Common use of Use and Disclosure of PHI Clause in Contracts

Use and Disclosure of PHI. Business Associate agrees not to Use or Disclose PHI except:

2.1.1. To provide Services required by the Underlying Agreement provided that to the extent Business Associate is to carry out any of Covered Entity's obligations under 45 C.F.R. 164 Subpart E, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in performing such obligations;

2.1.2. To satisfy its obligations under this BAA;

2.1.3. For the proper management and administration of Business Associate or to carry out its legal responsibilities when: (i) such Disclosure is Required by Law, provided that Business Associate shall not, without the prior written consent of Covered Entity, Disclose any PHI on the basis that such disclosure is Required by Law without notifying Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief. If Covered Entity objects to such disclosure, Business Associate shall refrain from disclosing the PHI until Covered Entity has exhausted all alternatives for relief. Business Associate shall require reasonable assurances from persons receiving PHI in accordance with this Section hereof that such persons will provide Covered Entity with similar notice and opportunity to object before disclosing PHI on the basis that such disclosure is Required by Law; or Business Associate obtains written confirmation from the person to whom the PHI is being Disclosed that: (i) such person will hold the PHI confidentially; (ii) such person will not Use or Disclose such PHI except as Required by Law or for the purpose(s) for which Business Associate Disclosed it to them, and (iii) such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.

2.1.4. To the extent permitted in the Underlying Agreement or otherwise approved in writing by Covered Entity, Business Associate may Use PHI to provide Data Aggregation services to Covered Entity relating to the Health Care Operations of Covered Entity provided, however, that Business Associate may not disclose PHI to any other party in connection with such Data Aggregation activities without the express written permission of Covered Entity.

Appears in 6 contracts

Sources: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement

Use and Disclosure of PHI. Except as otherwise permitted by this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). Business Associate shall in such cases:

2.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement;

2.1.2 obtain reasonable assurances, in writing from the person or entity to whom the PHI is being disclosed that: (i) the PHI will be held in confidence and further used and disclosed only as required by law or for the purpose for which it was disclosed to the person or entity; and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; and

2.1.3 agree to notify the Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules or HITECH Act.

Appears in 4 contracts

Sources: Participating Practice Agreement, Participating Practice Agreement, Participating Gainsharing Agreement

Use and Disclosure of PHI.

(i) Except as otherwise limited in this Agreement, Licensed-Only Agent may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Company as specified in the Licensed-Only Agent Agreements, provided that such use or disclosure would not violate the HIPAA Privacy & Security Rules if done by Company or the minimum necessary policies and procedures of Company. Company has the right to amend this Agreement at any time with respect to permitted uses and disclosures by Licensed-Only Agent.

(ii) To the extent Licensed-Only Agent is to carry out one or more of Company’s obligations under Subpart E of 45 C.F.R. Part 164, Licensed-Only Agent agrees to comply with the requirements of Subpart E that apply to the Company in the performance of such obligations.

(iii) Licensed-Only Agent may use or disclose PHI as required by law.

(iv) Licensed-Only Agent shall not use or disclose, and shall ensure that its directors, officers, employees, agents, and subcontractors do not use or disclose, PHI in any manner that would constitute a violation of the HIPAA Privacy Rule or the HITECH Act if done by Company, except that Licensed-Only Agent may use and disclose PHI as permitted under the HIPAA Privacy Rule for the proper management and administration of Licensed-Only Agent or to carry out the legal responsibilities of Licensed-Only Agent, provided that disclosures are: (a) required by law or (b) Licensed-Only Agent obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it is disclosed to the person, and the person notifies Licensed-Only Agent of any instances of which it is aware in which the confidentiality of the information has been breached.

(v) Except as otherwise limited in this Agreement, Licensed-Only Agent may use or disclose PHI to provide Data Aggregation services relating to the health care operations of the Company if such services are required under the Licensed-Only Agent Agreements.

(vi) Licensed-Only Agent shall neither use nor disclose PHI for the purpose of creating de-identified information that will be used for any purpose other than as directed by Company to carry out the obligations of Licensed-Only Agent set forth in this Agreement or the applicable Licensed-Only Agent Agreements, or as required by law.

Appears in 3 contracts

Sources: Licensed Only Agent Agreement, Licensed Only Agent Agreement, Licensed Only Agent Agreement

Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI:

Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract.

Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this Contract. See 45 CFR 164.514 (d)(2) through (d)(5).

Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose PHI as necessary to perform the services specified in this Contract or as required by law, and shall not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below.

Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached.

Impermissible Use or Disclosure of PHI. Business Associate shall report to DSHS in writing all Uses or disclosures of PHI not provided for by this Contract within one (1) business day of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident of which it becomes aware. Upon request by DSHS, Business Associate shall mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.

Appears in 2 contracts

Sources: Services Agreement, Services Agreement

Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI:

Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized Use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PHI is within its possession and control, even after the termination or expiration of this Contract.

Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this Contract. See 45 CFR 164.514 (d)(2) through (d)(5).

Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose PHI as necessary to perform the services specified in this Contract or as required by law, and shall not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below.

Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached.

Impermissible Use or Disclosure of PHI. Business Associate shall report to DOC in writing all Uses or disclosures of PHI not provided for by this Contract within one (1) business day of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident of which it becomes aware. Upon request by DOC, Business Associate shall mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.

Appears in 2 contracts

Sources: Contract, Contract

Use and Disclosure of PHI. Manager may use and disclose individually identifiable protected health information (“PHI”) (as defined in HIPAA), whether or not maintained or transmitted by “Electronic Media” (as defined in HIPAA), only as required to satisfy its obligations under this Agreement, as permitted herein, or required by law, but shall not otherwise use or disclose any PHI. Manager shall not and shall ensure that its employees, contractors and agents do not use or disclose PHI received from PA or a PC in any manner that would constitute a violation of the “Privacy Standards” (as defined in HIPAA) if so used or disclosed by PA or a PC, except that Manager may use or disclose PHI (i) for Manager’s proper management and administrative services, (ii) to carry out the legal responsibilities of Manager, or (iii) to provide data aggregation services relating to the health care operations of PA or the PCs if required under this Agreement, provided that any disclosure for such purposes shall be either required by law or to a recipient who has agreed (a) to maintain the confidentiality of such PHI and only further use or disclose it as required by law or for the purposes for which it was disclosed to the recipient, and (b) to notify Manager in the event the confidentiality of such PHI is breached. Manager may de-identify PHI pursuant to the specific requirements of HIPAA; any PHI that is fully de-identified pursuant to HIPAA shall no longer be considered PHI. Manager hereby acknowledges that, as between Manager and PA or the PCs, all PHI shall be and remain the sole property of PA or the applicable PC, including any and all forms thereof developed by Manager in the course of its fulfillment of its obligations pursuant to this Agreement. Manager further represents that, to the extent Manager requests that PA or a PC disclose PHI to Manager, such a request is only for the minimum necessary PHI for the accomplishment of Manager’s purpose. To the extent Manager is to carry out PA’s or a PC’s obligations under the privacy provisions of HIPAA, Manager shall comply with such provisions under HIPAA in performing such obligation.

Appears in 2 contracts

Sources: Services Agreement (Teladoc, Inc.), Services Agreement (Teladoc, Inc.)

Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses or disclosures of PHI:

Duty to Protect PHI. Business Associate must protect PHI from, and will use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the Protection of Electronic Protected Health Information) with respect to ePHI, to prevent the unauthorized Use or disclosure of PHI for as long as the PHI is within its possession and control, even after the termination or expiration of this DSA.

Minimum Necessary Standard. Business Associate will apply the HIPAA Minimum Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this DSA. See 45 CFR 164.514 (d)(2) through (d)(5).

Disclosure as Part of the Provision of Services. Business Associate will only Use or disclose PHI as necessary to perform the services specified in this DSA or as required by law, and will not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses and disclosures set forth below.

Use for Proper Management and Administration. Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

Disclosure for Proper Management and Administration. Business Associate may disclose PHI for the proper management and administration of Business Associate, subject to HCA approval, or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached.

Impermissible Use or Disclosure of PHI. Business Associate must report to the contact identified in Subsection 12.1 in writing all Uses or disclosures of PHI not provided for by this DSA within five (5) business days of becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any Security Incident of which it becomes aware. Upon request by HCA, Business Associate will mitigate, to the extent practicable, any harmful effect resulting from the impermissible Use or disclosure.

Appears in 1 contract

Sources: Data Share Agreement

Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or as Required by Law, Business Associate shall not Use or Disclose PHI except as necessary, in its sole discretion, to provide services to or on behalf of Covered Entity, and shall not Use or Disclose PHI in a manner that would violate the Privacy Rule if Used or Disclosed by Covered Entity. Each such Use or Disclosure must either be Required By Law or in compliance with each applicable requirement of this Agreement, and Business Associate may not Use or Disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity; provided, however, Business Associate may Use and Disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, and for the Data Aggregation services described below.

Business Associate shall in such cases obtain reasonable assurances from the person or entity to whom the PHI is being Disclosed that: (a) the PHI will be held confidential and further Used and Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person or entity; and (b) the person or entity will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached. Business Associate may also Disclose PHI to a Subcontractor and may allow the Subcontractor to create, receive, maintain or transmit PHI on its behalf, if Business Associate obtains a written agreement with the Subcontractor in accordance with 45 CFR 164.504(e)(1)(i) and this Agreement that the Subcontractor will appropriately safeguard the information. Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B). Business Associate shall provide information to members of its workforce Using or Disclosing PHI regarding the requirements of the Privacy Rule, the Security Rule, and this Agreement.

Business Associate agrees to notify the designated Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is Used or Disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Privacy Rule or the Security Rule, or in which a Breach has occurred, within three (3) business days of becoming aware of the improper Use or Disclosure or Breach. Business Associate shall not Use or further Disclose PHI other than as permitted or required by this Agreement or as Required By Law. The parties acknowledge that applicable law requires Business Associate to Disclose PHI when required to do so by the Secretary to investigate Business Associate’s compliance with regulations promulgated under HIPAA or the HITECH Act, or to the Covered Entity, individual who is the subject of the PHI, or the individual’s designee, as necessary to satisfy Covered Entity’s obligations with respect to an individual’s request for an electronic copy of PHI.

Appears in 1 contract

Sources: Business Associate Agreement

Use and Disclosure of PHI. Business Associate agrees not to Use a) BUSINESS ASSOCIATE will hold and keep the PHI strictly confidential and use and/or disclose PHI only as required or Disclose permitted under the terms of the Contract and this Agreement. b) The BUSINESS ASSOCIATE may use and/or disclose the PHI except: 2.1.1. To provide Services required by the Underlying Agreement provided that to the extent Business Associate is to carry out any of Covered Entity's obligations under 45 C.F.R. 164 Subpart E, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in performing such obligations; 2.1.2. To satisfy its obligations under this BAA; 2.1.3. For for the proper management and administration of Business Associate the BUSINESS ASSOCIATE, or to carry out its the legal responsibilities when: (i) of the BUSINESS ASSOCIATE. However, such Disclosure is Required use and/or disclosure must be either required by Lawlaw or, provided that Business Associate shall not, without prior to making use of the prior written consent of Covered Entity, Disclose any PHI on the basis that such disclosure is Required by Law without notifying Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief. If Covered Entity objects to such disclosure, Business Associate shall refrain from or disclosing the PHI until Covered Entity has exhausted all alternatives for relief. 
Business Associate shall require PHI, the BUSINESS ASSOCIATE must obtain reasonable assurances from persons receiving PHI in accordance with this Section hereof that such persons will provide Covered Entity with similar notice and opportunity to object before disclosing PHI on the basis that such disclosure is Required by Law; or Business Associate obtains written confirmation assurance from the person to whom the PHI is being Disclosed thatwill be disclosed that the PHI: (i) such person will hold be held confidentially and used or further disclosed only as required by law or for the PHI confidentiallypurpose for which it was disclosed; and (ii) such the person will not Use or Disclose such PHI except as Required by Law or for to whom it is disclosed agrees to notify the purpose(s) for which Business Associate Disclosed it to them, and (iii) such person will notify Business Associate BUSINESS ASSOCIATE of any instances instance of which it the person is aware in which the confidentiality of the PHI has been breached. 2.1.4c) The BUSINESS ASSOCIATE may use the PHI to provide data aggregation services to the PRACTICE. Data aggregation means, with respect to PHI, the combining of the PHI by the BUSINESS ASSOCIATE with protected health information received by the BUSINESS ASSOCIATE in its capacity as a BUSINESS ASSOCIATE of another health care provider to permit data analysis that relates to the health care operations (excluding genetic information) of the PRACTICE and the other health care provider. d) To the extent permitted the BUSINESS ASSOCIATE is to carry out one or more of Practices obligation(s) under HIPAA Rules; comply with the requirements of Subpart E that apply to the PRACTICE in the Underlying Agreement or otherwise approved performance of such obligation(s). 
e) BUSINESS ASSOCIATE obligations and permitted uses of PHI are as follows: • Processing insurance claims • Scheduling appointments, electronic billing • Patient health information • EHR information f) BUSINESS ASSOCIATE will ensure that any agents, including subcontractors, to whom it provides in writing by Covered Entity, Business Associate may Use PHI to provide Data Aggregation services the same restrictions and conditions including but not limited to Covered Entity those relating to termination of the Health Care Operations of Covered Entity provided, howevercontract for disclosure, that Business Associate may not disclose PHI apply to BUSINESS ASSOCIATE with respect to such information. BUSINESS ASSOCIATE shall terminate any other party in connection agreement with an agent or subcontractor, if any, who fails to abide by such Data Aggregation activities without the express written permission of Covered Entityrestrictions and obligations.

Appears in 1 contract

Sources: Business Associate Agreement

Use and Disclosure of PHI. Business Associate agrees not to Use or Disclose PHI except: 2.1.1. To provide Services required by the Underlying Agreement provided that to the extent Business Associate is to carry out any of Covered Entity's obligations under 45 C.F.R. 164 Subpart E, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in performing such obligations; 2.1.2. To satisfy its obligations under this BAA; 2.1.3. For the proper management and administration of Business Associate or to carry out its legal responsibilities when: (i) such Disclosure is Required by Law, provided that Business Associate shall not, without the prior written consent of Covered Entity, Disclose any PHI on the basis that such disclosure is Required by Law without notifying Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief. If Covered Entity objects to such disclosure, Business Associate shall refrain from disclosing the PHI until Covered Entity has exhausted all alternatives for relief. Business Associate shall require reasonable assurances from persons receiving PHI in accordance with this Section hereof that such persons will provide Covered Entity with similar notice and opportunity to object before disclosing PHI on the basis that such disclosure is Required by Law; or Business Associate obtains written confirmation from the person to whom the PHI is being Disclosed that: (i) such person will hold the PHI confidentially; (ii) such person will not Use or Disclose such PHI except as Required by Law or for the purpose(s) for which Business Associate Disclosed it to them, and (iii) such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached. 2.1.4. 
To the extent permitted in the Underlying Agreement or otherwise approved in writing by Covered Entity, Business Associate may Use PHI to provide Data Aggregation services to Covered Entity relating to the Health Care Operations of Covered Entity provided, however, that Business Associate may not disclose PHI to any other party in connection with such Data Aggregation activities without the express written permission of Covered Entity.

Appears in 1 contract

Sources: Business Associate Agreement