Common use of Safeguards and Security Clause in Contracts

Safeguards and Security.

7.2.1. Business Associate shall use safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI and other confidential data and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of the information other than as provided for by this Addendum and the Agreement. Such safeguards shall be, at a minimum, at Federal Information Processing Standards (“FIPS”) Publication 199 protection levels. Business Associate shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of Subpart C of 45 C.F.R. Part 164, in compliance with 45 C.F.R. § 164.316. Business Associate shall maintain a comprehensive written information privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of Business Associate’s operations and the nature and scope of its activities.

7.2.2. Business Associate shall, at a minimum, utilize an industry-recognized security framework when selecting and implementing its security controls, and shall maintain continuous compliance with its selected framework as it may be updated from time to time. Examples of industry-recognized security frameworks include but are not limited to:

7.2.2.1. NIST SP 800-53 - National Institute of Standards and Technology Special Publication 800-53
7.2.2.2. FedRAMP - Federal Risk and Authorization Management Program
7.2.2.3. PCI - PCI Security Standards Council
7.2.2.4. ISO/IEC 27002 - International Organization for Standardization / International Electrotechnical Commission standard 27002
7.2.2.6. IRS PUB 1075 - Internal Revenue Service Publication 1075

Appears in 2 contracts

Sources: Professional Services Agreement, Professional Services Agreement

Safeguards and Security.

7.2.1. Business Associate shall use safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI and other confidential data and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of the information other than as provided for by this Addendum and the BAA. Such safeguards shall be, at a minimum, at Federal Information Processing Standards (FIPS) Publication 199 protection levels. Business Associate shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of Subpart C of 45 C.F.R. Part 164, in compliance with 45 C.F.R. § 164.316. Business Associate shall maintain a comprehensive written information privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the Business Associate’s operations and the nature and scope of its activities.

7.2.2. Business Associate shall, at a minimum, utilize an industry-recognized security framework when selecting and implementing its security controls, and shall maintain continuous compliance with its selected framework as it may be updated from time to time. Examples of industry-recognized security frameworks include but are not limited to:

7.2.2.1. NIST SP 800-53 - National Institute of Standards and Technology Special Publication 800-53
7.2.2.2. FedRAMP - Federal Risk and Authorization Management Program
7.2.2.3. PCI - PCI Security Standards Council
7.2.2.4. ISO/IEC 27002 - International Organization for Standardization / International Electrotechnical Commission standard 27002
7.2.2.6. IRS PUB 1075 - Internal Revenue Service Publication 1075

Appears in 2 contracts

Sources: Business Associate Agreement, Business Associate Agreement

Safeguards and Security.

7.2.1. Business Associate shall use safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI and other confidential data and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of the information other than as provided for by this Addendum and the Agreement. Such safeguards shall be, at a minimum, at Federal Information Processing Standards (“FIPS”) Publication 199 protection levels. Business Associate shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of Subpart C of 45 C.F.R. Part 164, in compliance with 45 C.F.R. § 164.316. Business Associate shall maintain a comprehensive written information privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of Business Associate’s operations and the nature and scope of its activities.

7.2.2. Business Associate shall, at a minimum, utilize an industry-recognized security framework when selecting and implementing its security controls, and shall maintain continuous compliance with its selected framework as it may be updated from time to time. Examples of industry-recognized security frameworks include but are not limited to:

7.2.2.1. NIST SP 800-53 - National Institute of Standards and Technology Special Publication 800-53
7.2.2.2. FedRAMP - Federal Risk and Authorization Management Program
7.2.2.3. PCI - PCI Security Standards Council
7.2.2.4. ISO/IEC 27002 - International Organization for Standardization / International Electrotechnical Commission standard 27002
7.2.2.6. IRS PUB 1075 - Internal Revenue Service Publication 1075

Appears in 2 contracts

Sources: Business Associate Agreement, Professional Services Agreement

Safeguards and Security.

7.2.1. Business Associate shall use safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI and other confidential data and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of the information other than as provided for by this Addendum and the Agreement. Such safeguards shall be, at a minimum, at Federal Information Processing Standards (“FIPS”) Publication 199 protection levels. Business Associate shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of Subpart C of 45 C.F.R. Part 164, in compliance with 45 C.F.R. § 164.316. Business Associate shall maintain a comprehensive written information privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of Business Associate’s operations and the nature and scope of its activities.

7.2.2. Business Associate shall, at a minimum, utilize an industry-recognized security framework when selecting and implementing its security controls, and shall maintain continuous compliance with its selected framework as it may be updated from time to time. Examples of industry-recognized security frameworks include but are not limited to:

7.2.2.1. NIST SP 800-53 - National Institute of Standards and Technology Special Publication 800-53
7.2.2.2. FedRAMP - Federal Risk and Authorization Management Program
7.2.2.3. PCI - PCI Security Standards Council
7.2.2.4. ISO/IEC 27002 - International Organization for Standardization / International Electrotechnical Commission standard 27002
7.2.2.6. IRS PUB 1075 - Internal Revenue Service Publication 1075

Appears in 2 contracts

Sources: Professional Services Agreement, Professional Services Agreement