Common use of Use and Disclosure of PHI Clause in Contracts

Use and Disclosure of PHI. MMBS may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose PHI. MMBS shall not use or disclose PHI received from the Medical Practice in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent MMBS carries out any of the Medical Practice’s obligations under the HIPAA Privacy Rule, MMBS shall comply with the requirements of the HIPAA Privacy Rule that apply to the Medical Practice in the performance of such obligations. Without limiting the generality of the foregoing, MMBS is permitted to use or disclose PHI as set forth below: (a) MMBS may use PHI internally for MMBS’s proper management and administrative services or to carry out its legal responsibilities; (b) MMBS may disclose PHI to a third party for MMBS’s proper management and administration, provided that the disclosure is Required by Law or MMBS obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentially of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS of any instances of which the person is aware in which the confidentiality of the PHI has been breached; (c) MMBS may use PHI to provide Data Aggregation services as defined by HIPAA; and (d) MMBS may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS may use, create, sell, disclose to third parties and otherwise exploit de- identified health information for any purposes not prohibited by law. MMBS owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement.

Use and Disclosure of PHI. MMBS Cue may use and disclose PHI as permitted or required under this Agreement (including this Addendum) these Terms or as Required by Law, Law but shall not otherwise use or disclose any PHI. MMBS Cue shall not use or disclose PHI received from the Medical Practice Your Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice Your Covered Entity (except as set forth in Sections 2.1(a), (b) and (c) of this Addendumthese BA Terms). To the extent MMBS Cue carries out any of the Medical PracticeYour Covered Entity’s obligations under the HIPAA Privacy Ruleprivacy standards, MMBS Cue shall comply with the requirements of the HIPAA Privacy Rule privacy standards that apply to the Medical Practice Your Covered Entity in the performance of such obligations. Without limiting the generality of the foregoing, MMBS Cue is permitted to use or disclose PHI as set forth below: (a) MMBS i. Cue may use PHI internally for MMBSCue’s proper management and administrative services administration or to carry out its Cue’s legal responsibilities; (b) MMBS ii. Cue may disclose PHI to a third party for MMBS▇▇▇’s proper management and administration, provided that the disclosure is Required by Law or MMBS Cue obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will will (1) protect the confidentially confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS Your Covered Entity of any instances of which the person third party is aware in which the confidentiality of the PHI has been breached; (c) MMBS iii. Cue may use PHI to provide Data Aggregation services as defined by HIPAA; andrelating to the Health Care Operations of Your Covered Entity if required or permitted under these Terms; (d) MMBS iv. Cue may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS Cue may use, create, sell, use or disclose to third parties and otherwise exploit de- de-identified health information for any purposes not prohibited purpose permitted by law; v. Cue may submit PHI for reporting to federal, state, or local public health authorities when permitted or required; vi. MMBS owns all rightCue may use and disclose PHI to request an authorization, title consent or other form of permission from an Individual and interest may use and disclose PHI in accordance with any such de-identified health information permission obtained from an Individual; and vii. Cue may use and any datadisclose PHI (including, information without limitation, a Limited Data Set) for Research as permitted by HIPAA and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreementother applicable law.

Use and Disclosure of PHI. MMBS Cue may use and disclose PHI as permitted or required under this Agreement (including this Addendum) these Terms or as Required by Law, Law but shall not otherwise use or disclose any PHI. MMBS Cue shall not use or disclose PHI received from the Medical Practice Your Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice Your Covered Entity (except as set forth in Sections 2.1(a), (b) and (c) of this Addendumthese BA Terms). To the extent MMBS Cue carries out any of the Medical PracticeYour Covered Entity’s obligations under the HIPAA Privacy Ruleprivacy standards, MMBS Cue shall comply with the requirements of the HIPAA Privacy Rule privacy standards that apply to the Medical Practice Your Covered Entity in the performance of such obligations. Without limiting the generality of the foregoing, MMBS Cue is permitted to use or disclose PHI as set forth below: (a) MMBS i. Cue may use PHI internally for MMBSCue’s proper management and administrative services administration or to carry out its Cue’s legal responsibilities; (b) MMBS ii. Cue may disclose PHI to a third party for MMBSCue’s proper management and administration, provided that the disclosure is Required by Law or MMBS Cue obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will will (1) protect the confidentially confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS Your Covered Entity of any instances of which the person third party is aware in which the confidentiality of the PHI has been breached; (c) MMBS iii. Cue may use PHI to provide Data Aggregation services as defined by HIPAA; andrelating to the Health Care Operations of Your Covered Entity if required or permitted under these Terms; (d) MMBS iv. Cue may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS Cue may use, create, sell, use or disclose to third parties and otherwise exploit de- de-identified health information for any purposes not prohibited purpose permitted by law; v. Cue may submit PHI for reporting to federal, state, or local public health authorities when permitted or required; vi. MMBS owns all rightCue may use and disclose PHI to request an authorization, title consent or other form of permission from an Individual and interest may use and disclose PHI in accordance with any such de-identified health information permission obtained from an Individual; and vii. Cue may use and any datadisclose PHI (including, information without limitation, a Limited Data Set) for Research as permitted by HIPAA and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreementother applicable law.

Use and Disclosure of PHI. MMBS AASM may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose any PHI. MMBS AASM shall not use or disclose PHI received from the Medical Practice User in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice User (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent MMBS AASM carries out any of the Medical PracticeUser’s obligations under the HIPAA Privacy Ruleprivacy standards, MMBS AASM shall comply with the requirements of the HIPAA Privacy Rule privacy standards that apply to the Medical Practice User in the performance of such obligations. Without limiting the generality of the foregoing, MMBS AASM is permitted to use or disclose PHI as set forth below: (a) MMBS AASM may use PHI internally for MMBSAASM’s proper management and administrative services administration or to carry out its legal responsibilities;. (b) MMBS AASM may disclose PHI to a third party for MMBSAASM’s proper management and administration, provided that the disclosure is Required by Law or MMBS AASM obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will will (1) protect the confidentially confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS AASM of any instances of which the person third party is aware in which the confidentiality of the PHI has been breached;. (c) MMBS AASM may use PHI to provide Data Aggregation services as defined by HIPAA; andrelating to the Health Care Operations of User if required or permitted under this Agreement. (d) MMBS Business Associate may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS Business Associate may use, create, sell, disclose to third parties and otherwise exploit de- de-identified health information for any purposes not prohibited purpose permitted by law. MMBS owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement.

Use and Disclosure of PHI. MMBS gMed may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose PHI. MMBS gMed shall not use or disclose PHI received from the Medical Practice Client in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice Client (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent MMBS gMed carries out any of the Medical PracticeClient’s obligations under the HIPAA Privacy Rule, MMBS gMed shall comply with the requirements of the HIPAA Privacy Rule that apply to the Medical Practice Client in the performance of such obligations. Without limiting the generality of the foregoing, MMBS gMed is permitted to use or disclose PHI as set forth below: (a) MMBS gMed may use PHI internally for MMBSgMed’s proper management and administrative services or to carry out its legal responsibilities; (b) MMBS gMed may disclose PHI to a third party for MMBSgMed’s proper management and administration, provided that the disclosure is Required by Law or MMBS gMed obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentially of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS gMed of any instances of which the person is aware in which the confidentiality of the PHI has been breached; (c) MMBS gMed may use PHI to provide Data Aggregation services as defined by HIPAA; and (d) MMBS gMed may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS gMed under this Agreement, MMBS gMed may use, create, sell, disclose to third parties and otherwise exploit de- identified health information for any purposes not prohibited by law. MMBS gMed owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS gMed with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement.

Use and Disclosure of PHI. MMBS Modernizing Medicine may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose PHI. MMBS Modernizing Medicine shall not use or disclose PHI received from the Medical Practice in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent MMBS Modernizing Medicine carries out any of the Medical Practice’s obligations under the HIPAA Privacy Rule, MMBS Modernizing Medicine shall comply with the requirements of the HIPAA Privacy Rule that apply to the Medical Practice in the performance of such obligations. Without limiting the generality of the foregoing, MMBS Modernizing Medicine is permitted to use or disclose PHI as set forth below: (a) MMBS Modernizing Medicine may use PHI internally for MMBSModernizing Medicine’s proper management and administrative services or to carry out its legal responsibilities; (b) MMBS Modernizing Medicine may disclose PHI to a third party for MMBSModernizing Medicine’s proper management and administration, provided that the disclosure is Required by Law or MMBS Modernizing Medicine obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will will (1) protect the confidentially of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS Modernizing Medicine of any instances of which the person is aware in which the confidentiality of the PHI has been breached; (c) MMBS Modernizing Medicine may use PHI to provide Data Aggregation services as defined by HIPAA; and (d) MMBS Modernizing Medicine may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS Modernizing Medicine under this Agreement, MMBS Modernizing Medicine may use, create, sell, disclose to third parties and otherwise exploit de- de-identified health information for any purposes not prohibited by law. MMBS owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement.purposes

Use and Disclosure of PHI. MMBS Company may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose any PHI. MMBS Company shall not use or disclose PHI received from the Medical Practice Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice Covered Entity (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent MMBS Company carries out any of the Medical PracticeCovered Entity’s obligations under the HIPAA Privacy Rule, MMBS Company shall comply with the requirements of the HIPAA Privacy Rule PrivacyRule that apply to the Medical Practice Covered Entity in the performance of such obligations. Without limiting the generality of the foregoing, MMBS Company is permitted to use or disclose PHI as set forth below: (a) MMBS Company may use PHI internally for MMBSCompany’s proper management and administrative services administration or to carry out its legal responsibilities;. (b) MMBS Company may disclose PHI to a third party for MMBSCompany’s proper management and administration, provided that the disclosure is Required by Law or MMBS Company obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will will (1) protect the confidentially of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS Company of any instances of which the person is aware in which the confidentiality of the PHI has been breached;. (c) MMBS Company may use PHI to provide Data Aggregation services as defined by HIPAA; andrelating to the Health Care Operations of Covered Entity if required or permitted under this Agreement. (d) MMBS Business Associate may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS Business Associate may use, create, sell, disclose to third parties and otherwise exploit de- de-identified health information for any purposes not prohibited purpose permitted by law. MMBS owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement.

Use and Disclosure of PHI. MMBS Subcontractor may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose any PHI. MMBS Subcontractor shall not use or disclose PHI received from the Medical Practice in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice Service Company or the Covered Entities (except as set forth in Sections 2.1(a), (b) and (c) of this AddendumAgreement). To the extent MMBS Subcontractor carries out any of Business Associate’s or the Medical Practice’s Covered Entities’ obligations under the HIPAA Privacy Ruleprivacy standards, MMBS Subcontractor shall comply with the requirements of the HIPAA Privacy Rule privacy standards that apply to the Medical Practice Service Company or the Covered Entities (as applicable) in the performance of such obligations. Without limiting the generality of the foregoing, MMBS Subcontractor is permitted to use or disclose PHI as set forth below: (a) MMBS Subcontractor may use PHI internally for MMBSSubcontractor’s proper management and administrative services or to carry out its legal responsibilities; (b) MMBS Subcontractor may disclose PHI to a third party for MMBSthe Subcontractor’s proper management and administration, provided that the disclosure is Required by Law or MMBS Subcontractor obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will will (1) protect the confidentially confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI it was disclosed to the third party and (3) notify MMBS the Service Company of any instances of which the person third party is aware in which the confidentiality of the PHI has been breached; (c) MMBS Subcontractor may use PHI to provide Data Aggregation services as defined by HIPAA; andrelating to the Health Care Operations of the Service Company or the Covered Entities if required or permitted under this Agreement; (d) MMBS Subcontractor may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS Subcontractor may use, create, sell, disclose to third parties and otherwise exploit de- de-identified health information for any purposes not prohibited purpose permitted by law. MMBS owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS with such de-identified health information. For ; and (e) Subcontractor may use PHI about an Individual to request the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration Individual’s authorization to use or earlier termination of this Agreementdisclose PHI.

Use and Disclosure of PHI. MMBS may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose PHI. MMBS shall not use or disclose PHI received from the Medical Practice in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent MMBS carries out any of the Medical Practice’s obligations under the HIPAA Privacy Rule, MMBS shall comply with the requirements of the HIPAA Privacy Rule that apply to the Medical Practice in the performance of such obligations. Without limiting the generality of the foregoing, MMBS is permitted to use or disclose PHI as set forth below: (a) MMBS may use PHI internally for MMBS’s proper management and administrative services or to carry out its legal responsibilities; (b) MMBS may disclose PHI to a third party for MMBS’s proper management and administration, provided that the disclosure is Required by Law or MMBS obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will will (1) protect the confidentially of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS of any instances of which the person is aware in which the confidentiality of the PHI has been breached; (c) MMBS may use PHI to provide Data Aggregation services as defined by HIPAA; and (d) MMBS may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS may use, create, sell, disclose to third parties and otherwise exploit de- de-identified health information for any purposes not prohibited by law. MMBS owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement.

Use and Disclosure of PHI. MMBS Cue may use and disclose PHI as permitted or required under this Agreement (including this Addendum) these Terms or as Required by Law, Law but shall not otherwise use or disclose any PHI. MMBS Cue shall not use or disclose PHI received from the Medical Practice Your Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice Your Covered Entity (except as set forth in Sections 2.1(a), (b) and (c) of this Addendumthese BA Terms). To the extent MMBS Cue carries out any of the Medical PracticeYour Covered Entity’s obligations under the HIPAA Privacy Ruleprivacy standards, MMBS Cue shall comply with the requirements of the HIPAA Privacy Rule privacy standards that apply to the Medical Practice Your Covered Entity in the performance of such obligations. Without limiting the generality of the foregoing, MMBS Cue is permitted to use or disclose PHI as set forth below: (a) MMBS i. Cue may use PHI internally for MMBSCue’s proper management and administrative services or to carry out its legal responsibilities;administration or (b) MMBS ii. Cue may disclose PHI to a third party for MMBS▇▇▇’s proper management and administration, provided that the disclosure is Required by Law or MMBS Cue obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will will (1) protect the confidentially confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS Your Covered Entity of any instances of which the person third party is aware in which the confidentiality of the PHI has been breached; (c) MMBS iii. Cue may use PHI to provide Data Aggregation services as defined by HIPAA; andrelating to the Health Care Operations of Your Covered Entity if required or permitted under these Terms; (d) MMBS iv. Cue may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS Cue may use, create, sell, use or disclose to third parties and otherwise exploit de- de-identified health information for any purposes not prohibited purpose permitted by law; v. Cue may submit PHI for reporting to federal, state, or local public health authorities when permitted or required; vi. MMBS owns all rightCue may use and disclose PHI to request an authorization, title consent or other form of permission from an Individual and interest may use and disclose PHI in accordance with any such de-identified health information permission obtained from an Individual; and vii. Cue may use and any datadisclose PHI (including, information without limitation, a Limited Data Set) for Research as permitted by HIPAA and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreementother applicable law.

Use and Disclosure of PHI. MMBS Business Associate may use and disclose PHI as permitted or required under the Terms of Use, this Agreement (including this Addendum) or BAA and as Required by Law, but shall not otherwise use or disclose any PHI. MMBS Business Associate shall not use or disclose PHI received from the Medical Practice Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice Covered Entity (except as set forth in Sections 2.1(a), (b) and (c) of this AddendumBAA). To the extent MMBS Business Associate carries out any of the Medical PracticeCovered Entity’s obligations under the HIPAA Privacy Ruleprivacy standards, MMBS Business Associate shall comply with the requirements of the HIPAA Privacy Rule privacy standards that apply to the Medical Practice Covered Entity in the performance of such obligations. Without limiting the generality of the foregoing, MMBS Business Associate is permitted to use or disclose PHI as set forth below: (a) MMBS Business Associate may use PHI internally for MMBS’s its proper management and administrative services or to carry out its legal responsibilities; (b) MMBS Business Associate may disclose PHI to a third party for MMBSBusiness Associate’s proper management and administration, provided that the disclosure is Required by Law or MMBS Business Associate obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentially confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS Business Associate of any instances of which the third person is aware in which the confidentiality of the PHI has been breached;; and (c) MMBS Business Associate may use PHI to provide Data Aggregation services as defined by HIPAA; and (d) MMBS may use PHI HIPAA and to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS under this Agreement, MMBS may use, create, sell, disclose to third parties and otherwise exploit de- identified health information for any purposes not prohibited by law. MMBS owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement.

Use and Disclosure of PHI. MMBS Company may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose PHI. MMBS Company shall not use or disclose PHI received from the Medical Practice Client in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice Client (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent MMBS Company carries out any of the Medical PracticeClient’s obligations under the HIPAA Privacy Rule, MMBS Company shall comply with the requirements of the HIPAA Privacy Rule that apply to the Medical Practice Client in the performance of such obligations. Without limiting the generality of the foregoing, MMBS Company is permitted to use or disclose PHI as set forth below: (a) MMBS Company may use PHI internally for MMBSCompany’s proper management and administrative services or to carry out its legal responsibilities; (b) MMBS Company may disclose PHI to a third party for MMBSCompany’s proper management and administration, provided that the disclosure is Required by Law or MMBS Company obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentially of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS Company of any instances of which the person is aware in which the confidentiality of the PHI has been breached; (c) MMBS Company may use PHI to provide Data Aggregation services as defined by HIPAA; and; (d) MMBS Company may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS Company under this Agreement, MMBS Company may use, create, sell, disclose to third parties and otherwise exploit de- commercialize de-identified health information for any purposes not prohibited by law. MMBS Company owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS Company with such de-identified health information. For the avoidance of doubt, the second and third sentences of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement; (e) Company may use and disclose PHI to develop, create, improve, update or otherwise change currently contracted for or new products and services for Client and other customers of Company; (f) Company may use and disclose PHI for purposes of obtaining an authorization to use and disclose PHI or any other permission from an individual and (g) Company may use and disclose PHI for Research purposes as permitted by applicable law.

Use and Disclosure of PHI. MMBS TSI may use and disclose PHI as permitted or required under this BA Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose PHI. MMBS TSI shall not use or disclose PHI received from the Medical Practice End User in any manner that would constitute a violation of HIPAA if so used or disclosed by the Medical Practice End User (except as set forth in Sections 2.1(a1.1(b), (bc), (d) and (ce) of this AddendumBA Agreement). To the extent MMBS TSI carries out any of the Medical PracticeEnd User’s obligations under the HIPAA Privacy Rule, MMBS TSI shall comply with the requirements of the HIPAA Privacy Rule that apply to the Medical Practice End User in the performance of such obligations. Without limiting the generality of the foregoing, MMBS TSI is permitted to use or disclose PHI as set forth below: (a) MMBS TSI and its Subcontractors may use and disclose PHI to carry out TSI’s duties and obligations and exercise their rights under the ▇▇▇▇. (b) TSI and its Subcontractors may use PHI internally for MMBSTSI’s or the Subcontractor’s proper management and administrative services or to carry out its their legal responsibilities; (bc) MMBS TSI and its Subcontractors may disclose PHI to a third party for MMBSTSI’s or the Subcontractor’s proper management and administration, provided that the disclosure is Required by Law or MMBS TSI or the Subcontractor, as applicable, obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentially of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify MMBS notify, as applicable, TSI or the Subcontractor of any instances of which the person is aware in which the confidentiality of the PHI has been breached; (cd) MMBS TSI and its Subcontractors may use PHI to provide Data Aggregation services as defined by HIPAAservices; and (de) MMBS TSI and its Subcontractors may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of MMBS TSI under this Agreementthe ▇▇▇▇, MMBS TSI may use, create, sell, disclose to third parties and otherwise exploit de- de-identified health information for any purposes not prohibited by law. MMBS owns all right, title and interest in such de-identified health information and any data, information and material created by MMBS with such de-identified health information. For the avoidance of doubt, the second and third sentences sentence of this Section 2.1(d1.1(e) shall survive the expiration or earlier termination of the ▇▇▇▇ or this BA Agreement.