Not use or disclose PHI other than as permitted or required by this Agreement or as required by law. Business Associate shall use and disclose PHI only to perform the Services for or on behalf of the Covered Entity, and in a manner consistent with the Covered Entity's minimum necessary standards.

Use appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate shall implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity, as required by 45 CFR Part 164, Subpart C.

• 256-bit SSL/TLS encryption for all PHI in transit
• Encryption at rest for all stored PHI
• Role-based access controls limiting PHI access to authorized personnel only
• Automatic session timeouts and audit logging
• Annual security risk assessments
• Employee HIPAA training and confidentiality agreements

Ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information, including through a written agreement no less protective than this Agreement.

Report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement, including Breaches of Unsecured PHI, without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach. Such notification shall include, to the extent possible:

• Identification of each individual whose PHI was or may have been affected
• Description of the Breach, including date of Breach and date of discovery
• Description of the types of PHI involved
• Steps the Business Associate is taking to investigate and mitigate the Breach
• Contact information for individuals with questions

Make available to the Covered Entity such information as is necessary to permit the Covered Entity to respond to requests by individuals for access to their PHI, in accordance with 45 CFR § 164.524. Business Associate shall provide access to PHI in a designated record set to the Covered Entity within 30 days of a request.

Make PHI available for amendment and incorporate any amendments to PHI as directed by the Covered Entity, in accordance with 45 CFR § 164.526.

Maintain and make available the information required to provide an accounting of disclosures of PHI, in accordance with 45 CFR § 164.528, for a period of six (6) years from the date of creation or last effective date, whichever is later.

Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity available to the U.S. Secretary of Health and Human Services for purposes of determining the Covered Entity's compliance with HIPAA.

Upon termination of this Agreement, at the option of the Covered Entity, return or destroy all PHI received from, or created or received by Business Associate on behalf of, the Covered Entity that the Business Associate still maintains in any form. Business Associate shall certify in writing that no PHI is retained after such return or destruction. If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

This Agreement shall be effective as of the date of last signature below ("Effective Date") and shall remain in effect until terminated by either party as provided in this Section, or until all PHI provided by the Covered Entity to Business Associate is destroyed or returned to the Covered Entity.

Either party may terminate this Agreement immediately if the other party materially breaches a provision of this Agreement and the breaching party fails to cure the breach within 30 days of written notice from the non-breaching party.

Either party may terminate this Agreement upon 60 days written notice to the other party.

Upon termination, Business Associate shall return or destroy all PHI as required by Section 2.9. Provisions of this Agreement that by their nature should survive termination shall survive, including obligations regarding breach notification, accounting, and PHI destruction.

This Agreement shall be governed by the laws of the State of Texas and applicable federal law, including HIPAA and the HITECH Act. Any dispute arising under this Agreement shall be resolved in Harris County, Texas.

This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, representations, and understandings of the parties.

This Agreement may be amended only by a written instrument signed by both parties. The parties agree to amend this Agreement as necessary to comply with changes in applicable law, including changes to HIPAA regulations.

Any reference in this Agreement to a section of HIPAA, the HITECH Act, or any other applicable regulation means the section currently in effect or as amended, and includes any guidance issued thereunder.

Each party agrees to indemnify and hold harmless the other party and its officers, directors, employees, and agents from and against any claims, liabilities, damages, and expenses (including reasonable attorneys' fees) arising from that party's breach of this Agreement or negligence.

Nothing in this Agreement shall confer any rights or remedies upon any person other than the parties and their respective successors and permitted assigns.