New York City Health and Hospitals Corporation Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement"), effective ("Effective Date"), is entered into by and between , with principal place of business at ("Business Associate") and the New York City Health and Hospitals Corporation, with principal place of business at 125 Worth Street, New York, New York 10013 ("Covered Entity") (each a "Party" and collectively the "Parties").

Business Associate (which, for the purposes of this Business Associate agreement, includes its directors, officers, employees, and third party workforce) is a , and Covered Entity is a public be-nefit corporation providing health care. The Parties have agreement, effective , (the " Agreement") under which Business Associate may use, have access to, or disclose Protected Health In-formation ("PHI") or electronic protected health information ("ePHI") in its performance of the Services described below. Both Parties are committed to complying with the Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (hereinafter, the "HIPAA Regulations") and acknowledge the respective duties and obligations imposed on them by the privacy and security provisions of the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Title XIII, subtitle D, of the American Recovery and Reinvestment Act of 2009 ("ARRA"), codified at 42 U.S.C. з 17921 et seq. Citations herein to the Code of Federal Regulations refer to the HIPAA Privacy Regulations published on December 28, 2000 and amended on August 14, 2002 and the HIPAA Security Regulations published on February 20, 2003, and shall include all subsequent, updated, amended or revised provisions relating thereto. Terms not otherwise defined herein shall have the meanings ascribed to them in the HIPAA Regulations, including but not limited to 45 C.F.R. зз 160.103, 164.103, 164.304, 164.402, & 164.501 and as provided in the HITECH Act, 42 U.S.C. з 17921. References throughout this Agreement to PHI shall be deemed to include ePHI, where applicable. Unless otherwise noted, all references to PHI in this Agreement are to PHI that Business Associate, or its subcontractors or agents, receives from, creates for, has access to, or maintains or trans-mits on behalf of Covered Entity.

The Parties agree as follows:

1. PERMITTED USES AND DISCLOSURES OF PHI

1.1 Services. Pursuant to the Agreement, Business Associate provides services ("Services") for Covered Entity that may involve the use, access to, or disclosure of PHI.

1.2 Permitted Uses and Disclosures by Business Associate. Except as otherwise specified herein and pursuant to 42 U.S.C. з 17934, Business Associate may make any and all uses and disclosures of PHI necessary to perform its obligations under the Agreement, provided that such uses or disclosures would not violate the HIPAA Regulations if made by Covered Entity, which may include disclosure of PHI (i) to its employees, subcontractors, and agents, as set forth below, (ii) as directed by Covered Entity, or (iii) as otherwise permitted by the terms of this Agreement. All other uses and disclosures of PHI are prohibited. Unless otherwise limited herein, Business Associate may use PHI of Covered Entity for the following purposes:

a. Disclosure for Management, Administration. Business Associate may use or disclose PHI for proper management and administration of Business Associate as set forth in 45 C.F.R. з 164.504(e)(4).

b. Disclosure to Third Parties for Performance of Agreement. Subject to paragraph 2.1(d) below, Business Associate may disclose the PHI in its possession to third parties for the purpose of performing its duties under the Agreement and this Agreement. The third parties shall provide written assurances of their confidential handling of such PHI, which shall include adherence to the same restrictions and conditions on use and disclosure as apply to Business Associate herein.

c. As Required by Law/Legal Process. Business Associate may use or disclose PHI to ful-fill any present or future legal responsibilities of Business Associate, provided that the disclosures are (i) required by law, as defined in 45 C.F.R. з 164.103, or (ii) required to carry out the legal responsibilities of Business Associate, as provided in 45 C.F.R. з 164.504(e)(4). To the extent permitted by applicable law, prior to disclosing PHI as re-quired by law to a law enforcement, regulatory, administrative, or oversight agency, or in response to a subpoena, court order, civil investigative demand, or other compulsory doc-ument or lawful process, Business Associate shall notify Covered Entity of such pending disclosure and provide reasonable time for Covered Entity to oppose such disclosure, should Covered Entity deem such opposition necessary; provided, however, that if Co-vered Entity does not respond to Business Associate regarding such opposition prior to the date on which such disclosure must be timely made, Business Associate may, in its own discretion, disclose PHI as required by law or such lawful process.

d. Aggregation of Data. Business Associate may aggregate the PHI in its possession with the PHI of other covered entities and provide Covered Entity with data analyses relating to the Health Care Operations of Covered Entity in accordance with 45 C.F.R. з 164.504 (e)(2)(i)(B). Under no circumstances may Business Associate disclose PHI of Covered Entity to any other party or covered entity pursuant to this paragraph without the explicit authorization of Covered Entity.

e. Use of De-identified Data. Business Associate may de-identify PHI and utilize de-iden-tified PHI for purposes other than research, provided that Business Associate (i) de-iden-tifies the PHI pursuant to the HIPAA requirements set out in 45 C.F.R. з 164.514(b) and (ii) provides Covered Entity with appropriate documentation if required by 45 C.F.R. з 164.514(b)(1)(ii). De-identified information does not constitute PHI and, with the ex-ception of paragraph 1.2(f) below, is not subject to the terms of this Agreement.

f. Use of Data for Research Purposes. Business Associate agrees that it will obtain prior approval by Covered Entity for the use or disclosure of PHI or de-identified PHI for re-search purposes. Use or disclosure for research purposes that has not been approved by Covered Entity is strictly prohibited.

2. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PHI

2.1 Responsibilities of the Business Associate. With regard to the uses or disclosures of PHI per-mitted by this Agreement, Business Associate hereby agrees to the following:

PROTECTION OF PHI

a. Report Unauthorized Use. Business Associate agrees to notify Covered Entity of any use or disclosure of PHI by Business Associate, or its third party subcontractors or agents, in

violation of this Agreement of which Business Associate becomes aware. Business As-sociate shall make such notification in writing, to the individuals designated as contacts by Covered Entity in paragraph 5.6 below, within ten (10) business days of having been made aware of the unauthorized use or disclosure.

b. Safeguard PHI. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 to maintain the confidentiality and security of PHI, including ePHI, regardless of media (including written, oral, and electronic) and to pre-vent unauthorized use or disclosure of such PHI by implementing and maintaining appro-priate protection policies and procedures.

c. Mitigate. Business Associate agrees to mitigate, to the extent commercially reasonable, any harmful effects from any unauthorized use or disclosure of PHI by Business Associ-ate or its third party subcontractors or agents.

d. Bind Subcontractors and Agents. In accordance with 42 C.F.R. з 164.502(e)(1)(ii), Bus-iness Associate agrees to require all of its subcontractors and agents that receive, use, maintain, transmit, or have access to PHI under this Agreement to agree, in written satis-factory assurances that conform with 42 C.F.R. з 164.504(e)(5), to adhere to the same re-strictions, conditions, and requirements concerning the use or disclosure of PHI that are imposed by this Agreement on Business Associate with respect to such information.

e. Minimum Necessary Disclosure. In accordance with 45 C.F.R. з 164.502(b), Business Associate agrees to disclose to its subcontractors, agents, or other third parties, and to request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder.

f. Return or Destroy. Subject to paragraph 3.4 below, within thirty (30) days of the termi-nation of this Agreement, Business Associate agrees to return to Covered Entity or de-stroy the PHI in its possession and retain no copies (which for purposes of this Agree-ment shall mean destruction of all backup tapes or other media).

g. Breach Notification. In accordance with 42 U.S.C. з 17932(b)&(d) and 45 C.F.R. з 164.410, and subject to the possibility of delay afforded by 42 U.S.C. з 17932(g) and 45 C.F.R. з 164.412, Business Associate shall without unreasonable delay, and in no case later than sixty (60) days after discovery by Business Associate thereof, notify Covered Entity of any breach of Covered Entity&rsquos unsecured PHI. "Breach" as used in this paragraph shall have the meanings provided in 42 U.S.C. з 17921(1) and 45 C.F.R. з 164.402. If Business Associate finds that a breach has occurred, Business Associate shall provide Covered Entity with its analysis of the factors set out in 45 C.F.R. з 164.402(2)(i)-(iv), and all documentation in support thereof, for its determination that PHI has been compromised. If Business Associate finds that a breach has not occurred, in that an acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Regulations has taken place, has been reported to Covered Entity as required by paragraph 2.1(a) of this Agreement, but has been determined by Business Associate not to compromise the security or privacy of the PHI, Business Associate shall never-theless provide Covered Entity, within the applicable notification period specified above, with its analysis of the factors set out in 45 C.F.R. з 164.402(2)(i)-(iv), and all documen-tation in support thereof, for its determination that PHI has not been compromised.

h. Business Associate to Bear Costs Related to Breach. In the event a breach as described above in paragraph 2.1(g) has occurred, Business Associate shall reimburse Covered Entity for all costs incurred by Covered Entity directly related to providing the notice required by 42 U.S.C. з 17932 and 45 C.F.R. зз 164.404&164.406, including if applicable, but not limited to: written notice, substitute notice, additional notice in urgent situations, and notification to media.

i. Miscellaneous HITECH Provisions. Business Associate acknowledges applicability of the business associate contract requirements and additional security and privacy require-ments imposed by the HITECH Act upon Business Associate pursuant to 42 U.S.C. зз 17931 & 17934. Business Associate also acknowledges obligations imposed upon Busi-ness Associate and Covered Entity by 42 U.S.C. з 17935(d), and any implementing regu-lations thereunder, when effective and as applicable.

SECURITY REQUIREMENTS

j. Implement Safeguards. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, in-tegrity, and availability of the ePHI that it creates, receives, maintains, has access to, or transmits on behalf of Covered Entity. In accordance with зз 164.306, .308, .310, and .312 of the HIPAA Regulations, Business Associate shall:

(i) implement written policies, procedures and practices to provide the foregoing safeguards and furnish copies of same to Covered Entity, or permit Covered En-tity&rsquos access thereto, within 10 business days of Covered Entity&rsquos written request therefor;

(ii) within 10 business days of execution of this Agreement, provide to Covered Entity&rsquos Privacy Officer in writing the name of, and contact information for, Business Associate&rsquos designated HIPAA Security Officer;

(iii) comply with the HHS Office for Civil Rights&rsquo Guidance on Risk Analysis Requirements under the HIPAA Security Rule, and any modifications thereto, originally posted on the HHS/OCR Website on July 14, 2010.

k. Bind Subcontractors and Agents. Business Associate agrees to require all of its subcon-tractors and agents to which it provides ePHI to agree, in writing and in accordance with 45 C.F.R. з 164.504(e)(5), to implement reasonable and appropriate safeguards to pro-tect such ePHI.

l. Report Security Incident. Business Associate agrees to notify Covered Entity of any se-curity incident involving PHI experienced by Business Associate or its subcontractors and agents of which Business Associate becomes aware; provided, however, the Parties acknowledge and agree that this section 2.1(l) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. "Unsuccessful Security Incidents" means, without limitation, pings and other broadcast attacks on Business Associate&rsquos firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access to, use, or disclosure of PHI. Business Associate shall make such notification in writing, to the individuals designated as contacts by Covered Entity in pa-ragraph 5.6 below, within ten (10) business days of having been made aware of the se-

curity incident.

m. Application of HITECH Security Provisions. Pursuant to 42 U.S.C. з 17931, sections 164.308, 164.310, 164.312, and 164.316 of title 45 of the Code of Federal Regulations shall apply to Business Associate.

ACCESS AND AVAILABILITY OF PHI

n. Access for Viewing, Inspection, and Copying by Individual Subject of PHI. Business Associate agrees to make PHI, if maintained by Business Associate in a Designated Re-cord Set, available to Covered Entity for subsequent inspection and copying by the In-dividual subject thereof in accordance with applicable law (including, but not limited to, the HIPAA Regulations, 45 C.F.R. з 164.524).

o. Amendment by Subject of PHI. Upon written notice by Covered Entity, Business Asso-ciate agrees to make PHI, if maintained by Business Associate in a Designated Record Set, available within ten (10) business days to Covered Entity for subsequent amendment by the Individual subject thereof and incorporate any amendments to PHI in accordance with applicable law (including, but not limited to, the HIPAA Regulations, 45 C.F.R. з 164.526).

p. Access by the U.S. Department of Health and Human Services (HHS). Subject to attor-ney-client and any other applicable legal privileges, and pursuant to 45 C.F.R. з 164.504 (e)(2)(ii)(H), Business Associate agrees to make available to the Secretary of HHS all internal practices, books, and records relating to the use or disclosure of PHI so that HHS may determine Covered Entity&rsquos compliance with the HIPAA Regulations.

q. Access for Accounting Purposes. Business Associate agrees to document such disclo-sures of PHI, and information related to such disclosures, as would be required for Co-vered Entity to respond to a request by an Individual for an accounting of disclosures of PHI. Business Associate agrees to provide to Covered Entity, within ten (10) business days of receiving a request in writing therefrom, such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an Individual for an accounting of the disclosures of the Individual&rsquos PHI in accordance with 45 C.F.R. з 164.528.

r. Performance of Covered Entity&rsquos HIPAA Obligations by Business Associate. To the ex-tent, if any, that Business Associate is to carry out one or more of Covered Entity&rsquos obligations under Subpart E of 45 C.F.R. Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.

QUALIFIED SERVICE ORGANIZATIONS PROVISIONS

s. Business Associate Bound by 42 C.F.R. Part 2. Business Associate acknowledges that if it receives, stores, processes, has access to, maintains, or otherwise deals with any "pati-ent identifying information" or "records" as defined in 42 C.F.R. з 2.11 from an alco-hol/drug abuse "program," as defined in 42 C.F.R. з 2.11, that is federally assisted in a

manner described in 42 C.F.R. з 2.12(b), and that is operated by Covered Entity, Busi-ness Associate is fully bound by the federal regulations governing Confidentiality of Al-cohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.

t. Judicial Proceedings to Obtain Records Covered by 42 C.F.R. Part 2. Business Associ-ate agrees that it will resist in judicial proceedings any efforts to obtain access to "patient identifying information" or "records" as defined in 42 C.F.R. з 2.11 and as received, pro-cessed, stored, or maintained by Business Associate, other than as permitted by the fe-deral regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.

APPLICABILITY OF CERTAIN STATE CONFIDENTIALITY LAWS & REGULATIONS

u. New York State Confidentiality Laws & Regulations. Business Associate agrees to com-ply with all applicable state laws and regulations governing the confidentiality of in-formation provided by Covered Entity including, but not limited to, New York Public Health Law зз 18 (Access to Patient Information) & 2780 et seq. (Confidential HIV Re-lated Information); New York Mental Hygiene Law зз 22.05 (Patient Chemical Depen-dence Services Records) & 33.13 (Confidentiality of Clinical Records); New York Civil Rights Law з 79-l (Confidentiality of Genetic Test Records); and New York General Business Law зз 399-ddd (Confidentiality of Social Security Account Number), 399-h (Disposal of Records Containing Personal Identifying Information), & 899-aa (New York Breach Notification Statute).

v. Breach Notification Under New York Law. Pursuant to New York General Business Law з 899-aa(2)&(3) and in conformity with paragraph 2.1(a) of this Agreement, Busi-ness Associate shall, within ten (10) business days of discovery thereof, notify Covered Entity of any "breach of the security of the system," as defined in New York General Business Law з 899-aa(1)(c), that involves PHI containing individuals&rsquo "private informa-tion," as defined in New York General Business Law з 899-aa(1)(b), that was, or was reasonably believed to be, acquired from Business Associate by a person without valid authorization.

w. Business Associate to Bear Costs Related to Breach. Notwithstanding any other provi-sion of this Agreement to the contrary, Business Associate shall bear all costs related to its breach of private information under New York General Business Law з 899-aa, inclu-ding any and all applicable damages or losses identified in New York General Business Law з 899aa(6). In the event such breach has occurred, Business Associate shall reim-burse Covered Entity for all costs incurred by Covered Entity directly related to provi-ding the notice required by New York General Business Law з 899-aa(5), including if applicable, but not limited to: written notice, electronic notice, telephone notification, substitute notice, and notification to major statewide media.

x. Disposal of PHI Under New York Law. In the event Business Associate chooses to de-stroy the PHI in its possession in compliance with paragraphs 2.1(f) and 3.4 of this Agreement, and said PHI contains "personal identifying information" as defined in New York General Business Law з 399-h(1)(d), Business Associate shall dispose of such in-formation in conformity with New York General Business Law з 399-h(2).

2.2 Responsibilities of the Covered Entity. With regard to the use or disclosure of PHI by Busi-

ness Associate, Covered Entity hereby agrees as follows:

a. Inform Business Associate of Changes in Privacy Notice. Upon request, Covered Entity agrees to furnish Business Associate with a copy of the Notice of Privacy Practices that Covered Entity provides to Individuals pursuant to 45 C.F.R. з 164.520 and to inform Business Associate of any subsequent changes thereto, if such changes affect Business Associate&rsquos permitted or required uses and disclosures of PHI.

b. Inform Business Associate of Changes in Authorizations. Covered Entity agrees to in-form Business Associate of any changes in, or withdrawal of, any authorizations pro-vided to Covered Entity by Individuals in accordance with 45 C.F.R. з 164.508 and pur-suant to which Covered Entity has disclosed PHI to Business Associate, if such changes affect Business Associate&rsquos permitted or required uses and disclosures of PHI.

c. Inform Business Associate of Opt-out Election. Covered Entity agrees to inform Busi-ness Associate of any opt-outs exercised by any Individual from marketing or fundraising activities of Covered Entity pursuant to 45 C.F.R. з 164.514(f), if such opt-outs affect Business Associate&rsquos permitted or required uses or disclosures of PHI.

d. Notify Business Associate of Additional Limitations. Covered Entity agrees to notify Business Associate, in writing and in a timely manner, of any arrangements permitted or required of Covered Entity under 45 C.F.R. parts 160 and 164 that may affect in any manner the use or disclosure of PHI by Business Associate under this Agreement, inclu-ding, but not limited to, restrictions on use or disclosure of PHI agreed to by Covered En-tity as provided for in 45 C.F.R. з 164.522.

e. Miscellaneous HITECH Provisions. Covered Entity acknowledges applicability of the additional privacy and security requirements imposed by the HITECH Act upon Covered Entity pursuant to 42 U.S.C. з 17921 et seq.

3. TERM AND TERMINATION

3.1 Term. This Agreement shall become effective on the Effective Date and shall continue in effect until all obligations of the Parties have been met, unless terminated as provided in this section 3. In ad-dition, certain provisions and requirements of this Agreement shall survive its expiration or other termi-nation in accordance with paragraph 5.1 herein.

3.2 Termination by the Parties. Pursuant to 45 C.F.R. з 164.504(e) and 42 U.S.C. з 17934(b), the Parties hereby acknowledge and agree that in the event one party has or obtains substantial and credible evidence that the other party has violated a material term of this Agreement, non-breaching party shall have the right to investigate such violation, and breaching party shall reasonably cooperate with non-breaching party with respect to such investigation. In the event of a material breach, non-breaching party shall: (i) provide breaching party with written notice of the existence of a material breach; and (ii) afford breaching party an opportunity to cure said material breach within thirty (30) days of receipt of non-breaching party&rsquos written notice. As provided for in 45 C.F.R. з 164.504(e)(2)(iii), failure to cure is grounds for the immediate termination by non-breaching party of this Agreement and any related agreements without penalty or recourse to non-breaching party. Termination of this Agreement by either party shall be in writing.

3.3 Automatic Termination. This Agreement will automatically terminate without any further ac-tion of the Parties upon the termination or expiration of the Agreement.

3.4 Effect of Termination. Upon the event of termination pursuant to this section 3, Business As-sociate agrees to return or destroy all PHI pursuant to 45 C.F.R. з 164.504(e)(2)(ii)(J), if it is feasible to do so. Prior to doing so, Business Associate further agrees to recover any PHI in the possession of its subcontractors or agents. If it is not feasible for Business Associate to return or destroy said PHI, Busi-ness Associate shall notify Covered Entity in writing within thirty (30) days of the termination of this Agreement. Said notification shall include: (i) a statement that Business Associate has determined that it is not feasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such deter-mination. Business Associate further agrees to extend any and all protections, limitations, and restric-tions contained in this Agreement to Business Associate&rsquos use or disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the PHI infeasible. If it is not feasible for Business Associate to obtain from sub-contractors or agents any PHI in the possession of subcontractors or agents, Business Associate shall pro-vide a written explanation to Covered Entity and require subcontractors and agents to agree to extend any and all protections, limitations, and restrictions contained in this Agreement to subcontractors&rsquo or agents&rsquo use or disclosure of any PHI retained after termination of this Agreement, and to limit any further uses or disclosures to the purposes that make return or destruction of the PHI infeasible.

4. INDEMNIFICATION

4.1 Indemnification. Business Associate agrees to indemnify, defend, and hold harmless Covered Entity and Covered Entity&rsquos employees, directors, trustees, officers, agents or other members of its work-force against all losses suffered by Covered Entity, and all liability to third parties, arising from or in connection with any material breach of this Agreement by Business Associate or its employees, directors, officers, subcontractors, agents, or other members of its workforce. Accordingly, Business Associate shall reimburse Covered Entity for any and all losses, liabilities, fines, penalties, costs, or expenses (in-cluding reasonable attorneys&rsquo fees) that may for any reason be imposed upon Covered Entity by reason of any suit, claim, action, proceeding, or demand by any third party that results from such material breach by Business Associate hereunder. Covered Entity hereby represents that it shall be responsible for the acts or omissions of its officers, employees, agents and contracted affiliates in connection with this Agreement. Such representation is based upon and limited to the obligation of the City of New York to defend, indemnify, and hold harmless Covered Entity, its officers, employees, agents and contracted affiliates from any and all liability and damages arising from or in connection with the provision and de-livery of health services. The Parties and their subcontractors or agents shall not be liable to each other under this Agreement for any special, incidental, indirect, punitive, or consequential damages, whether based on breach of contract, warranty, tort, or product liability, and whether or not the Parties have been advised of the possibility of such damages. The Parties&rsquo obligations under this paragraph shall survive the expiration or termination of this Agreement for any reason.

5. MISCELLANEOUS

5.1 Survival. The respective rights and obligations of Business Associate and Covered Entity under the provisions of paragraphs 2.1 (Responsibilities of the Business Associate, solely with respect to PHI Business Associate retains in accordance with paragraph 3.4 where it is not feasible to return or destroy

such PHI), 3.4 (Effect of Termination), 4.1 (Indemnification), 5.3 (No Third Party Beneficiaries), and 5.9 (Governing Law) shall survive termination of this Agreement indefinitely.

5.2 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A wai-ver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. Notwithstanding the foregoing, in order to ensure that this Agreement at all times remains consistent with applicable law regarding use and disclosure of PHI (including, but not limited to, the HIPAA Regulations, the HITECH Act, and the provisions of federal and New York Law cited in paragraphs 2.1(s)-(x) herein), the Parties agree that this Agreement may be amended from time to time upon written notice from one Party to the other Party requesting such amendment, and with the sub-sequent written agreement of the other Party, as to the revisions required to make this Agreement con-sistent with applicable law.

5.3 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective suc-cessors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

5.4 Interpretation. To the extent that any terms or provisions of this Agreement are ambiguous, such terms or provisions shall be interpreted to allow the Parties to comply with the HIPAA Regulations, the HITECH Act and its implementing regulations, and, where applicable, with the federal and New York State laws and regulations cited in paragraphs 2.1(s)-(x) of this Agreement.

5.5 Effect. The terms and provisions of this Agreement shall supersede any other conflicting or in-consistent terms and provisions in the Agreement, including all documents incorporated therein by reference and all exhibits or other attachments thereto.

5.6 Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail or overnight courier to such Party&rsquos address given below, or via facsimile to the facsimile telephone numbers, if any, listed below. Notice shall be deemed given three (3) business days after depositing into U.S. Mail pos-tage prepaid, the next business day if sent by overnight courier, and the same day if sent by facsimile.

If to Business Associate, to:

Phone: Fax:

With a copy, which shall not constitute notice, to:

Phone: Fax:

If to Covered Entity, to:

Phone: Fax:

With a copy, which shall not constitute notice, to:

HIPAA Privacy Officer

New York City Health and Hospitals Corporation

160 Water Street, 11th Floor

New York, New York 10038

Phone: (646) 458-3727 Fax: (646) 458-5624

Each Party named above may change its address and that of its representative for notice by the giving of notice thereof in the manner hereinabove provided.

5.7 Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.

5.8 Integration. This Agreement embodies and constitutes the entire agreement and understanding between the Parties with respect to the subject matter hereof, supersedes all prior oral or written agree-ments, commitments, and understandings pertaining to the subject matter hereof, and applies with full force and effect to any PHI remaining in Business Associate&rsquos possession that is subject to the survival provision of any previous business associate agreement between the Parties.

5.9 Governing Law.

a. Any action, claim, dispute, or litigation (each hereafter referred to as "action") regarding performance, non-performance, breach, or interpretation of this Agreement or otherwise

arising out of or relating to this Agreement shall be governed by the laws of the State of New York.

b. Any action of whatever nature commenced by or asserted against Covered Entity arising out of or relating to this Agreement shall be brought, heard, and determined exclusively in the City of New York, in the county within the City of New York in which the cause of action arose or, if the cause of action arose outside the City of New York, in the County of New York.

c. If for any reason any action arising out of or related to this Agreement is removed from a court, the venue of which is described in paragraph 5.9(b), to the jurisdiction of a court of the United States, such action shall be heard and determined exclusively in a court of the United States located in the State of New York and the County of New York.

IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf:

NEW YORK CITY

HEALTH AND HOSPITALS CORPORATION

By: ____________________________________

Date: _____________________