The following privacy notice describes how producers may use and disclose your PHI for purposes of health care operations, and for other purposes that are permitted or required by law. PHI is information about you, including demographic information, that may identify you and that relates to your past, present or future physical condition and related health care services, or payment for health care services.

OBLIGATIONS AND ACTIVITIES OF PRODUCER

Producer shall:

A. Not use or disclose PHI other than as permitted or required by law; Except as otherwise limited, the producer may use or disclose PHI to perform functions, activities, or services for, or on behalf of the covered entity, provided that each use or disclosure would not violate the Privacy Rule. The producer must obtain reasonable assurances from any person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it is aware in which the confidentiality of the information has been breached.

B. Use appropriate safeguards to prevent use or disclosure of PHI other than as permitted or required by law. The producer shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI (e-PHI) that it creates, receives, maintains or transmits on behalf of the consumer.

C. Report to the covered entity immediately any use or disclosure of PHI not permitted or required by law of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware.

D. Notify the covered entity of a Breach of Unsecured PHI within 24 hours of the discovery of such Breach, followed by a report in writing, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. The producer’s written notification to the covered entity hereunder shall: a. Be made to the covered entity within 48 hours of the initial oral report, and b. Include the individual whose Unsecured PHI has been, or is reasonably believed to have been, the subject of a Breach.

E. In the event of an unauthorized use or disclosure of PHI or a Breach of unsecured PHI, the producer shall mitigate to the extent practicable any harmful effects of said disclosure that are known to it;

F. In accordance with 45 CFR 164.502(e)(l)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the producer agree to the same restrictions, conditions, and requirements that apply to the producer with respect to such information;

G. Within 7 days of request, make available PHI in a Designated Record Set to the covered entity as necessary to satisfy the covered entity’s obligations under 45 CFR 164.524;

H. Make any amendment to PHI in a Designated Record Set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy the covered entity’s obligations under 45 CFR 164.526;

I. Maintain and make available, within 7 days after a request for such information, the information required to provide an accounting of disclosures to the covered entity as necessary to satisfy the covered entity’s obligations under CFR 164.528;

J. To the extent the producer us to carry out one or more of the covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s);

K. With respect to any use, disclosure or request for PHI described in 45 CFR 502(b)(1), the producer shall limit the PHI to the extent practicable to the limited data set as defined in 45 CFR 164.514(e)(2) or, if needed, to the minimum necessary to accomplish the intended purpose of such use, disclosure or request;

L. Make its internal practices, books, and records available to the covered entity for purposes of determining compliance with the HIPAA Rules; and

M. The producer shall be directly responsible for full compliance with the relevant requirements of the Privacy Rule to the same extent as the covered entity.