
090 401

HIPAA Standards and Practices


Privacy of Patient Records - STANDARD

This clinic is committed to treating patients with respect. Information of a personal nature with which the Institute has been entrusted in the course of treatment, referred to here as protected health information (PHI), will be kept confidential, consistent with the rule of law and the standards of professional practice. In particular, these Standards and Practices are intended to assure that the treatment services of this clinic are in all cases performed in compliance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Privacy of Patient Records - PRACTICE

1. Written files containing PHI must be secured in locked cabinets when not in use. The primary storage cabinets for these files should be housed in a locked room or in an area away from public access. Computerized PHI must be maintained in a secure database with access limited by passwords and/or log-on codes as appropriate. Computer screens should be positioned to assure that unauthorized persons are unable to view PHI. All staff having access to PHI must exercise discretion when using PHI in conversations.

2. A Notice of Privacy Practices, accompanied by the Practices Regarding Disclosure of Patient Health Information notice, will be provided to patients at registration with specific information regarding the handling of PHI. The patient will be asked to acknowledge receipt of the information in writing, and such acknowledgement will be kept on file for six years.

3. Patients will be asked to indicate on the HIPAA Notice of Privacy Practices form if any discretion is necessary when being contacted to remind them of their scheduled appointment via their home telephone. Contact and address information will be routinely verified as part of scheduling office visits to assure current patient information.

4. PHI may be used routinely for treatment, payment, and quality monitoring activities. In addition, PHI may be used or disclosed without an individual's written authorization in the following circumstances:
   - Uses and disclosures required by law
   - Uses and disclosures for public health activities
   - Disclosures about victims of abuse, neglect or domestic violence
   - Disclosures for judicial and administrative proceedings
   - Disclosures for law enforcement purposes
   - Uses and disclosures about decedents
   - Uses and disclosures for cadaver organ, eye or tissue donation purposes
   - Uses and disclosures to avert a serious threat to health or safety
   - Disclosures for workers' compensation

5. Patients have a right to request restrictions on the use and disclosure of their PHI, although this clinic is not required to agree with the requested restrictions. Requests should be submitted by the patient on a Restriction Request Form. The patient's practitioner and the Clinic Administrator will confer about such requests. Their decision to comply with or deny the requested restriction should be documented on the form, with one copy kept on file and another returned to the patient. The agreement will be binding except in emergency situations, and may be terminated upon notifying the individual, or if the individual consents to or requests termination. Requests that are denied may be appealed to the Administrator/Practitioner.

6. State law pertaining to parent/guardian authorization takes precedence over the HIPAA requirements in #5 above governing requests for restrictions on disclosure. Where state law is silent, practitioners may use common sense to make decisions to release PHI to parents or guardians of minors.

7. Non-routine requests for PHI must be approved by the Clinic Administrator, and may require specific authorization by the patient. An individual's authorization to disclose PHI should be submitted on the Disclosure Request Form, specifying the information being requested for disclosure, the recipient of the information, expiration date, a statement of the patient's right to revoke, and dated signature. Professional judgment should be used to limit disclosure to the minimum necessary information needed to accomplish the purpose specified in the authorization. Minimum necessary does not apply to health care providers providing treatment to a mutual patient. A request for disclosure of PHI may be denied by the Clinic Administrator for extreme reasons, such as information that may endanger life or well-being.

8. Individuals can request an account of PHI disclosures made by this clinic in the six years prior to the request. Accounting does not need to include disclosures of PHI in the following instances:
   - For treatment, payment, and health care operations
   - To the individual
   - To persons involved in the individual's care
   - For national security or intelligence purposes
   - To correctional institutions or law enforcement officials
   - Information accrued prior to the HIPAA compliance date

9. In some circumstances, PHI may be used once it has been stripped of all elements that could potentially identify the individual who is the subject of the protected information. Identifiers that must be stripped include:
   - Name
   - All address information
   - eMail addresses
   - Dates (except year)
   - Social Security Number
   - Medical record numbers
   - Health plan beneficiary numbers
   - Account numbers
   - Certificate numbers
   - License numbers
   - Vehicle identifiers
   - Facial photographs
   - Telephone numbers
   - Device identifiers
   - URLs
   - IP addresses
   - Biometric identifiers
   - Zip code (if the geographic unit includes fewer than 20,000)
   - Any other unique identifying number, characteristic, or code that in the judgment of the health care provider could be used alone or in combination with other information to identify an individual who is a subject of the information

10. This clinic must act on requests for on-site review of PHI within 30 days of receipt, and 60 days otherwise. Upon prior approval from the individual, fees may be applied to the cost of copying, mailing, and summary preparation where the cost is significant. By law, individuals do not have the right to access the following PHI:
   - Psychotherapy notes
   - Information pertaining to criminal, civil, or administrative actions
   - PHI lawfully prohibited from release because it is subject to or exempted from Clinical Laboratory Improvements Amendments (CLIA)
   - Information created by someone other than the provider or given to the provider under a promise not to release

11. Patients have a right to be involved in amending their PHI, and should be informed of that right in the Notice of Privacy Practices. Requests to amend information must be submitted in writing to the Clinic Administrator, along with the reason for the amendment, and responded to within 60 days of receipt. On receipt of a request, the Clinic Administrator will consult with the patient's practitioner. If the amendment is granted, this clinic will notify the individual and, to the extent possible, all parties who received the un-amended information. For denied requests, the Clinic Administrator will provide the individual with timely written notice explaining the reason for denial and his or her right to appeal to the Administrator/Practitioner. Amendment documentation must be retained for six years.

12. Circumstances where individuals do not have amendment rights include:
   - Information not created by the health care provider (unless the patient claims the originator of the PHI is no longer available to amend)
   - The PHI is not part of the designated record set
   - The PHI was unavailable for inspection
   - The PHI is accurate and complete

13. The Administrator/Practitioner shall be the designated Privacy Official, with responsibility for developing and implementing HIPAA privacy policies and procedures and for monitoring changes in the law in order to update any relevant policies. The Clinic Administrator shall be responsible for maintaining current copies of policies and procedures, keeping accurate records of HIPAA compliance, and shall be the primary contact person to respond to inquiries relating to internal privacy practices.

14. The Clinic Administrator has the responsibility to train staff in these policies and procedures and to document this training in the employee's personnel files. New staff should be trained in these policies and procedures within 30 days of hire, and will be required to sign the Employee Agreement Form. Minor infractions of these policies and procedures should be addressed with a verbal warning and viewed as an opportunity to educate. Gross infractions of policies and procedures are subject to disciplinary action, up to and including termination of employment.

15. Organization(s) not directly involved with patient care but having access to PHI must sign a Business Associate Contract upon initial contracting or at contract renewal. The Administrator/Practitioner will assure that these contracts are implemented. Examples of such organizations may include building maintenance and janitorial services, data managers, and financial auditors, to the extent they have access to PHI.

16. Complaints from patients regarding the handling of their PHI should be submitted in writing to the Clinic Administrator, who should attempt to resolve the complaint in a timely fashion. The Clinic Administrator will document all complaints received in a separate complaint file and track the disposition of these complaints. Should the patient not be satisfied with how his or her complaint was resolved, an appeal can be submitted in writing to the Administrator/Practitioner, who should provide an unbiased opinion within 30 days of the appeal. Outcomes of any complaints or appeals should be documented in writing, a copy furnished to the individual, and the documentation of the review must be retained for six years.

17. Personnel of this clinic are expected to act objectively when interacting with patients about the administration of HIPAA requirements. Staff are not permitted to intimidate, threaten, coerce, discriminate, or retaliate against any patient who chooses to exercise his or her rights under these privacy regulations. This clinic may not condition treatment, payment, or eligibility for any benefits by pressing an individual to waive his or her right to file a complaint with the Department of Health and Human Services.

18. Minor changes in these standards and practices that do not materially affect the content of the Notice of Privacy Practices may be made at any time. The date of the form can be determined by referencing the last section of the form number. Substantive changes will be documented by the Administrator/Practitioner, implemented with a new form number date, and updates communicated to all individuals who are currently in treatment. Each revision will be chronicled in a volume for referencing changes, and shall be accessible to the treatment center for a period of 6 years from its effective date.

19. State law that is more stringent (i.e. provides more protection for the individual) than HIPAA takes precedence over the federal legislation. In situations where the HIPAA regulations are more stringent, or state law is unclear, HIPAA governs state law.

20. A patient wishing to file a complaint or appeal with the Secretary of DHHS will be provided contact information and advised of the 180-day time frame for filing complaints. All workforce personnel shall fully cooperate with the investigation of any complaint or appeal. Currently the Office of Civil Rights is the division of DHHS that is handling complaints:

   Office for Civil Rights
   U.S. Department of Health and Human Services
   200 Independence Avenue, S.W.
   Room 509F, HHH Building
   Washington, D.C. 20201
   OCR Hotlines-Voice: 1 (800) 368-1019

Copyright OMclinic, LLC. All rights reserved. www.omclinic.org

090 401

HIPAA Security
Individual Patient Identifiable Health Information must be kept secure and confidential at all times, whether stored or transmitted electronically. Information may be in physical form (i.e. paper, charts) or digital format. This document describes steps to keep confidential information secure.
HIPAA Security requirements are subdivided into the following seven categories:

1. Employees
2. Computer
3. Agreements
4. Faxes
5. eMail
6. Patient Records
7. Emergencies

Employees
1. The training in the security policies related to the individual job description of each employee.
2. The procedures to be followed and completed at the termination of the workforce (it must include the return of all keys and revocation of any and all computer access).
3. Medical information and their transcriptions and how to keep them secure.
4. Janitorial staff (limited access to work and medical files and the areas where these are stored).

Computer
1. Each person must have a user name (Login).
2. Password (changed every 60 days, between 6-9 characters).
3. You will need to maintain a user log (who used the computer and when; include this in your Compliance Manual).
4. You will need to have a Virus Protection Program.
5. The computer will need to be in a secure area out of view of publicly accessible areas.
6. You will need a firewall in your computer program.
7. You will need to store your backup material in a remote (i.e., not in your office) protected area.
8. You will need to use only authorized or licensed software.
9. There will need to be documentation maintained so ID could be audited.
10. You will need an emergency plan covering the protection of the computer records.
11. There must be a procedure for workforce termination and the revocation of computer access.
12. After business hours access should be limited.
13. Auto log off password screen saver.
14. Backup records must be stored in a safe protected area.
15. You may need a program to digitize signatures.

Agreements
This section concerns your clinic agreements with any outside business entity that may advertently or inadvertently have access to Patient Private Health information, such as computer technical support companies, cleaning companies, etc. A business associate agreement for each such company must be included in your compliance manual.

Faxes
If your office transmits anything by a facsimile machine you will need to:
- Make sure your fax machine is in a secure area (out of view from patients).
- Have all faxes relating to patient records stamped confidential.
- Maintain a log of faxes sent and received.
- Have an identifiable header on each sheet sent from your office.
- Have a confidential statement on the bottom of each fax that includes any private patient information.
- Have an electronic-digitized signature.

Copy of Fax Confidentiality Notice:

The information contained in this facsimile document is confidential and may have Clinic-Patient privileged information that is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received the facsimile in error please immediately notify us by phone or return the original message to us at the address above via the postal service. Thank you.

eMail
- They must contain a confidentiality statement (formal policy for transfers of Patient Health Information outside the office).
- The workforce must be trained in a procedure for handling emails.

Model Confidentiality Notice to be included in emails:

The information contained in this electronic message may contain protected health information confidential under applicable law, and is intended only for the use of the individual or entity named above. If you are a recipient of this message and are not the intended recipient, you are hereby notified that any dissemination, copy or disclosure of this communication is strictly prohibited. If you have received this communication in error, please notify (your office name, address and phone) and purge the communication immediately without making any copy or distribution.

Patient Records
- Protection against unauthorized access, tampering or theft.
- Maintained in an orderly manner that electronically or physically allows for auditing.
- There must be a policy and procedure for long-term storage.
- No patient file is to be left unattended or open to any unauthorized workforce or individuals.

Emergencies
- Patient Health Information must be protected during and after emergency events.
- Procedures to identify, document, monitor and respond to security.
- Report suspicious computer network activity to appropriate authority.

090 401

HIPAA Notice of Privacy Practices


This notice, and the accompanying Practices Regarding Disclosure of Patient Health Information notice, describe how health information about you may be used and disclosed, and how you can get access to your health information. Please review this information carefully.
Understanding your health record
A record is made each time you visit this clinic. Your symptoms, the practitioner's judgments, and a plan of treatment are recorded. This record serves as a basis for planning your care and treatment at future visits, and also serves as a means of communication among other health professionals who may contribute to your care. Understanding what information is retained in your record and how that information may be used will assist you to ensure it is accurate and make informed decisions about who, what, when, where, and why others may be allowed access to your health information.

Understanding your health information rights
Your health record is the physical property of this clinic, but the content is about you, and therefore belongs to you. You have the right to review or obtain a paper copy of your health record, and to request that appropriate amendments be made to your health record. You have the right to request restrictions on certain uses and disclosures of your information, to authorize disclosure of the record to others, and be given an account of those disclosures. Other than activity that has already occurred, you may revoke any further authorizations to use or disclose your health information. Should we need to contact you, you have the right to request communication by alternate means or to alternate locations.

Clinic responsibilities
This clinic is required to maintain the privacy of your health information and to provide you with this notice of our privacy practices. We are required to follow the terms of this notice and to notify you if we are unable to grant your request to disclose or restrict disclosure of your health information to others. This clinic reserves the right to change its practices and promises to make a good faith effort to notify you of any changes. Other than for the reasons described in this notice, this clinic agrees not to use or disclose your health information without your authorization.

TO RECEIVE ADDITIONAL INFORMATION OR REPORT A PROBLEM, you may contact this clinic. If you believe your privacy rights have been violated, you have the right to file a complaint with us and/or with the U.S. Secretary of Health and Human Services with no fear of retaliation by this office.

I, (please print name):
have received a copy of this Notice of Privacy Practices and the accompanying Practices Regarding Disclosure of Patient Health Information. I understand my health information will be used and disclosed consistent with these Notices.

Client/Patient Signature:
Date:

Discretion Request
In accordance with HIPAA, you may indicate if any discretion is necessary when being contacted to remind you of your scheduled appointment via your home telephone.

Please use discretion when contacting me by phone: No / Yes
If yes, explain:

Signature of Witness:
Date:

090 401

HIPAA Practices Regarding Disclosure of Patient Health Information


Your health information will be routinely used for treatment, payment, and quality-monitoring, and your consent, or the opportunity to agree or object, is not required in these instances:

Treatment
Information obtained by your practitioner at this clinic will be entered in your record and used to plan the course of treatment. Your health information may be shared with others involved in your care or providing consultation about your treatment. Your practitioner's own expectations and those of others involved in your care may also be recorded.

Payment
Your record will be used to receive payment for services rendered by this clinic. A bill may be sent to either you or a third-party payer with accompanying documentation that identifies you, your diagnosis and/or practitioner's impressions, and procedures performed.

Quality Monitoring
The staff in this office will use your health information to assess the care you received and compare your treatment outcome to others. Your information may be reviewed for risk management or quality improvement purposes in our efforts to continually improve the quality and effectiveness of the care and services we provide.

In addition, the following disclosures are required by law and do not require your consent:

Food and Drug Administration (FDA)
This office is required by law to disclose health information to the FDA related to any adverse effects of food, supplements, products, and product defects for surveillance to enable product recalls, repairs, or replacements.

Workers' Compensation
This office will release information to the extent authorized by law in matters of workers' compensation.

Public Health
This office is required by law to disclose health information to public health and/or legal authorities charged with tracking reports of birth and morbidity. This office is further required by law to report communicable disease, injury, or disability.

Law Enforcement
1. Your health information will be disclosed in response to a valid subpoena for law enforcement purposes, as required under state or federal law.
2. In the event that a staff member or business associate of this office believes in good faith that one or more patients, workers, or the general public are endangered due to suspected unlawful conduct of a practitioner or violations of professional or clinical standards, provisions of federal law permit the disclosure of your health information to appropriate health oversight agencies, public health authorities, or attorneys.

It is this clinic's practice to consider the following as routine uses and disclosures for which specific authorization will not be requested. You have the right to request restrictions on these uses. Otherwise, this clinic will request your authorization whenever disclosure of personal health information is necessary to parties other than those referenced here.

Business Associates
Some or all of your health information may be subject to disclosure through contracts for services to assist this office in providing health care. To protect your health information, we require these business associates to follow the same standards held by this office through terms detailed in a written agreement.

Communications with Family
Using best judgment, a family member, close personal friend identified by you, personal representative, or other persons responsible for your care may be notified or given information about your care to assist them in enhancing your well-being or to confirm your whereabouts.

Marketing and Fundraising
This clinic may send information to you about treatment alternatives and other health-related benefits that you may find useful. This clinic may also contact you to request your charitable support in order to keep patient fees reasonable and provide for continuing practitioner training and research. Persons contacting you are employees of this clinic and will know only that you have been a patient but have no access to your medical records.

090 401

HIPAA Restriction Request

Last Name: First Name: MI: Date:

I understand that my health information is private and that use of my health information must be consistent with this clinic's Notice of Privacy Practices. I also understand that I am entitled to request restrictions on certain uses and disclosures of my health information. I wish to make the following request(s), and understand that each request may be approved or denied by the clinic administrator.

Restriction Request (1)

Client/Patient Signature: Date:
Restriction implemented / Restriction denied
Reason for denial:
Staff Signature: Date:

Restriction Request (2)

Client/Patient Signature: Date:
Restriction implemented / Restriction denied
Reason for denial:
Staff Signature: Date:

Restriction Request (3)

Client/Patient Signature: Date:
Restriction implemented / Restriction denied
Reason for denial:
Staff Signature: Date:

Restriction Request (4)

Client/Patient Signature: Date:
Restriction implemented / Restriction denied
Reason for denial:
Staff Signature: Date:

090 401

HIPAA Employee Agreement

Last Name: First Name: MI: Date:

This clinic considers the security and confidentiality of protected health information (PHI) a matter of high priority. Any employee that has access to patient medical files and information will be held responsible for safeguarding the information and maintaining strict confidentiality. In order to be granted access to PHI, you must agree unconditionally to the following standards:

- Respect the rules governing the use of PHI as outlined in the HIPAA Standards and Practices form, and only utilize that information as is necessary in the performance of duties.
- Do not remove PHI from where it is housed except in the performance of duties.
- Respect the procedures established by this clinic governing access to computerized PHI and do not release individually-assigned passwords or access codes to anyone, allow another access to this information under false pretenses, or utilize the passwords or access codes of others employed by this clinic.
- Respect the ownership of proprietary software by not making unauthorized copies for personal use.
- Advocate for improved security measures where necessary to prevent the unauthorized use of information stored physically or electronically by this clinic.
- Do not seek personal benefit or permit others to personally benefit from work-related access to PHI or the use of equipment available in the performance of duties.
- Protect the integrity of PHI by not including, or causing to be included, false, inaccurate, or misleading information.
- Handle, maintain, and dispose of patient PHI according to the policies established by this clinic.
- Do not divulge information that identifies PHI.
- Report any violation of this agreement.

I fully understand that the information I may have access to in the performance of my duties contains sensitive and confidential patient-specific details of treatment, payment and the health care operations of this clinic. By signing this agreement, I acknowledge the responsibility placed on me as an employee of this clinic and understand that my access to tangible and automated PHI is subject to the scrutiny of this clinic.

Employee Signature: Date:

Signature of Witness: Date:

090 401

HIPAA Disclosure Request

Last Name: First Name: MI: Date:

I understand that my health information is private and that use of my health information must be consistent with this clinic's Notice of Privacy Practices. I further understand that certain disclosures of my health information may only be provided by my written consent. I therefore make the following request, and understand I may revoke this consent at any time except to the extent that action has been taken in reliance on it.
I, request or authorize this clinic to disclose to (name of person or agency):

the following information (nature of disclosure):

for the purpose of (need for disclosure):



This consent expires automatically upon the following date, event or condition:

Client/Patient Signature:

Date:

Office Use Only


Disclosure implemented Disclosure denied Reason for Denial:

Staff Signature:

Date:

090 401

HIPAA Business Associate Contract


This contract is entered into (date): Between (hereinafter referred to as 'Business Associate'): And (hereinafter referred to as 'this clinic'). WITNESSETH

WHEREAS, this clinic will make available and/or transfer to Business Associate certain information, in conjunction with goods or services that are confidential and must be afforded special treatment and protection. WHEREAS, Business Associate will have access to and/or receive from this clinic certain information that can be used or disclosed only in accordance with this contract and the Department of Health and Human Services privacy regulations.
Agreement Terms & Conditions
C o p y r i g h t O M c l i n i c , L LC . A l l r i g h t s r e s e r v e d . w w w. o m c l i n i c . o r g

Term The term of this contract shall commence on this date and shall expire when all information provided by this clinic to Business Associate is destroyed or returned to this clinic. Specific Purpose The Business Associate shall be permitted to use and/or disclose information provided or made available from this clinic for the following specific purposes which are within the scope of the Business Associates representation of this clinic: Limitations On Use Or Disclosure Business Associate agrees to the limitations on use and disclosure as established under the terms of this contract and agrees to establish and maintain appropriate safeguards to prevent the use or disclosure of information. Business Associate will refrain from use or disclosure of the information provided or made available other than as expressly permitted or required under this contract. Permitted Use Or Disclosure Business Associate is permitted to use or disclose information if necessary to properly manage and/or administer its commerce or if required to carry out the legal responsibilities of Business Associate, provided the disclosure is required by law, and to provide data aggregation services relating to the health care operations of this clinic (defined by 45 C.R.R.164.501). Reports Of Improper Use Or Disclosure Business Associate agrees to immediately report to this clinic any and all discovery, use, or disclosure of information not specified in this contract. Subcontractors And Agents Business Associate agrees that any and all information provided or made available to its subcontractors or agents is subject to the approval of this clinic and that any third party agreement shall be executed under the same terms, conditions, and restrictions on the use and disclosure of information as agreed upon in this contract between this clinic and Business Associate. 
Rights Of Individuals To Access Information Business Associate hereby agrees to make available and provide individuals the right to access protected health information in accordance with 45 F.R.R. 164.524. An agreement to release information is subject to the terms of this contract, and Business Associate may use the same contract language substituting its name in place of this clinic, where appropriate. Business Associate agrees to cooperate in making protected health information available to individuals for amendment and agrees to document explicit modifications by the individual in accordance with 45 C.F.R. 164.526. Business Associate agrees to provide an account of protected health information disclosures to an individual in accordance with 45 C.F.R. 164.528.

Right To Access By The US Department Of Health And Human Services
Business Associate hereby agrees to make its internal practices, books, and records relating to the use or disclosure of information gained or received under the terms of this contract available to the Secretary or the Secretary's designee for the purpose of determining compliance with the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA).

Mitigation Procedures
Business Associate agrees to have procedures in place to alleviate, to the maximum extent practicable, any deleterious effects from the use or disclosure of protected health information in a manner contrary to the terms of this contract or according to the privacy regulations under the Health Insurance Portability and Accountability Act.

Sanction Procedures
Business Associate agrees to develop and implement a punitive course of action for its employees, subcontractors, or agents who violate the terms of this contract or the privacy regulations under the Health Insurance Portability and Accountability Act.

Property Rights
The shared information, including identified protected health information, shall be and remains the property of this clinic. Business Associate agrees that it acquires no title or rights to an individual's protected health information as a result of this contract.

Contract Termination
Business Associate agrees that this clinic has the right to immediately terminate the contract and seek relief under the disputes article if this clinic determines that Business Associate has violated a material term of this contract.

Return Or Destruction Of Information
Upon contract termination, Business Associate hereby agrees to return or destroy all information received or created on behalf of this clinic. Business Associate agrees not to retain any copies of the information after termination of contract. If return or destruction of the information is not feasible, Business Associate agrees to extend the protections outlined in this contract and agrees to limit all further use or disclosure. Business Associate agrees to provide this clinic with written authorization for destroyed information.

Grounds For Breach
Non-compliance by Business Associate with any terms of this contract or the privacy regulations under the Health Insurance Portability and Accountability Act will automatically be considered grounds for breach.

Disputes
Any controversy or claim arising from or relating to the terms defined under this contract is subject to settlement by compulsory arbitration in accordance with the Commercial Arbitration Rules of the American Arbitration Association, except for injunctive relief.



Injunctive Relief
Notwithstanding any rights or remedies provided for in this contract, this clinic retains all rights to seek injunctive relief to prevent or stop the unauthorized use or disclosure of information by Business Associate or any agent, contractor, or third party that received information from Business Associate.

Notices
Under the terms of this contract, either party shall be deemed as being given notice if mailed first class United States mail, postage prepaid, as follows:

For This Clinic
Contact Person:
Clinic:
Address:
City: State: ZipCode:
Phone:

For Business Associate
Contact Person:
Clinic:
Address:
City: State: ZipCode:
Phone:

Notification Of Change Of Address
This clinic or Business Associate may at any time change its address for notification purposes by mailing a notice stating the change and setting forth the new address.

Good Faith
The parties agree to exercise good faith in the performance of the contract.

Attorney Fees
Each party agrees to bear its own legal expenses and any other cost incurred for actions or proceedings brought about by the enforcement of this contract, or from an alleged dispute, breach, default, misrepresentation, or injunctive action associated with the provisions of this contract.

ENTIRE AGREEMENT
The terms of this contract consist of this document and constitute the entire agreement between the stated parties. The terms of this contract shall be binding on the parties. Neither party has the authority to reassign this agreement without the other's written consent.

IN WITNESS WHEREOF
This clinic and Business Associate have caused this contract to be signed and delivered by their duly authorized representatives:

For This Clinic
Date:
Signature:
Printed Name:
Title:

For Business Associate
Date:
Signature:
Printed Name:
Title:

Copyright OMclinic, LLC. All rights reserved. www.omclinic.org
