Common use of Privacy and Security Safeguards Clause in Contracts

Privacy and Security Safeguards. (a) Participant and IHIN shall implement and maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, privacy, security, integrity and availability of electronic health information accessible through IHIN, to protect it against reasonably anticipated threats or hazards, and to prevent its use or disclosure otherwise than as permitted by this Agreement or required by law. To that end, each Participant and IHIN shall: (i) provide for appropriate identification and authentication of their Authorized Users and IHIN’s Authorized Personnel, respectively; (ii) provide appropriate access authorization; (iii) guard against unauthorized access to or use of health information; and (iv) provide appropriate security audit controls and documentation. Such safeguards shall comply with HIPAA, all applicable federal, state, and local requirements, and IHIN Policies and Standards. (b) Participant and IHIN shall each maintain reasonable and appropriate security practices, in accordance with the minimum standards and guidelines in the IHIN Security Policies established by the IHIN, with regard to all personnel, systems, physical and administrative processes used by each party to transmit, store and process electronic health information through the use of IHIN. Participant and the IHIN each shall be responsible for establishing and maintaining their respective security management procedures, security incident procedures, contingency plans, audit procedures, facility access controls, workstation use controls and security, device and media controls, authentication procedures, and security policies and procedures to protect electronic health information accessible through IHIN. (c) Participant shall notify IHIN within five (5) days of Participant’s receipt of any adverse audit findings related to Participant’s participation in IHIN and the resolution of such findings. 
Participant shall notify IHIN of any Security Incident relating to IHIN interface or connection of which Participant becomes aware, or any unauthorized use or disclosure of information within or obtained from IHIN within five (5) days, and shall cooperate with IHIN in investigating the incident and shall take such action to mitigate any breach or suspected breach. IHIN shall notify Participant of any Security Incident relating to the Participant's shared PHI of which IHIN becomes aware, or any unauthorized use or disclosure of Participant's PHI within, or obtained from, IHIN of which IHIN becomes aware, within five (5) days of IHIN becoming aware of either the Security Incident or unauthorized use or disclosure of Participant’s PHI, and shall cooperate with Participant in investigating the Security Incident and shall take such action to mitigate any breach or suspected breach.
(d) When Transacting Message Content over the nationwide eHealth Exchange through IHIN Participant shall (i) comply with all Applicable Law; (ii) reasonably cooperate with IHIN on issues related to this Agreement and with the eHealth Exchange DURSA; (iii) Transact Message Content only for permitted purposes as outlined in Restatement I of the DURSA (FINAL September 30, 2014); (iv) use Message Content received from another Participant in accordance with the terms and conditions of this Agreement; (v) as soon as reasonably practicable but no later than one (1) hour after discovering information that leads an IHIN Participant to reasonably believe that a Breach related to Transacting Message Content pursuant to the DURSA may have occurred, alert IHIN to the suspected breach; and twenty-four (24) hours after determining that a Breach related to Transacting Message Content pursuant to the DURSA has occurred, provide a Notification of any such Breach to IHIN; (vi) refrain from disclosing to any other person any passwords or other security measures issued to the Authorized User by IHIN or the Participant Account Administrator; and (vii) comply with the provisions outlined in Restatement I of the DURSA (FINAL September 30, 2014) and the eHealth Exchange Performance and Service Specifications and the Operating Policies and Procedures. These policies are available at the eHealth Exchange website available here: ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/ehealthexchange/onboarding/.

Appears in 1 contract

Sources: Participation Agreement

Privacy and Security Safeguards. (a) Participant and IHIN OKSHINE shall implement and maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, privacy, security, integrity and availability of electronic health information accessible through IHINOKSHINE, to protect it against reasonably anticipated threats or hazards, and to prevent its use or disclosure otherwise than as permitted by this Participation Agreement or required by law. To that end, each Participant and IHIN OKSHINE shall: (i) provide for appropriate identification and authentication of their Authorized Users and IHIN’s Authorized PersonnelAdministrative Users, respectively; (ii) provide appropriate access authorization; (iii) guard against unauthorized access to or use of protected health information; and (iv) provide appropriate security audit controls and documentation. ; and Such safeguards shall comply with HIPAA, all applicable federal, state, and local requirements, and IHIN Policies and StandardsOKSHINE Policies. (b) Participant and IHIN OKSHINE shall each maintain reasonable and appropriate security practices, in accordance with at least the minimum standards and guidelines in the IHIN OKSHINE Security Policies established by the IHIN, with regard to all personnel, systems, physical and administrative processes used by each party to transmit, store and process electronic health information through the use of IHINOKSHINE. Participant and the IHIN OKSHINE each shall be responsible for establishing and maintaining their respective security management procedures, security incident procedures, contingency plans, audit procedures, facility access controls, workstation use controls and security, device and media controls, authentication procedures, and security policies and procedures to protect electronic health information accessible through IHINOKSHINE. 
(c) Participant shall notify IHIN OKSHINE within five (5) days of Participant’s receipt of any adverse audit adverseaudit findings related to Participant’s participation in IHIN OKSHINE and the resolution of such findings. As required through the Business Associate Agreement (Exhibit C), Participant shall notify IHIN OKSHINE of any Security Incident relating to IHIN OKSHINE interface or connection of which Participant becomes aware, or any unauthorized use or disclosure of information within or obtained from IHIN OKSHINE within five (5) days, days and shall cooperate with IHIN OKSHINE in investigating the incident and shall take such action to mitigate any breach or suspected breach. IHIN OKSHINE shall notify Participant of any Security Incident relating to the Participant's shared PHI of which IHIN OKSHINE becomes aware, or any unauthorized use or disclosure of Participant's PHI within, or obtained from, IHIN OKSHINE of which IHIN OKSHINE becomes aware, within five (5) days of IHIN OKSHINE becoming aware of either the Security Incident or unauthorized use or disclosure of Participant’s PHI, and shall cooperate with Participant in investigating the Security Incident and shall take such action to mitigate any breach or suspected breach. 
(d) When Transacting Message Content over the nationwide eHealth Exchange through IHIN OKSHINE, Participant shall (i) comply with all Applicable Law; (ii) reasonably cooperate with IHIN OKSHINE on issues related to this Participation Agreement and with the eHealth Exchange DURSA; ; (iii) Transact Message Content only for permitted purposes as outlined in Restatement I II of the DURSA (FINAL September 30August 13, 20142019); (iv) use Message Content received from another Participant in accordance with the terms and conditions of this Agreement; (v) as soon as reasonably practicable but no later than one (1) hour after discovering information that leads an IHIN Participant to reasonably believe that a Breach related to Transacting Message Content pursuant to the DURSA may have occurred, alert IHIN to the suspected breach; and twenty-four (24) hours after determining that a Breach related to Transacting Message Content pursuant to the DURSA has occurred, provide a Notification of any such Breach to IHIN; (vi) refrain from disclosing to any other person any passwords or other security measures issued to the Authorized User by IHIN or the Participant Account Administrator; and (vii) comply with the provisions outlined in Restatement I of the DURSA (FINAL September 30, 2014) and the eHealth Exchange Performance and Service Specifications and the Operating Policies and Procedures. These policies are available at the eHealth Exchange website available here: ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/ehealthexchange/onboarding/.;

Appears in 1 contract

Sources: Participation Agreement

Privacy and Security Safeguards. (a) Participant and the IHIN shall implement and maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, privacy, security, integrity and availability of electronic health information accessible through the IHIN, to protect it against reasonably anticipated threats or hazards, and to prevent its use or disclosure otherwise than as permitted by this Agreement or required by law. To that end, each Participant and the IHIN shall: (i) provide for appropriate identification and authentication of their Authorized Users and IHIN’s Authorized Personnel, respectively; (ii) provide appropriate access authorization; (iii) guard against unauthorized access to or use of health information; and (iv) provide appropriate security audit controls and documentation. Such safeguards shall comply with HIPAA, all applicable federal, state, and local requirements, and IHIN the Policies and Standards. (b) Participant and the IHIN shall each maintain reasonable and appropriate security practices, in accordance with the minimum standards and guidelines in the IHIN Security Policies established by the IHIN, with regard to all personnel, systems, physical and administrative processes used by each party to transmit, store and process electronic health information through the use of the IHIN. Participant and the IHIN each shall be responsible for establishing and maintaining their respective security management procedures, security incident procedures, contingency plans, audit procedures, facility access controls, workstation use controls and security, device and media controls, authentication procedures, and security policies and procedures to protect electronic health information accessible through the IHIN. 
(c) Participant shall notify the IHIN within five seven (57) days of Participant’s receipt of any adverse audit findings related to Participant’s participation in the IHIN and the resolution of such findings. Participant shall notify the IHIN of any Security Incident relating to the IHIN interface or connection of which Participant becomes aware, or any unauthorized use or disclosure of information within or obtained from the IHIN within five seven (57) days, and shall cooperate with the IHIN in investigating the incident and shall take such action to mitigate any breach or suspected breach. The IHIN shall notify Participant of any Security Incident relating to the Participant's shared PHI Shared Protected Health Information of which the IHIN becomes aware, or any unauthorized use or disclosure of Participant's PHI Shared Protected Health Information within, or obtained from, the IHIN of which the IHIN becomes aware, within five seven (57) days of the IHIN becoming aware of either the Security Incident or unauthorized use or disclosure of Participant’s PHIShared Protected Health Information, and shall cooperate with Participant in investigating the Security Incident and shall take such action to mitigate any breach or suspected breach. 
(d) When Transacting Message Content over the nationwide eHealth Exchange through IHIN Participant shall (i) comply with all Applicable Law; (ii) reasonably cooperate with IHIN on issues related to this Agreement and with the eHealth Exchange DURSA; (iii) Transact Message Content only for permitted purposes as outlined in Restatement I of the DURSA (FINAL September 30, 2014); (iv) use Message Content received from another Participant in accordance with the terms and conditions of this Agreement; (v) as soon as reasonably practicable but no later than one (1) hour after discovering information that leads an IHIN Participant to reasonably believe that a Breach related to Transacting Message Content pursuant to the DURSA may have occurred, alert IHIN to the suspected breach; and twenty-four (24) hours after determining that a Breach related to Transacting Message Content pursuant to the DURSA has occurred, provide a Notification of any such Breach to IHIN; (vi) refrain from disclosing to any other person any passwords or other security measures issued to the Authorized User by IHIN or the Participant Account Administrator; and (vii) comply with the provisions outlined in Restatement I of the DURSA (FINAL September 30, 2014) and the eHealth Exchange Performance and Service Specifications and the Operating Policies and Procedures. These policies are available at the eHealth Exchange website available here: ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/ehealthexchange/onboarding/.

Appears in 1 contract

Sources: Standard Participation Agreement

Privacy and Security Safeguards. (a) Participant and IHIN shall implement and maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, privacy, security, integrity and availability of electronic health information accessible through IHIN, to protect it against reasonably anticipated threats or hazards, and to prevent its use or disclosure otherwise than as permitted by this Agreement or required by law. To that end, each Participant and IHIN shall: (i) provide for appropriate identification and authentication of their Authorized Users and IHIN’s Authorized Personnel, respectively; (ii) provide appropriate access authorization; (iii) guard against unauthorized access to or use of health information; and (iv) provide appropriate security audit controls and documentation. Such safeguards shall comply with HIPAA, all applicable federal, state, and local requirements, and IHIN Policies and Standards. (b) Participant and IHIN shall each maintain reasonable and appropriate security practices, in accordance with the minimum standards and guidelines in the IHIN Security Policies established by the IHIN, with regard to all personnel, systems, physical and administrative processes used by each party to transmit, store and process electronic health information through the use of IHIN. Participant and the IHIN each shall be responsible for establishing and maintaining their respective security management procedures, security incident procedures, contingency plans, audit procedures, facility access controls, workstation use controls and security, device and media controls, authentication procedures, and security policies and procedures to protect electronic health information accessible through IHIN. (c) Participant shall notify IHIN within five (5) days of Participant’s receipt of any adverse audit findings related to Participant’s participation in IHIN and the resolution of such findings. 
Participant shall notify IHIN of any Security Incident relating to IHIN interface or connection of which Participant becomes aware, or any unauthorized use or disclosure of information within or obtained from IHIN within five (5) days, days and shall cooperate with IHIN in investigating the incident and shall take such action to mitigate any breach or suspected breach. IHIN shall notify Participant of any Security Incident relating to the Participant's shared PHI of which IHIN becomes aware, or any unauthorized use or disclosure of Participant's PHI within, or obtained from, IHIN of which IHIN becomes aware, within five (5) days of IHIN becoming aware of either the Security Incident or unauthorized use or disclosure of Participant’s PHI, and shall cooperate with Participant in investigating the Security Incident and shall take such action to mitigate any breach or suspected breach.
(d) When Transacting Message Content over the nationwide eHealth Exchange through IHIN Participant shall (i) comply with all Applicable Law; (ii) reasonably cooperate with IHIN on issues related to this Agreement and with the eHealth Exchange DURSA; (iii) Transact Message Content only for permitted purposes as outlined in Restatement I of the DURSA (FINAL September 30, 2014); (iv) use Message Content received from another Participant in accordance with the terms and conditions of this Agreement; (v) as soon as reasonably practicable but no later than one (1) hour after discovering information that leads an IHIN Participant to reasonably believe that a Breach related to Transacting Message Content pursuant to the DURSA may have occurred, alert IHIN to the suspected breach; and twenty-four (24) hours after determining that a Breach related to Transacting Message Content pursuant to the DURSA has occurred, provide a Notification of any such Breach to IHIN; (vi) refrain from disclosing to any other person any passwords or other security measures issued to the Authorized User by IHIN or the Participant Account Administrator; and (vii) comply with the provisions outlined in Restatement I of the DURSA (FINAL September 30, 2014) and the eHealth Exchange Performance and Service Specifications and the Operating Policies and Procedures. These policies are available at the eHealth Exchange website available here: ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/ehealthexchange/onboarding/.

Appears in 1 contract

Sources: Participation Agreement