Obligations of Covered Entity. Covered Entity hereby agrees to:
A. notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such change or revocation may affect Business Associate’s use or Disclosure of PHI;
B. notify Business Associate in writing of any limitation(s) in its notice of privacy practices, as required by 45 C.F.R. § 164.520, to the extent that such limitation(s) may affect Business Associate’s use or Disclosure of the PHI;
C. notify Business Associate of any restriction(s) on the use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction(s) may affect Business Associate’s use or Disclosure of PHI;
D. be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate pursuant to this BAA and the Service Agreement in accordance with the standards and requirements of the Privacy Rule until such PHI is received by Business Associate;
E. be responsible for managing all of its users of the Services including their qualified access, password restrictions, inactivity timeouts, and their ability to download and otherwise process PHI;
F. reimburse Business Associate for all reasonable costs related to a query, audit, or investigation triggered by this BAA that are due to Covered Entity’s actions or inactions and are outside the scope of the Services normally performed (such costs may include, but are not limited to, lost employee productivity, employee wages, and any external consultant required to prepare or interact with auditors); and
G. not request Business Associate to use or disclose any PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as may otherwise be provided by Section 4 of this BAA.
Appears in 2 contracts
Sources: Business Associate Agreement, Business Associate Agreement
Obligations of Covered Entity. 4.1. Covered Entity shall:
(i) Promptly provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate's use or disclosure of the PHI.
(ii) Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI under this BAA. Covered Entity will make such notification prior to the disclosure of such PHI to Business Associate or, if Covered Entity agrees or becomes subject to such restriction after disclosing the PHI to Business Associate, then Covered Entity will make such notification not later than five (5) business days prior to the date such restriction will become effective.
(iii) Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate's permitted or required uses and disclosures of PHI under this BAA.
4.2. Covered Entity shall not disclose to Business Associate more than the minimum necessary PHI for Business Associate to perform its obligations under the Underlying Agreement.
4.3. Covered Entity shall not request Business Associate to use or disclose any PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as may otherwise be provided under Section 3 of this BAA.
Appears in 2 contracts
Sources: Service Agreement, Service Agreement
Obligations of Covered Entity. a. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI under this Agreement.
b. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI under this Agreement.
c. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this Agreement (in such case, Business Associate shall abide by such restriction, unless such restriction would unreasonably burden healthcare operations).
d. Covered Entity represents that either:
1. Covered Entity is the Plan Sponsor; or
2. That Covered Entity is not the Plan Sponsor, and where Covered Entity directs or requires Business Associate to provide PHI to the Plan Sponsor, (i) Plan Sponsor is entitled to receive PHI in accordance with 45 C.F.R. § 164.504(f); (ii) Covered Entity has received a certification from the Plan Sponsor in accordance with 45 C.F.R. § 164.504(f)(2)(ii); and (iii) the Plan documents permit the Plan to receive PHI, including detailed invoices, reports and statements from Business Associate.
e. Covered Entity in performing its obligations and exercising its rights under this Agreement shall use and disclose PHI in compliance with the HIPAA Rules and shall not request Business Associate to use or disclose any PHI in any manner that would violate this Agreement or the HIPAA Rules. Covered Entity represents that a request for PHI from Business Associate to Covered Entity shall only be the minimum amount of PHI necessary to accomplish the permitted purpose of the applicable request or use.
Appears in 1 contract
Sources: Business Associate Agreement
Obligations of Covered Entity. 4.1 Covered Entity shall:
(a) Provide Business Associate with any and all necessary and accurate information regarding the permitted uses and disclosures of PHI, to the extent necessary for Business Associate to fulfill its obligations under this BAA.
(b) Represent and warrant that it has obtained all necessary authorizations, consents, and permissions required under applicable law for the use and disclosure of PHI by Covered Entity and/or Business Associate, as contemplated under an Underlying Agreement.
(c) Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of the PHI.
(d) Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this BAA.
(e) Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate's permitted or required uses and disclosures of PHI under this BAA.
4.2 Covered Entity shall not request Business Associate to use or disclose any PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as may otherwise be provided under Section 3 of this BAA.
Appears in 1 contract
Sources: Business Associate Agreement
Obligations of Covered Entity. The Covered Entity represents and warrants that it has the right and authority to disclose PHI to Business Associate for Business Associate to perform its obligations and provide services to the Covered Entity, and the Covered Entity will not request Business Associate to use or disclose PHI in any manner that would violate HIPAA, other applicable laws or the Covered Entity’s privacy notice, if done by the Covered Entity.
(a) The Covered Entity will provide Business Associate with the notice of privacy practices applicable to the Covered Entity as required by 45 C.F.R. § 164.520, and thereafter notify Business Associate of any changes to that notice if such changes affect Business Associate’s permitted or required uses and disclosures. Business Associate acknowledges that, as of the date of execution of this Agreement, the Covered Entity has provided its notice of privacy practices to Business Associate in accordance with this subsection.
(b) The Covered Entity will provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose his or her PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
(c) The Covered Entity will notify Business Associate, in writing, of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522 if such changes affect Business Associate’s permitted or required uses and disclosures.
(d) To the extent required under the HIPAA Rules, the Covered Entity will request from Business Associate only the minimum PHI necessary for Business Associate to perform or fulfill a specific function required or permitted hereunder.
Appears in 1 contract
Sources: Business Associate Agreement
Obligations of Covered Entity. If deemed applicable by Covered Entity, Covered Entity shall:
1. provide Business Associate a copy of its Notice of Privacy Practices (“Notice”) produced by Covered Entity in accordance with 45 C.F.R. §164.520 as well as any changes to such Notice;
2. provide Business Associate with any changes in, or revocation of, authorizations by Individuals relating to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures;
3. notify Business Associate of any restriction to the use and/or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI;
4. not request Business Associate to use or disclose any PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity;
5. notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a designated record set, as defined in 45 C.F.R. §164.501 (“Designated Record Set”), as maintained by Business Associate;
6. if Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual’s right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of disclosures of PHI; and
7. direct, review, and control notification made by the Business Associate to individuals regarding a breach, as defined in 45 C.F.R. §164.402 (“Breach”), of their unsecured PHI, as defined in 45 C.F.R. §164.402 (“Unsecured PHI”), in accordance with the requirements set forth in 45 C.F.R. §164.404.
Appears in 1 contract
Sources: Social Services Agreement
Obligations of Covered Entity. 4.1. Covered Entity is responsible for implementing appropriate privacy and security safeguards in order to protect Covered Entity’s PHI in compliance with all applicable law, to include HIPAA, and this BAA. Without limitation, Covered Entity will (a) utilize the highest level of audit logging in connection with Covered Entity’s use of the AIRS Service, and (b) maintain the maximum retention of logs in connection with Covered Entity’s use of the AIRS Service.
4.2. Covered Entity warrants that it has obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing PHI on the AIRS Server. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
4.3. Covered Entity will not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Business Associate to violate this BAA or any applicable law. Covered Entity shall notify Business Associate in writing of any changes in its notice of privacy practices to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Covered Entity shall provide such notice no later than fifteen (15) days prior to the effective date of the limitation.
4.4. Covered Entity will not request or cause Business Associate to make a use or disclosure of PHI in a manner that does not comply with HIPAA, this BAA, or applicable law.
Appears in 1 contract
Sources: Business Associate Agreement
Obligations of Covered Entity. Covered Entity will:
4.1 not disclose to Business Associate more PHI than the Minimum Necessary required to enable Business Associate to carry out the services for which it is contracted to provide Covered Entity, and only when such disclosure is required and will limit Business Associate’s access to Covered Entity’s ePHI to only such PHI as is needed to carry out Business Associate’s activities required to support the Agreement and this Addendum. The term Minimum Necessary is construed in accordance with the requirements in Section 13405 (b) of the HITECH Act, or as otherwise specified in the HIPAA Regulations.
4.2 have in place appropriate privacy and security safeguards to prevent the unauthorized use and disclosure of PHI and will use appropriate administrative, technical, and physical safeguards consistent with 45 C.F.R. §§ 164.308, 164.310 and 164.312 to protect the confidentiality, integrity, and availability of ePHI it receives from or transmits to Business Associate; will adopt, maintain, and update written policies and procedures consistent with the requirements of 45 C.F.R. § 164.316 with respect to such safeguards; and will impose appropriate sanctions against applicable employees, as appropriate, in the event such employee uses or discloses PHI in violation of the provisions of this Addendum.
4.3 notify Business Associate in writing of any:
(a) limitations in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of the PHI;
(b) restrictions to the use or disclosure of PHI to which Covered Entity is subject or to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI;
(c) changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
4.4 obtain any authorization or consents as may be required by law for any of the uses or disclosures of PHI pursuant to the Services.
4.5 not request Business Associate to use or disclose any PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as may otherwise be provided by Section 4 of this BAA.
Appears in 1 contract
Sources: Master Product and Service Agreement
Obligations of Covered Entity. If deemed applicable by Covered Entity, Covered Entity shall:
1. provide Business Associate a copy of its Notice of Privacy Practices (“Notice”) produced by Covered Entity in accordance with 45 C.F.R. 164.520 as well as any changes to such Notice;
2. provide Business Associate with any changes in, or revocation of, authorizations by Individuals relating to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures;
3. notify Business Associate of any restriction to the use and/or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI;
4. not request Business Associate to use or disclose any PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity;
5. notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a Designated Record Set maintained by Business Associate;
6. if Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual’s right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of disclosures of PHI; and
7. direct, review and control notification made by the Business Associate to individuals regarding a Breach of their Unsecured PHI in accordance with the requirements set forth in 45 C.F.R. §164.404.
Appears in 1 contract
Sources: Social Services Agreement
Obligations of Covered Entity. (a) Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed pursuant to 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
(d) Except as set forth in Section 4(b) and Section 4(c) of this BA Agreement, Covered Entity shall not request Business Associate to use or disclose any PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
(e) To the extent required under the HIPAA Rules, Covered Entity will request from Business Associate only the minimum PHI necessary for Business Associate to perform or fulfil a specific function required or permitted hereunder.
(f) Covered Entity represents and warrants that any and all consents, authorizations, or other permissions necessary under HIPAA for Business Associate to perform its obligations and provide services to the Covered Entity under the Client Services Agreement or the this BA Agreement have been properly secured.
(g) Covered Entity may not transmit PHI subject to a restriction, to the extent that restriction would affect Business Associate’s use/disclosure of the PHI, unless legally required to do so, without prior written permission by Business Associate.
Appears in 1 contract
Sources: Business Associate Agreement
Obligations of Covered Entity. 1. Covered Entity shall notify and consult with Business Associate as to any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information and provide a reasonable period of time for Business Associate to address such limitations. Business Associate is not obligated to agree to any limitations that cannot be supported by its then-current business operations. To the extent that Business Associate will incur any costs in connection with complying with such limitations, then Covered Entity will pay for such costs. Covered Entity shall notify and consult with Business Associate as to any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522 or Section 13405(a) of the HITECH Act, as codified at 42 U.S.C. § 17935(a), and regulations promulgated thereto, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information. Covered Entity will provide a reasonable period of time for Business Associate to address such restrictions. Business Associate is not obligated to agree to any restrictions that cannot be supported by its then-current business operations. To the extent that Business Associate will incur any costs in connection with complying with such restrictions, then Covered Entity will pay for such costs.
2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
3. Except as provided above regarding data aggregation and management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose any Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as may otherwise be provided by Section 4 of this BAA.
Appears in 1 contract
Sources: Business Associate Agreement
Obligations of Covered Entity. The Covered Component represents and warrants that it has the right and authority to disclose PHI to Business Associate for Business Associate to perform its obligations and provide services to the Covered Component, and the Covered Component will not request Business Associate to use or disclose PHI in any manner that would violate HIPAA, other applicable laws or the Covered Component’s privacy notice, if done by the Covered Component.
(a) The Covered Component will provide Business Associate with the notice of privacy practices applicable to the Covered Component as required by 45 C.F.R. § 164.520, and thereafter notify Business Associate of any changes to that notice if such changes affect Business Associate’s permitted or required uses and disclosures. Business Associate acknowledges that, as of the date of execution of this Agreement, the Covered Component has provided its notice of privacy practices to Business Associate in accordance with this subsection.
(b) The Covered Component will provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose his or her PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
(c) The Covered Component will notify Business Associate, in writing, of any restriction to the use or disclosure of PHI that the Covered Component has agreed to in accordance with 45 C.F.R. § 164.522 if such changes affect Business Associate’s permitted or required uses and disclosures.
(d) To the extent required under the HIPAA Rules, the Covered Component will request from Business Associate only the minimum PHI necessary for Business Associate to perform or fulfill a specific function required or permitted hereunder.
Appears in 1 contract
Sources: Business Associate Agreement