors that createagent, receiveincluding Subcontractors, maintain to whom it provides Protected Health Information in any form, including electronic form, created, maintained, transmitted, or transmit protected health information received by Business Associate from or on behalf of Business Associate, agree Covered Entity agrees in writing to the same restrictions, conditions, and requirements that apply through to Business Associate with respect to such information. Moreover, Business Associate shall ensure that any such agent or Subcontractor agrees to implement reasonable and appropriate safeguards to protect the Covered Entity’s Protected Health Information. Notwithstanding anything to the contrary in this BAA, Business Associate shall not use any agent or Subcontractor to perform any service requiring access to Protected Health Information without the express written consent of an authorized representative of Covered Entity. 
Business Associate agrees to provide access (including inspection, obtaining a copy or both)prompt access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, Entity to PHI Protected Health Information in a Designated Record Set, to Covered Entity Entity, or, as if directed by Covered Entity, to an Individual Individual, in order to meet the requirements under 45 C.F.R. CFR § 164.524. If an Individual requests directly from Business Associate (i) to inspect or copy his or her Protected Health Information, or (ii) requests its disclosure to a third party, the Business Associate shall not charge any fees greater than the lesser of the amount charged by promptly notify Covered Entity in writing of such request. Business Associate also agrees to comply with an Individual for Individual’s request to restrict the disclosure of his or her personal Protected Health Information in a manner consistent with 45 CFR § 164.522, except where such records; use, disclosure or request is required or permitted under applicable law. Business Associate further agrees that when requesting, using or disclosing Protected Health Information in accordance with 45 CFR § 502(b)(1) that such request, use or disclosure shall be to the amount permitted minimum extent necessary, including the use of a “limited data set” as defined in 45 CFR § 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by state law; or Business Associate’s actual cost of postage, labor and supplies for complying with the requestSecretary from time to time. Business Associate agrees to promptly make any amendments amendment(s) to PHI Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. 
CFR § 164.526 at the request of Covered Entity, and Entity in the time and manner designated as mutually agreed by the parties, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526. Business Associate agrees to make its internal practices, books, and records, including its policies and procedures and PHIprocedures, relating to the use and disclosure of PHI received fromProtected Health Information and Breach of any Unsecured Protected Health Information created, transmitted, or created, maintained, transmitted or received by, by Business Associate from or on behalf of Covered Entity, available to Covered Entity or the Secretary Secretary, in a time and manner agreed to by the Parties or designated by Covered Entity or the Secretary, for purposes of Covered Entity or the Secretary investigating or determining Covered Entity’s compliance with the HIPAA StandardsPrivacy Rule. Business Associate agrees to account for and document such disclosures of PHI Protected Health Information, Breaches of Unsecured Protected Health Information, and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI Protected Health Information in accordance with 45 C.F.R. CFR § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder164.528. Business Associate agrees to promptly provide to Covered Entity, in a time and manner designated by Covered Entity, Entity or an Individual information collected in accordance with subsection 18.6.10 Section 2(j) of this BAA, to permit Covered Entity to respond to a request by an Individual or the Secretary for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 Protected Health Information and section 13405 Breaches of Unsecured Protected Health Information. To the HITECH Act (42 U.S.C. 
§ 17935) and any regulations promulgated thereunder. extent that Business Associate agrees at is to carry out one or more of Covered Entity’s direction to provide an accounting obligation(s) under Subpart E of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to comply with any state or federal law that is More Stringent than the Privacy Rule. CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the HITECH Act relating Covered Entity in the performance of such obligation(s). Business Associate hereby represents and warrants that to privacy the extent it is transmitting a financial or administrative transaction described in the Regulations (each a “Transaction”) for Covered Entity, the format and security structure of such transmissions shall be in compliance with the Transaction Standards. With respect to any such Transactions, neither party shall: (i) change the definition, data, condition, or use of a data element or segment in a Transaction Standard; (ii) add any data elements or segments to the maximum defined data set; (iii) use any code or data elements that are applicable either marked “not used” in the Transaction Standard’s implementation specification or are not in the Transaction Standard’s implementation specification(s); or (iv) change the meaning or intent of the Transaction Standard’s implementation specification(s). With respect to Covered Entity and Electronic Protected Health Information, Business Associate will: Implement, in compliance with the requirements of 45 C.F.R. 
§§ 164.504(e)the Security Rule, 164.308administrative, 164.310, 164.312physical, and 164.316technical safeguards to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information it creates, transmits, maintains, or receives from or on behalf of Covered Entity; Ensure that any agent, including a Subcontractor, to whom Business Associate provides Electronic Protected Health Information agrees in writing to implement reasonable and appropriate safeguards to protect such information in compliance with the Security Rule; Business Associate acknowledges that, effective on the Effective Date of this BAA, (x) the foregoing safeguards, policies and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity, and (y) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements; Report to Covered Entity any Security Incident of which Business Associate becomes aware, including any failure of safeguards or unauthorized access to Electronic Protected Health Information. 
In the event that Business Associate agrees to account for and document any disclosure of Protected Health Information used or maintained as Electronic Protected Health Information and Breaches of Unsecured Protected Health Information in electronic form in a manner consistent with 45 CFR § 164.528 as would be required for Covered Entity to respond to a request by an Individual requests that Business Associate: restrict disclosures of PHI; provide for an accounting of disclosures of the Individual’s PHI; provide a copy of the Individual’s PHI in an electronic health record; or amend PHI in the Individual’s designated record set, Protected Health Information. Business Associate agrees to notify promptly provide to Covered Entity, or an Individual, information collected in writingaccordance with this paragraph, within five (5) Business Days to permit Covered Entity to respond to a request by an Individual or the Secretary for an accounting of the requestdisclosures of Protected Health Information and Breaches of Unsecured Protected Health Information. Business Associate agrees that it shall notto comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in section 13405(d) of Subtitle D (Privacy) of the HITECH Act, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in exchange for PHI section 13406 of an Individual without: the written approval of Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2Subtitle D (Privacy) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. Obligations in related guidance issued by the Event of a HIPAA BreachSecretary from time to time. 
Business Associate agrees acknowledges that, following effective on the discovery by Business Associate or by a subcontractor Effective Date of Business Associate of any use or disclosure not provided for by this Contract, any HIPAA Breach of Unsecured Protected Health Information, or any Security IncidentBAA, it shall notify Covered Entity of such HIPAA Breach in accordance be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with 45 C.F.R. part 164, subpart D, and this BAA. Such notification shall be provided by Business Associate to Covered Entity without unreasonable delay, and in no case later than five (5) Business Days after the HIPAA Breach is discovered by Business Associate, or a subcontractor of Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A HIPAA Breach is considered discovered as any of the first Calendar Day on which it is, or reasonably should have been, known use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to Business Associate or its subcontractor. The notification shall include the identification time with respect to such use and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such HIPAA Breach. Business Associate agrees to include in the notification to Covered Entity at least the following information: A description of what happened, including the date of the HIPAA Breach; the date of the discovery of the HIPAA Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 
A description of the types of Unsecured Protected Health Information that were involved in the HIPAA Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). The steps Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the HIPAA Breach. A detailed description of what Business Associate is doing or has done to investigate the HIPAA Breach, to mitigate losses, and to protect against any further HIPAA Breaches. Whether a law enforcement official has advised Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, contact information for said officialdisclosure requirements.

Appears in 3 contracts

Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement

Obligations and Activities of Business Associate. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Contract or another duly executed agreement with Covered Entity, or as Required by Law. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Contract and in accordance with HIPAA standards. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Contract. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Contract, or any security incident of which it becomes aware. Business Associate agrees, in accordance with 45 C.F.R. §§ 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of Business Associate, agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of Covered Entity, and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. 
Business Associate shall not charge any fees greater than the lesser of the amount charged by Covered Entity to an Individual for such records; the amount permitted by state law; or Business Associate’s actual cost of postage, labor and supplies for complying with the request. Business Associate agrees to make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity, and in the time and manner designated by Covered Entity. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to the Secretary in a time and manner agreed to by the Parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to provide to Covered Entity, in a time and manner designated by Covered Entity, information collected in accordance with subsection 18.6.10 6.10 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. 
§ 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to comply with any state or federal law that is More Stringent than the Privacy Rule. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. In the event that an Individual requests that Business Associate: restrict disclosures of PHI; provide an accounting of disclosures of the Individual’s PHI; provide a copy of the Individual’s PHI in an electronic health record; or amend PHI in the Individual’s designated record set, Business Associate agrees to notify Covered Entity, in writing, within five (5) Business Days of the request. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: the written approval of Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. Obligations in the Event of a HIPAA Breach. Business Associate agrees that, following the discovery by Business Associate or by a subcontractor of Business Associate of any use or disclosure not provided for by this Contract, any HIPAA Breach of Unsecured Protected Health Information, or any Security Incident, it shall notify Covered Entity of such HIPAA Breach in accordance with 45 C.F.R. part 164, subpart D, and this BAA.
Such notification shall be provided by Business Associate to Covered Entity without unreasonable delay, and in no case later than five (5) Business Days after the HIPAA Breach is discovered by Business Associate, or a subcontractor of Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A HIPAA Breach is considered discovered as of the first Calendar Day on which it is, or reasonably should have been, known to Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such HIPAA Breach. Business Associate agrees to include in the notification to Covered Entity at least the following information: A description of what happened, including the date of the HIPAA Breach; the date of the discovery of the HIPAA Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. A description of the types of Unsecured Protected Health Information that were involved in the HIPAA Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). The steps Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the HIPAA Breach. A detailed description of what Business Associate is doing or has done to investigate the HIPAA Breach, to mitigate losses, and to protect against any further HIPAA Breaches.
Whether a law enforcement official has advised Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, contact information for said official.

Appears in 1 contract

Samples: Dining and Nutrition Services Contract

Obligations and Activities of Business Associate. 2.1 Business Associate agrees to not to use or disclose PHI other than as permitted or required by this Contract or another duly executed agreement with Covered Entity, the Agreement or as Required by Law. 2.2 Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of the PHI other than as provided for in by this Contract and in accordance with HIPAA standardsAgreement. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of Covered Entity. 2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this ContractAgreement. 2.4 Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this Contract, or any security incident Agreement of which it becomes aware. 2.5 Business Associate agrees, in accordance with 45 C.F.R. §§ 502(e)(1)(ii) and 164.308(d)(2), if applicable, agrees to ensure that any subcontractors that createagent, receiveincluding a subcontractor, maintain or transmit protected health information to whom it provides PHI received by Business Associate on behalf of Business Associate, agree Covered Entity agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Agreement to Business Associate with respect to such information. 
Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of Covered Entity, and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by Covered Entity to an Individual for such records; the amount permitted by state law; or Business Associate’s actual cost of postage, labor and supplies for complying with the request. 2.6 Business Associate agrees to make any amendments amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § Section 164.526 at the request of Covered EntityEntity or an Individual, and in the time and manner designated by Covered Entityagreed between the parties. 2.7 Business Associate agrees to make internal practices, books, and records, including policies and procedures and related to PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted created or received by, by Business Associate on behalf of of, Covered Entity, Entity available to the Secretary Covered Entity or to the Secretary, in a time and manner agreed to by between the Parties parties, or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA StandardsPrivacy Rule. 2.8 Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 Section 164.528. 
Snake River School District 52, 000 Xxxxx 000 Xxxx, Xxxxxxxxx, Xxxxx 00000 Category: 5000 BUSINESS Policy Number: 5450F1 (page 3 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to provide to Covered Entity, in a time and manner designated by Covered Entity, information collected in accordance with subsection 18.6.10 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to comply with any state or federal law that is More Stringent than the Privacy Rule. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e6), 164.308, 164.310, 164.312, and 164.316. In the event that an Individual requests that Business Associate: restrict disclosures of PHI; provide an accounting of disclosures of the Individual’s PHI; provide a copy of the Individual’s PHI in an electronic health record; or amend PHI in the Individual’s designated record set, Business Associate agrees to notify Covered Entity, in writing, within five (5) Business Days of the request. 
Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: the written approval of Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. Obligations in the Event of a HIPAA Breach. Business Associate agrees that, following the discovery by Business Associate or by a subcontractor of Business Associate of any use or disclosure not provided for by this Contract, any HIPAA Breach of Unsecured Protected Health Information, or any Security Incident, it shall notify Covered Entity of such HIPAA Breach in accordance with 45 C.F.R. part 164, subpart D, and this BAA. Such notification shall be provided by Business Associate to Covered Entity without unreasonable delay, and in no case later than five (5) Business Days after the HIPAA Breach is discovered by Business Associate, or a subcontractor of Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A HIPAA Breach is considered discovered as of the first Calendar Day on which it is, or reasonably should have been, known to Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such HIPAA Breach. 
Business Associate agrees to include in the notification to Covered Entity at least the following information: A description of what happened, including the date of the HIPAA Breach; the date of the discovery of the HIPAA Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. A description of the types of Unsecured Protected Health Information that were involved in the HIPAA Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). The steps Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the HIPAA Breach. A detailed description of what Business Associate is doing or has done to investigate the HIPAA Breach, to mitigate losses, and to protect against any further HIPAA Breaches. Whether a law enforcement official has advised Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, contact information for said official.

Appears in 1 contract

Samples: Associate Agreement

Obligations and Activities of Business Associate. Business Associate agrees not to to: Not use or further disclose PHI other than as permitted or required by this Contract or another duly executed agreement with Covered Entity, the Agreement or as Required required by Lawlaw. Business Associate agrees to use and maintain Use appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of the PHI other than as provided for in by this Contract and in accordance with HIPAA standardsAgreement. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate agrees to mitigateMitigate, to the extent practicable, any harmful effect that is known to Business Associate of a by the use or disclosure of PHI by Business Associate in violation of the requirements of this ContractAgreement. Business Associate agrees to report Report to Covered Entity any use or disclosure of the PHI not provided for by this Contract, Agreement that is beyond the scope of the routine services provided to or any security incident of which it becomes aware. Business Associate agrees, in accordance with 45 C.F.R. §§ 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the Covered Entity. Implicit herein is Business AssociateAssociate ability to use PHI as would Covered Entity in the normal course of business when performing services for, agree or on behalf of, Covered Entity. 
Ensure that any agent, including a subcontractor, to whom Business Associate provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions, conditions, restrictions and requirements conditions that apply to Business Associate through this Agreement with respect to such information. In the event that the Business Associate maintains PHI in a designated records set, Business Associate agrees to provide access (including inspection, obtaining a copy or both)access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § CFR 164.524. In the event that the Business Associate shall not charge any fees greater than the lesser of the amount charged by Covered Entity to an Individual for such records; the amount permitted by state law; or Business Associate’s actual cost of postagemaintains PHI in a designated records set, labor and supplies for complying with the request. Business Associate agrees to make any amendments amendment(s) to PHI in a Designated Record Set designated record set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § CFR 164.526 at the request of Covered EntityEntity or an Individual, and in the time and manner designated by Covered Entity. 
Business Associate agrees to make Make internal practices, books, and records, including policies and procedures and PHI, records relating to the use and disclosure of PHI received from, or created, maintained, transmitted created or received by, by Business Associate on behalf of of, Covered Entity available to the Covered Entity, available or at the request of the Covered Entity to the Secretary Secretary, in a time and manner agreed to designated by the Parties Covered Entity or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s 's compliance with the HIPAA StandardsPrivacy Rule. In the event such a request comes directly from the Secretary, Business Associate agrees to document notify Covered Entity immediately of such request. Document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunderCFR 164.528. Business Associate agrees to provide Provide to Covered EntityEntity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with subsection 18.6.10 of this BAAsection, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunderCFR 164.528. Business Associate agrees at Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to comply with any state or federal law that is More Stringent than the Privacy Rule. 
Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. In the event that an Individual requests that Business Associate: restrict disclosures of PHI; provide an accounting of disclosures of the Individual’s PHI; provide a copy of the Individual’s PHI in an electronic health record; or amend PHI in the Individual’s designated record set, Business Associate agrees to notify Covered Entity, in writing, within five (5) Business Days of the request. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI Implementation of an Individual without: Identity Theft Monitoring Policy and Procedure, to protect any patient information that may be breached by the written approval of Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. Obligations in the Event of a HIPAA Breach. Business Associate agrees that, following the discovery by Business Associate or by a subcontractor of Business Associate of any use or disclosure not provided for by this Contract, any HIPAA Breach of Unsecured Protected Health Information, or any Security Incident, it shall notify Covered Entity of such HIPAA Breach in accordance with 45 C.F.R. part 164, subpart D, and this BAA. 
Such notification shall be provided by Business Associate to Covered Entity without unreasonable delay, and in no case later than five (5) Business Days after the HIPAA Breach is discovered by Business Associate, or a subcontractor of Business Associate, except as otherwise instructed in writing by a under the Federal Trade Commission Regulations Red Flag Rules should such law enforcement official pursuant to 45 C.F.R. § 164.412. A HIPAA Breach is considered discovered as of the first Calendar Day on which it is, or reasonably should have been, known to Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such HIPAA Breach. Business Associate agrees to include be implemented for Covered Entity in the notification to Covered Entity at least the following information: A description of what happened, including the date of the HIPAA Breach; the date of the discovery of the HIPAA Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. A description of the types of Unsecured Protected Health Information that were involved in the HIPAA Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). The steps Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the HIPAA Breach. A detailed description of what Business Associate is doing or has done to investigate the HIPAA Breach, to mitigate losses, and to protect against any further HIPAA Breaches. 
Whether a law enforcement official has advised Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, contact information for said officialfuture.

Appears in 1 contract

Samples: Business Associate Agreement


Obligations and Activities of Business Associate. Business Associate agrees to not to use or further disclose PHI other than as permitted or required by this Contract or another duly executed agreement with Covered Entity, BAA or as Required by Law, provided such use or disclosure would also be permissible by law if done by Covered Entity. Business Associate agrees to use and maintain appropriate safeguards (including encryption as specified in the Security Rule) and comply with applicable HIPAA Standards with respect to all PHI and destruction, to prevent use or disclosure of PHI other than as provided for in by this Contract and in accordance with HIPAA standardsBAA. As required by the Security Rule, Business Associate agrees to use administrativeconduct a risk assessment and implement Administrative Safeguards, physical Physical Safeguards and technical safeguards Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, integrity and availability of electronic protected health information PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity. Business Associate agrees to use reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure, or request. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this ContractBAA. Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this ContractBAA, or including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, and any security incident Security Incident of which it becomes aware, within five (5) days of the incident’s occurrence or Business Associate’s discovery thereof. Business Associate agrees, in accordance with 45 C.F.R. 
§§ 502(e)(1)(ii) and 164.308(d)(2), if applicable, agrees to ensure that any subcontractors that createagent, receiveincluding a subcontractor or vendor, maintain to whom it provides PHI received from, or transmit protected health information created or received by Business Associate on behalf of Business Associate, agree Covered Entity agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this BAA to Business Associate with respect to such informationinformation through a contractual arrangement that complies with 45 C.F.R. § 164.314. Business Associate agrees to provide access (including inspection, obtaining a copy paper or both)electronic access, at the request of Covered Entity, Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate shall not charge any fees greater than must provide Covered Entity with the lesser of information requested in the amount charged electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity to an Individual for such records; the amount permitted by state law; or Business Associate’s actual cost of postage, labor and supplies for complying with the requestEntity. Business Associate agrees to make any amendments amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered EntityEntity or an Individual, and in the time and manner designated by Covered Entity. 
If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall promptly notify Covered Entity upon receipt of such request. Business Associate agrees to make its internal practices, books, and records, including policies and procedures and PHIprocedures, relating to the use and disclosure of PHI received from, or created, maintained, transmitted created or received by, by Business Associate on behalf of Covered Entity available to Covered Entity, available or at the request of Covered Entity to the Secretary Secretary, in a time and manner agreed to by the Parties or designated by Covered Entity or the Secretary, for the purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA StandardsOmnibus Rule. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder164.528. Business Associate agrees to provide to Covered EntityEntity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with subsection 18.6.10 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder164.528. If Business Associate agrees at Covered Entity’s direction to provide an accounting of disclosures of accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured PHI directly to an Individual (as defined in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. 
§ 17935164.402) and any regulations promulgated thereunder. Business Associate agrees to comply with any state or federal law that is More Stringent than the Privacy Rule. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. In the event that an Individual requests that Business Associate: restrict disclosures of PHI; provide an accounting of disclosures of the Individual’s PHI; provide a copy of the Individual’s PHI in an electronic health record; or amend PHI in the Individual’s designated record set, Business Associate agrees to notify for Covered Entity, in writing, within five (5) Business Days of the request. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: the written approval of Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. Obligations in the Event of a HIPAA Breach. Business Associate agrees thatshall, following the discovery by Business Associate or by of a subcontractor of Business Associate of any use or disclosure not provided for by this Contract, any HIPAA Breach of Unsecured Protected Health Informationsuch information, or any Security Incident, it shall notify Covered Entity of such HIPAA Breach in accordance with 45 C.F.R. part 164, subpart D, and this BAA. 
Such notification shall be provided by Business Associate to Covered Entity without unreasonable delay, and in no case later than within a period of five (5) Business Days days after the HIPAA Breach is discovered by Business Associate, or a subcontractor of Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A HIPAA Breach is considered discovered as discovery of the first Calendar Day on which it is, or reasonably should have been, known to Business Associate or its subcontractorbreach. The notification Such notice shall include include: a) the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) individual whose Unsecured Protected Health Information PHI has been, or is reasonably believed by Business Associate to have been, been accessed, acquired, acquired or disclosed during such HIPAA Breach. Business Associate agrees to include in the notification to Covered Entity at least the following information: A ; b) a brief description of what happened, including the date of the HIPAA Breach; the date of the Breach and discovery of the HIPAA Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. A c) a description of the types type of Unsecured Protected Health Information PHI that were was involved in the HIPAA Breach (such as full nameBreach; d) a description of the investigation into the Breach, Social Security number, date of birth, home address, account number, or disability code). 
The and the steps taken by Business Associate recommends that Individual(sto mitigate harm to the affected Individuals and protect against further Breaches; e) take the results of any and all investigation performed by Business Associate related to protect themselves from potential harm resulting from the HIPAA Breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the Breach and Business Associate’s investigation of the Breach. A detailed description of what To the extent the Business Associate is doing carrying out an obligation of the Covered Entity’s under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation. Business Associate agrees that it will not receive remuneration directly or has done to investigate the HIPAA Breach, to mitigate losses, and to protect against any further HIPAA Breaches. Whether a law enforcement official has advised Business Associate, either verbally or indirectly in writing, that he or she has determined that notification or notice to Individuals or the posting required exchange for PHI without authorization unless an exception under 45 C.F.R. § 164.412 would impede a criminal investigation 164.502(a)(5)(ii)(B)(2) applies. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of “Marketing” under 45 C.F.R. § 164.501, unless permitted by 45 C.F.R. § 164.508(a)(3)(i)(A)-(B). If applicable, Business Associate agrees that it will not use or cause damage to national security and, if so, contact disclose genetic information for said official“underwriting purposes”, as that term is defined in 45 C.F.R. § 164.502. 
Business Associate hereby agrees to comply with state laws and rules and regulations applicable to PHI and Individuals’ personal information it receives from Covered Entity during the term of the Contract. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law and rules and regulations; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law as applicable.

Appears in 1 contract

Samples: ridop.ri.gov

Obligations and Activities of Business Associate. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Contract or any other duly executed agreement with Covered Entity or as Required by Law. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Contract and in accordance with HIPAA standards. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Contract. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Contract or any other duly executed agreement with Covered Entity or any security incident of which it becomes aware. Business Associate agrees, in accordance with 45 C.F.R. §§ 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection 18.6.10 of this Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. In the event that an Individual requests that the Business Associate restrict disclosures of PHI; provide an accounting of disclosures of the Individual’s PHI; provide a copy of the Individual’s PHI in an electronic health record; or amend PHI in the Individual’s designated record set the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract or any other duly executed agreement with Covered Entity, and the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. Obligations in the Event of a HIPAA Breach.
The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this Contract, any HIPAA Breach breach of Unsecured Protected Health Informationunsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such HIPAA Breach breach in accordance with 45 C.F.R. part 164, subpart D, and this BAAContract. Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than five thirty (530) Business Days days after the HIPAA Breach breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A HIPAA Breach breach is considered discovered as of the first Calendar Day day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose Unsecured Protected Health Information unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such HIPAA Breachbreach. The Business Associate agrees to include in the notification to the Covered Entity at least the following information: A description of what happened, including the date of the HIPAA Breachbreach; the date of the discovery of the HIPAA Breachbreach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 
A description of the types of Unsecured Protected Health Information unsecured protected health information that were involved in the HIPAA Breach breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the HIPAA Breachbreach. A detailed description of what the Business Associate is doing or has done to investigate the HIPAA Breachbreach, to mitigate losses, and to protect against any further HIPAA Breachesbreaches. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, contact information for said official.

Appears in 1 contract

Samples: Contract

Obligations and Activities of Business Associate. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Agreement or any other duly executed agreement with Covered Entity or as Required by Law. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Agreement and in accordance with HIPAA standards. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement or any other duly executed agreement with Covered Entity or any security incident of which it becomes aware. Business Associate agrees, in accordance with 45 C.F.R. §§ 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of Business Associate, agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of Covered Entity, and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. 
§ 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by Covered Entity to an Individual for such records; the amount permitted by state law; or Business Associate’s actual cost of postage, labor and supplies for complying with the request. Business Associate agrees to make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity, and in the time and manner designated by Covered Entity. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to provide to Covered Entity, in a time and manner designated by Covered Entity, information collected in accordance with subsection 6.10 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
Business Associate agrees at Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. In the event that an Individual requests that Business Associate: restrict disclosures of PHI; provide an accounting of disclosures of the Individual’s PHI; provide a copy of the Individual’s PHI in an electronic health record; or amend PHI in the Individual’s designated record set, Business Associate agrees to notify Covered Entity, in writing, within five (5) business days of the request. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: the written approval of Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Agreement or any other duly executed agreement with Covered Entity, and the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. Obligations in the Event of a HIPAA Breach.
Business Associate agrees that, following the discovery by Business Associate or by a subcontractor of Business Associate of any use or disclosure not provided for by this Agreement, any HIPAA Breach of unsecured protected health information, or any Security Incident, it shall notify Covered Entity of such HIPAA Breach in accordance with 45 C.F.R. part 164, subpart D, and this BAA. Such notification shall be provided by Business Associate to Covered Entity without unreasonable delay, and in no case later than five (5) business days after the HIPAA Breach is discovered by Business Associate, or a subcontractor of Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A HIPAA Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured protected health information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such HIPAA Breach. Business Associate agrees to include in the notification to Covered Entity at least the following information: A description of what happened, including the date of the HIPAA Breach; the date of the discovery of the HIPAA Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed.
A description of the types of unsecured protected health information that were involved in the HIPAA Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). The steps Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the HIPAA Breach. A detailed description of what Business Associate is doing or has done to investigate the HIPAA Breach, to mitigate losses, and to protect against any further HIPAA Breaches. Whether a law enforcement official has advised Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, contact information for said official.

Appears in 1 contract

Samples: Personal Service Agreement
