Common use of PERMITTED USES AND DISCLOSURES OF BUSINESS ASSOCIATE Clause in Contracts

PERMITTED USES AND DISCLOSURES OF BUSINESS ASSOCIATE. (a) Except as otherwise limited in this Addendum, CONEXIS may use or disclose PHI, provided that such use or disclosure of PHI would not violate the Privacy Rule or the HITECH Act, as follows: (a) as permitted or required in this Addendum and in the Agreement; (b) as otherwise permitted by the Privacy Rule and the HITECH Act and any accompanying regulations; (c) as Required by Law; (d) for the proper management and administration of CONEXIS; (e) to fulfill any present or future legal responsibilities of CONEXIS; (f) for Data Aggregation services to the Plan (as defined in 45 CFR § 164.501); or (g) any use and disclosure of PHI that has been de-identified in accordance with 45 CFR § 164.514. (b) CONEXIS agrees to document any disclosures of PHI and the information related to such disclosures to respond to an accounting of disclosures of PHI if requested by the Plan in accordance with 45 CFR §164.528, and to provide such documentation to the Plan as it may request from time to time. (c) In the event that CONEXIS maintains PHI in a Designated Record Set, CONEXIS agrees to provide access to such PHI that it maintains in a Designated Record Set to the Individual to whom the PHI relates in accordance with 45 CFR § 164.524. Furthermore, at the reasonable request of the Plan, CONEXIS agrees to make amendments to PHI that it maintains in a Designated Record Set as directed by the Plan and to reasonably incorporate any amendments to PHI in accordance with 45 CFR § 164.526. (d) CONEXIS may disclose PHI to its agents or subcontractors with a bona fide need to know such PHI, but only if, prior to such disclosure, such agents or subcontractors provide reasonable assurances that they will agree to substantially the same restrictions and conditions that apply to CONEXIS with respect to such PHI, including electronic PHI. 
(e) CONEXIS may disclose the PHI revealed to it by the Plan if and to the extent that such disclosure is required by law or court order or as otherwise permitted by law. Further, CONEXIS agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by CONEXIS on behalf of the Plan available to the Secretary, as requested by the Plan or designated by the Secretary, for purposes of the Secretary determining the Plan’s compliance with the Privacy Rule. (f) In accordance with 45 CFR §164.520, and to the extent that such a limitation may affect the Business Associate’s use or disclosure of PHI, Employer, acting on behalf of the Plan, agrees to notify CONEXIS of any limitation(s) in the notice of privacy practices required by the Privacy Rules, including, without limitation, any changes in or revocation of permission by an Individual to use or disclose PHI. Employer, acting on behalf of the Plan, also agrees to notify CONEXIS of any restriction to the use or disclosure of PHI that Employer has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect CONEXIS’ use or disclosure of PHI. Employer acknowledges and agrees that CONEXIS is not bound by any such restrictions that impact CONEXIS’ use or disclosure of PHI to the extent such restrictions are not otherwise required by the HIPAA Privacy Rules and/or the HITECH Act and CONEXIS has not consented to such restrictions in advance. CONEXIS agrees not to unreasonably withhold consent. (g) CONEXIS agrees to mitigate, to the extent practicable, any harmful effect that is known to CONEXIS and/or its agents or subcontractors of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Addendum. 
(h) CONEXIS agrees to take steps to implement administrative, technical and physical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI maintained by CONEXIS on behalf of the Plan. CONEXIS will report to the Plan’s designated representative any use or disclosure of PHI otherwise than as provided by this Agreement, including any Security Incident, as soon as reasonably possible of becoming aware of such use or disclosure. As of the Compliance Date of 42 U.S.C. § 17931 and the regulations issued thereunder, CONEXIS agrees to comply with the Security Rule requirements set forth in 45 C.F.R. §§ 164.308, 164.310, 164.312, and ▇▇▇.▇▇▇.▇▇ addition, CONEXIS hereby agrees that it shall report to the Plan’s designated representative, without unreasonable delay, but not longer than 30 days following its discovery of any incident that, in CONEXIS’ reasonable determination, constitutes a Privacy Breach of Unsecured PHI. CONEXIS shall provide such notice to the Plan’s designated representative in accordance with 45 CFR 164.410 of the Breach Notification Rules, subject to the law enforcement delay set forth in 45 CFR 164.412. In addition, CONEXIS may, in its sole discretion, provide any of the following notices of any incident that constitutes a Privacy Breach for which CONEXIS is required to provide notice to the Plan’s designated representative as set forth herein: (i) notice to affected individuals, including any substitute notice as necessary in accordance with 45 CFR 164.404 (ii) if required (and to the extent permitted under applicable law), immediate notice to the Secretary of the Department of Health and Human Services (“HHS”), including maintaining a log or other documentation of Privacy Breaches to be provided to the Secretary on an annual basis in accordance with 45 CFR 164.408 and (iii) if required, notice to a media outlet in accordance with 45 CFR 164.406.

Appears in 1 contract

Sources: Administrative Services Agreement

PERMITTED USES AND DISCLOSURES OF BUSINESS ASSOCIATE. (a) Except as otherwise limited in this AddendumAgreement, CONEXIS O.C.A. may use or disclose PHI, provided that such use or disclosure of PHI would not violate the Privacy Rule or the HITECH ActRule, as follows: (a) as permitted or required in this Addendum and in to perform the Agreementagreed upon services for the Group Health Plan; (b) as otherwise permitted by the Privacy Rule and the HITECH Act and any accompanying regulationsRule; (c) as Required by Law; (d) for the proper management and administration of CONEXISO.C.A.; (e) to fulfill any present or future legal responsibilities of CONEXISO.C.A.; (f) for Data Aggregation services to the Plan (as defined in 45 CFR § 164.501); or (g) any use and disclosure of PHI that has been de-identified in accordance with 45 CFR § 164.514. (b) CONEXIS O.C.A. agrees to document any disclosures of PHI and the information related to such disclosures to respond to an accounting of disclosures of PHI if requested by the Plan in accordance with 45 CFR §164.528, and to provide such documentation to the Plan as it may request from time to time. (c) In the event that CONEXIS O.C.A. maintains PHI in a Designated Record Set, CONEXIS O.C.A. agrees to provide access to such PHI that it maintains in a Designated Record Set to the Individual to whom the PHI relates in accordance with 45 CFR § 164.524. Furthermore, at the reasonable request of the Plan, CONEXIS O.C.A. agrees to make amendments to PHI that it maintains in a Designated Record Set as directed by the Plan and to reasonably incorporate any amendments to PHI in accordance with 45 CFR § 164.526. (d) CONEXIS O.C.A. may disclose PHI to its agents or subcontractors with a bona fide need to know such PHI, but only if, prior to such disclosure, such agents or subcontractors provide reasonable assurances that they will agree to substantially the same restrictions and conditions that apply to CONEXIS O.C.A. 
with respect to such PHI, including electronic PHI. (e) CONEXIS O.C.A. may disclose the PHI revealed to it by the Plan if and to the extent that such disclosure is required by law or court order or as otherwise permitted by law. Further, CONEXIS agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by CONEXIS on behalf of the Plan available to the Secretary, as requested by the Plan or designated by the Secretary, for purposes of the Secretary determining the Plan’s compliance with the Privacy Rule. (f) In accordance with 45 CFR §164.520, and to the extent that such a limitation may affect the Business Associate’s use or disclosure of PHI, Employer, acting on behalf of the Plan, agrees to notify CONEXIS of any limitation(s) in the notice of privacy practices required by the Privacy Rules, including, without limitation, any changes in or revocation of permission by an Individual to use or disclose PHI. Employer, acting on behalf of the Plan, also agrees to notify CONEXIS of any restriction to the use or disclosure of PHI that Employer has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect CONEXIS’ use or disclosure of PHI. Employer acknowledges and agrees that CONEXIS is not bound by any such restrictions that impact CONEXIS’ use or disclosure of PHI to the extent such restrictions are not otherwise required by the HIPAA Privacy Rules and/or the HITECH Act and CONEXIS has not consented to such restrictions in advance. CONEXIS agrees not to unreasonably withhold consent. (g) CONEXIS agrees to mitigate, to the extent practicable, any harmful effect that is known to CONEXIS and/or its agents or subcontractors of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Addendum. 
(h) CONEXIS agrees to take steps to implement administrative, technical and physical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI maintained by CONEXIS on behalf of the Plan. CONEXIS will report to the Plan’s designated representative any use or disclosure of PHI otherwise than as provided by this Agreement, including any Security Incident, as soon as reasonably possible of becoming aware of such use or disclosure. As of the Compliance Date of 42 U.S.C. § 17931 and the regulations issued thereunder, CONEXIS agrees to comply with the Security Rule requirements set forth in 45 C.F.R. §§ 164.308, 164.310, 164.312, and ▇▇▇.▇▇▇.▇▇ addition, CONEXIS hereby agrees that it shall report to the Plan’s designated representative, without unreasonable delay, but not longer than 30 days following its discovery of any incident that, in CONEXIS’ reasonable determination, constitutes a Privacy Breach of Unsecured PHI. CONEXIS shall provide such notice to the Plan’s designated representative in accordance with 45 CFR 164.410 of the Breach Notification Rules, subject to the law enforcement delay set forth in 45 CFR 164.412. In addition, CONEXIS may, in its sole discretion, provide any of the following notices of any incident that constitutes a Privacy Breach for which CONEXIS is required to provide notice to the Plan’s designated representative as set forth herein: (i) notice to affected individuals, including any substitute notice as necessary in accordance with 45 CFR 164.404 (ii) if required (and to the extent permitted under applicable law), immediate notice to the Secretary of the Department of Health and Human Services (“HHS”), including maintaining a log or other documentation of Privacy Breaches to be provided to the Secretary on an annual basis in accordance with 45 CFR 164.408 and (iii) if required, notice to a media outlet in accordance with 45 CFR 164.406.

Appears in 1 contract

Sources: Business Associate Agreement

PERMITTED USES AND DISCLOSURES OF BUSINESS ASSOCIATE. (a) Except as otherwise limited in this Addendum, CONEXIS FLEX may use or disclose PHI, provided that such use or disclosure of PHI would not violate the Privacy Rule or the HITECH ActRule, as follows: (a) as permitted or required in this Addendum and in the Agreement; (b) as otherwise permitted by the Privacy Rule and the HITECH Act and any accompanying regulationsRule; (c) as Required by Law; (d) for the proper management and administration of CONEXISFLEX; (e) to fulfill any present or future legal responsibilities of CONEXISFLEX; (f) for Data Aggregation services to the Plan (as defined in 45 CFR § 164.501); or (g) any use and disclosure of PHI that has been de-identified in accordance with 45 CFR § 164.514. (b) CONEXIS FLEX agrees to document any disclosures of PHI and the information related to such disclosures to respond to an accounting of disclosures of PHI if requested by the Plan in accordance with 45 CFR §164.528, and to provide such documentation to the Plan as it may request from time to time. (c) In the event that CONEXIS FLEX maintains PHI in a Designated Record Set, CONEXIS FLEX agrees to provide access to such PHI that it maintains in a Designated Record Set to the Individual to whom the PHI relates in accordance with 45 CFR § 164.524. Furthermore, at the reasonable request of the Plan, CONEXIS FLEX agrees to make amendments to PHI that it maintains in a Designated Record Set as directed by the Plan and to reasonably incorporate any amendments to PHI in accordance with 45 CFR § 164.526. (d) CONEXIS FLEX may disclose PHI to its agents or subcontractors with a bona fide need to know such PHI, but only if, prior to such disclosure, such agents or subcontractors provide reasonable assurances that they will agree to substantially the same restrictions and conditions that apply to CONEXIS FLEX with respect to such PHI, including electronic PHI.
(e) CONEXIS FLEX may disclose the PHI revealed to it by the Plan if and to the extent that such disclosure is required by law or court order or as otherwise permitted by law. Further, CONEXIS FLEX agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by CONEXIS FLEX on behalf of the Plan available to the Secretary, as requested by the Plan or designated by the Secretary, for purposes of the Secretary determining the Plan’s compliance with the Privacy Rule. (f) In accordance with 45 CFR §164.520, and to the extent that such a limitation may affect the Business Associate’s use or disclosure of PHI, EmployerClient, acting on behalf of the Plan, agrees to notify CONEXIS FLEX of any limitation(s) in the notice of privacy practices required by the Privacy Rules, including, without limitation, any changes in or revocation of permission by an Individual to use or disclose PHI. EmployerClient, acting on behalf of the Plan, also agrees to notify CONEXIS FLEX of any restriction to the use or disclosure of PHI that Employer Client has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect CONEXIS’ use FLEX’s use or disclosure of PHI. Employer Client acknowledges and agrees that CONEXIS FLEX is not bound by any such restrictions that impact CONEXIS’ FLEX’s use or disclosure of PHI to the extent such restrictions are not otherwise required by the HIPAA Privacy Rules and/or the HITECH Act and CONEXIS FLEX has not consented to such restrictions in advance. CONEXIS FLEX agrees not to unreasonably withhold consent. (g) CONEXIS agrees to mitigate, to the extent practicable, any harmful effect that is known to CONEXIS and/or its agents or subcontractors of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Addendum.
(h) CONEXIS FLEX agrees to take steps to implement administrative, technical and physical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI maintained by CONEXIS FLEX on behalf of the Plan. CONEXIS FLEX will report to the Plan’s designated representative any use or disclosure of PHI otherwise than as provided by this Agreement, including any Security Incident, as soon as reasonably possible of becoming aware of such use or disclosure. As of the Compliance Date of 42 U.S.C. § 17931 and the regulations issued thereunder, CONEXIS agrees to comply with the Security Rule requirements set forth in 45 C.F.R. §§ 164.308, 164.310, 164.312, and ▇▇▇.▇▇▇.▇▇ addition, CONEXIS (i) FLEX hereby agrees that it shall report to the Plan’s designated representative, without unreasonable delay, but not longer than 30 60 days following its discovery of any incident that, in CONEXIS’ FLEX’s reasonable determination, constitutes a Privacy Breach of Unsecured PHI. CONEXIS FLEX shall provide such notice to the Plan’s designated representative in accordance with 45 CFR 164.410 of the Breach Notification Rules, subject to the law enforcement delay set forth in 45 CFR 164.412.
In addition, CONEXIS FLEX may, in its sole discretion, provide any of the following notices of any incident that constitutes a Privacy Breach for which CONEXIS FLEX is required to provide notice to the Plan’s designated representative as set forth herein: (i) notice to affected individuals, including any substitute notice as necessary in accordance with 45 CFR 164.404 (ii) if required (and to the extent permitted under applicable law)required, immediate notice to the Secretary of the Department of Health and Human Services (“HHS”), including maintaining a log or other documentation of Privacy Breaches to be provided to the Secretary on an annual basis in accordance with 45 CFR 164.408 and (iii) if requiredrequired and to the extent permitted by law, notice to a media outlet in accordance with 45 CFR 164.406. (h) Notices to Plan and Client. (i) Immediately following execution of this Addendum, Client will provide FLEX with written notice identifying the Plan’s and the Client’s designated representative for purposes of receiving notices required by FLEX under this Addendum. (ii) Client agrees to provide prompt written notice to FLEX of any changes to the names or positions of employees identified by Client as a designated representative of the Client and/or the Plan. FLEX shall have no duty to inquire whether the list of Designated Persons is accurate. (iii) Client shall indemnify and hold FLEX, its employees, agents and Affiliates harmless for any and all liability FLEX may incur as a result of any improper use or disclosure of PHI by Client or a designated representative. (i) To the extent applicable, FLEX, the Client and the Plan agree to comply with the provisions of the Electronic Data Interchange Rule with respect to PHI disclosed by the parties.

Appears in 1 contract

Sources: Administrative Services Agreement