HIPAA Business Associate Agreement

THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ("Agreement") is between The State of Tennessee, Division of TennCare ("TennCare" or "Covered Entity"), located at 310 Great Circle Road, Nashville, TN 37243 and ("Business Associate"), located at , including all office locations and other business locations at which Business Associate data may be used or maintained. Covered Entity and Business Associate may be referred to herein individually as "Party" or collectively as "Parties."

BACKGROUND

The Parties acknowledge that they are subject to the Privacy and Security Rules (45 C.F.R. Parts 160 and 164) promulgated by the United States Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, and as amended by the final rule modifying the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (HITECH). If Business Associate provides services to Covered Entity pursuant to one or more contractual relationships, said Agreements are detailed below and hereinafter referred to as "Service Agreements."

LIST OF AGREEMENTS AFFECTED BY THIS HIPAA BUSINESS ASSOCIATE AGREEMENT:

In the course of performing services under a Service Agreement, Business Associate may come into contact with, use, or disclose Protected Health Information ("PHI"). Said Service Agreements are hereby incorporated by reference and shall be taken and considered as a part of this document the same as if fully set out herein. In accordance with the federal privacy and security rules and regulations set forth at 45 C.F.R.
Part 160 and Part 164, Subparts A, C, D and E, which require Covered Entity to have a written memorandum with each of its Business Associates, the Parties wish to establish satisfactory assurances that Business Associate will appropriately safeguard PHI that Business Associate may receive (if any) from or on behalf of Covered Entity, and, therefore, execute this Agreement.

1. DEFINITIONS

All capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined in 45 C.F.R. Parts 160 through 164 or other applicable law or regulation. A reference in this Agreement to a section in the Privacy or Security Rule means the section as in effect or as amended.

1.1 "Commercial Use" means obtaining PHI with the intent to sell, transfer or use it for commercial, or personal gain, or malicious harm; sale to third party for consumption, resale, or processing for resale; application or conversion of data to make a profit or obtain a benefit contrary to the spirit of this Agreement, including but not limited to presentation of data or examples of data in a conference or meeting setting where the ultimate goal is to obtain or gain new business.

1.2 "Confidential Information" shall mean any non-public, confidential or proprietary information, whether written, graphic, oral, electronic, visual or fixed in any tangible medium or expression, which is supplied by TennCare to the Business Associate under this Agreement.
Any information, whether written, graphic, oral, electronic, visual or fixed in any tangible medium or expression, relating to individuals enrolled in the TennCare program ("TennCare enrollees"), or relating to individuals who may be potentially enrolled in the TennCare program, which is provided to or obtained through the Business Associate's performance under this Agreement, shall also be treated as "Confidential Information" to the extent that confidential status is afforded such information under state and federal laws or regulations. All confidential information shall not be subject to disclosure under the Tennessee Public Records Act.

1.3 "Electronic Signature" means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

1.4 "Marketing" shall have the meaning under 45 C.F.R. § 164.501 and the act or process of promoting, selling, leasing or licensing any TennCare information or data for profit without the express written permission of TennCare.

2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE (Privacy Rule)

2.1 Compliance with the Privacy Rule. Business Associate shall fully comply with the requirements under the Privacy Rule applicable to "business associates," as that term is defined in the Privacy Rule and not use or further disclose PHI other than as permitted or required by this Agreement, the Service Agreements, or as required by law. In case of any conflict between this Agreement and the Service Agreements, this Agreement shall govern.

2.2 HITECH Act Compliance. The Health Information Technology for Economic and Clinical Health Act (HITECH) was adopted as part of the American Recovery and Reinvestment Act of 2009. HITECH and its implementing regulations impose new requirements on Business Associates with respect to privacy, security, and Breach notification.
Business Associate hereby acknowledges and agrees that to the extent it is functioning as a Business Associate of Covered Entity, Business Associate shall comply with any applicable provisions of HITECH. Business Associate and the Covered Entity further agree that the provisions of HIPAA and HITECH that apply to business associates and that are required to be incorporated by reference in a business associate agreement have been incorporated into this Agreement between Business Associate and Covered Entity. Should any provision not be set forth specifically, it is as if set forth in this Agreement in its entirety and is effective as of the Applicable Effective Date, and as amended.

2.3 Business Management. Business Associate may use and disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of Business Associate. Business Associate may provide data aggregation services relating to the Health Care Operations of TennCare, or as required by law. Business Associate is expressly prohibited from using or disclosing PHI other than as permitted by this Agreement, any associated Service Agreements, or as otherwise permitted or required by law, and is prohibited from uses or disclosures of PHI that would not be permitted if done by the Covered Entity.

2.4 Privacy Safeguards and Policies. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the Service Agreement(s), this Agreement or as required by law. This includes the implementation of Administrative, Physical, and Technical Safeguards to reasonably and appropriately protect the Covered Entity's PHI against any reasonably anticipated threats or hazards, utilizing the technology commercially available to the Business Associate (See also Section 3.2).
The Business Associate shall maintain appropriate documentation of its compliance with the Privacy Rule, including, but not limited to, its policies, and procedures, records of training and sanctions of members of its Workforce.

2.5 Business Associate Contracts. Business Associate shall require any agent, including a Subcontractor, to whom it provides PHI received from, maintained, created or received by Business Associate on behalf of Covered Entity, or that carries out any duties for the Business Associate involving the use, custody, disclosure, creation of, or access to PHI or other confidential TennCare information, to agree, by written agreement with Business Associate, to substantially similar, but not less stringent restrictions and conditions that apply through this Agreement to Business Associate with respect to such information except for the provision at section 4.6, which shall only apply to the Business Associate notwithstanding the requirements in this section 2.5.

2.6 Mitigation of Harmful Effect of Violations. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

2.7 Reporting of Violations in Use and Disclosure of PHI. Business Associate shall require its employees, agents, and Subcontractors to report to Business Associate immediately upon becoming aware of any use or disclosure of PHI in violation of this Agreement, and shall report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement. The Business Associate shall report such violation to Covered Entity immediately upon becoming aware of it, and in no case later than 48 hours after discovery.

2.8 Breach of Unsecured Protected Health Information.
As required by the Breach Notification Rule, Business Associate shall, and shall require its Subcontractor(s) to, maintain systems to monitor and detect a Breach of Unsecured PHI, whether in paper or electronic form.

2.8.1 Business Associate shall provide to Covered Entity notice of a Breach of Unsecured PHI immediately upon becoming aware of the Breach, and in no case later than 48 hours after discovery.

2.8.2 Business Associate shall cooperate with Covered Entity in timely providing the appropriate and necessary information to Covered Entity.

2.8.3 Covered Entity shall make the final determination whether the Breach requires notification to affected individuals and whether the notification shall be made by Covered Entity or Business Associate.

2.9 Access of Individual to PHI and other Requests to Business Associate. If Business Associate receives PHI from Covered Entity in a Designated Record Set, Business Associate agrees to provide access to PHI in a Designated Record Set to Covered Entity in order to meet its requirements under 45 C.F.R. § 164.524. If Business Associate receives a request from an Individual for a copy of the Individual's PHI, and the PHI is in the sole possession of the Business Associate, Business Associate will provide the requested copies to the Individual in a timely manner. If Business Associate receives a request for PHI not in its possession and in the possession of the Covered Entity, or receives a request to exercise other Individual rights as set forth in the Privacy Rule, Business Associate shall promptly forward the request to Covered Entity. Business Associate shall then assist Covered Entity as necessary in responding to the request in a timely manner. If a Business Associate provides copies of PHI to the Individual, it may charge a reasonable fee for the copies as the regulations shall permit.

2.10 Requests to Covered Entity for Access to PHI.
The Covered Entity shall forward to the Business Associate in a timely manner any Individual's request for access to or a copy (in any form they choose, provided the PHI is readily producible in that format) of their PHI that shall require Business Associate's participation, after which the Business Associate shall provide access to or deliver such information as follows:

(a) The Parties understand that if either Party receives a request for access to or copies of PHI from an Individual which the Party may complete with only its own onsite information, the time for such response shall be thirty (30) days, with notification to the Covered Entity upon completion.

(b) If the Covered Entity receives a request and requires information from the Business Associate in addition to the Covered Entity's onsite information to fulfill the request, the Business Associate shall have fifteen (15) days from date of Covered Entity's notice to provide access or deliver such information to the Covered Entity so that the Covered Entity may timely respond to the Individual within the thirty (30) day requirement of 45 C.F.R. § 164.524.

(c) If the Party designated above as responding to the Individual's request is unable to complete the response to the request in the time provided, that Party shall provide the Individual, or Individual's designee, with a written statement of the reasons for the delay and the date by which the Party will complete its action on the request. The Party may extend the response time once for no more than thirty (30) additional days.

(d) Business Associate is permitted to send an Individual or Individual's designee unencrypted emails including Electronic PHI if the Individual requests it, provided the Business Associate has advised the Individual of the risk and the Individual still prefers to receive the message by unencrypted email.

2.11 Individuals' Request to Amend PHI.
If Business Associate receives PHI from Covered Entity in a Designated Record Set, Business Associate agrees to make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526, regarding an Individual's request to amend PHI. The Business Associate shall make the amendment promptly in the time and manner designated by Covered Entity, but shall have thirty (30) days' notice from Covered Entity to complete the amendment to the Individual's PHI and to notify the Covered Entity upon completion.

2.12 Recording of Designated Disclosures of PHI. Business Associate shall document any and all disclosures of PHI by Business Associate or its agents, including information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

2.13 Accounting for Disclosures of PHI. The Business Associate agrees to provide to Covered Entity or to an Individual, or Individual's designee, in time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. The Covered Entity shall forward the Individual's request requiring the participation of the Business Associate to the Business Associate in a timely manner, after which the Business Associate shall provide such information as follows:

(a) If Covered Entity directs Business Associate to provide an accounting of disclosures of the Individual's PHI directly to the Individual, the Business Associate shall have sixty (60) days from the date of the Individual's request to provide access to or deliver such information to the Individual or Individual's designee.
The Covered Entity shall provide notice to the Business Associate in time to allow the Business Associate a minimum of thirty (30) days to timely complete the Individual's request.

(b) If the Covered Entity elects to provide the accounting to the Individual, the Business Associate shall have thirty (30) days from date of Covered Entity's notice of request to provide information for the Accounting to the Covered Entity so that the Covered Entity may timely respond to the Individual within the sixty (60) day period.

(c) If either of the Parties is unable to complete the response to the request in the times provided above, that Party shall notify the Individual with a written statement of the reasons for the delay and the date by which the Party will complete its action on the request. The Parties may extend the response time once for no more than thirty (30) additional days.

(d) The accounting of disclosures shall include at least the following information: (1) date of the disclosure; (2) name of the third party to whom the PHI was disclosed; (3) if known, the address of the third party; (4) brief description of the disclosed information; and (5) brief explanation of the purpose and basis for such disclosure.

(e) The Parties shall provide one (1) accounting in any twelve (12) months to the Individual without charge. The Parties may charge a reasonable, cost-based fee, for each subsequent request for an accounting by the same Individual if he/she is provided notice and the opportunity to modify his/her request. Such charges shall not exceed any applicable State statutes or rules.

2.14 Minimum Necessary. Business Associate shall use reasonable efforts to limit any use, disclosure, or request for use or disclosure of PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request in accordance with the requirements of the Privacy Rule.
2.14.1 Business Associate represents to Covered Entity that all its uses and disclosures of, or requests for, PHI shall be the minimum necessary in accordance with the Privacy Rule requirements.

2.14.2 Covered Entity may, pursuant to the Privacy Rule, reasonably rely on any requested disclosure as the minimum necessary for the stated purpose when the information is requested by Business Associate.

2.14.3 Business Associate shall adequately and properly maintain all PHI received from, or created or received on behalf of, Covered Entity.

2.15 Privacy Compliance Review upon Request. Business Associate agrees to make its internal practices, books and records, including policies, procedures, and PHI, relating to the use and disclosure of PHI received from, created by or received by Business Associate on behalf of Covered Entity available to the Covered Entity or to the Secretary of the United States Department of Health and Human Services or the Secretary's designee, in a time and manner designated by the requester, for purposes of determining Covered Entity's or Business Associate's compliance with the Privacy Rule.

2.16 Cooperation in Privacy Compliance. Business Associate agrees to fully cooperate in good faith and to assist Covered Entity in complying with the requirements of the Privacy Rule.

3. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE (Security Rule)

3.1 Compliance with Security Rule. Business Associate shall fully comply with the requirements under the Security Rule applicable to "Business Associates," as that term is defined in the Security Rule. In case of any conflict between this Agreement and Service Agreements, this Agreement shall govern.

3.2 Security Safeguards and Policies.
Business Associate shall implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the Security Rule. This includes specifically, but is not limited to, the utilization of technology commercially available at the time to the Business Associate to protect the Covered Entity's PHI against any reasonably anticipated threats or hazards. The Business Associate understands that it has an affirmative duty to perform a regular review or assessment of security risks, conduct active risk management and supply best efforts to assure that only authorized persons and devices access its computing systems and information storage, and that only authorized transactions are allowed. The Business Associate will maintain appropriate documentation of its compliance with the Security Rule.

3.3 Security Provisions in Business Associate Contracts. Business Associate shall ensure that any agent to whom it provides Electronic PHI received from, maintained, or created for Covered Entity or that carries out any duties for the Business Associate involving the use, custody, disclosure, creation of, or access to PHI supplied by Covered Entity, shall execute a bilateral contract (or the appropriate equivalent if the agent is a government entity) with Business Associate, incorporating substantially similar, but not less stringent restrictions and conditions in this Agreement with Business Associate regarding PHI except for the provision in Section 4.6.

3.4 Reporting of Security Incidents. The Business Associate shall track all Security Incidents as defined and as required by HIPAA and shall periodically report such Security Incidents in summary fashion as may be requested by the Covered Entity.
The Covered Entity shall not consider as Security Incidents, for the purpose of reporting, external activities (port enumeration, etc.) typically associated with the "footprinting" of a computing environment as long as such activities have only identified but not compromised the logical network perimeter, including but not limited to externally facing firewalls and web servers. The Business Associate shall reasonably use its own vulnerability assessment of damage potential and monitoring to define levels of Security Incidents and responses for Business Associate's operations. However, the Business Associate shall expediently notify the Covered Entity's Privacy Officer of any related Security Incident, immediately upon becoming aware of any unauthorized acquisition, including but not limited to use, disclosure, modification, or destruction of PHI by an employee or otherwise authorized user of its system.

3.4.1 Business Associate identifies the following key contact persons for all matters relating to this Agreement:

Business Associate shall notify Covered Entity of any change in these key contacts during the term of this Agreement in writing within ten (10) business days.

3.5 Contact for Security Incident Notice. Notification for the purposes of Sections 2.8 and 3.4 shall be in writing made by email/fax, certified mail or overnight parcel immediately upon becoming aware of the event, with supplemental notification by facsimile and/or telephone as soon as practicable, to:

TennCare Privacy Officer
310 Great Circle Rd.
Nashville, Tennessee 37243
Phone: (615) 507-6697
Facsimile: (615) 734-5289
Email: Privacy.Tenncare@tn.gov

3.6 Security Compliance Review upon Request.
Business Associate shall make its internal practices, books, and records, including policies and procedures relating to the security of Electronic PHI received from, created by or received by Business Associate on behalf of Covered Entity, available to the Covered Entity or to the Secretary of the United States Department of Health and Human Services or the Secretary's designee, in a time and manner designated by the requester, for purposes of determining Covered Entity's or Business Associate's compliance with the Security Rule.

3.7 Cooperation in Security Compliance. Business Associate shall fully cooperate in good faith to assist Covered Entity in complying with the requirements of the Security Rule.

3.8 Refraining from intimidation or retaliation. A Covered Entity or Business Associate may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any Individual or other person for: (a) filing of a complaint under 45 C.F.R. § 160.306; (b) testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing; or (c) opposing any act or practice made unlawful, provided the Individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of PHI in violation of HIPAA.

4. USES AND DISCLOSURES BY BUSINESS ASSOCIATE

4.1 Use and Disclosure of PHI for Operations on Behalf of Covered Entity. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform Treatment, Payment or Health Care Operations for, or on behalf of, Covered Entity as specified in Service Agreements, provided that such use or disclosure would not violate the Privacy and Security Rule, if done by Covered Entity.

4.2 Other Uses of PHI.
Except as otherwise limited in this Agreement, Business Associate may use PHI within its Workforce as required for Business Associate's proper management and administration, not to include Marketing or Commercial Use, or to carry out the legal responsibilities of the Business Associate.

4.3 Third Party Disclosure Confidentiality. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that disclosures are required by law, or, if permitted by law, this Agreement, and the Service Agreement, provided that, if Business Associate discloses any PHI to a third party for such a purpose, Business Associate shall enter into a written agreement with such third party requiring the third party to: (a) maintain the confidentiality, integrity, and availability of PHI and not to use or further disclose such information except as required by law or for the purpose for which it was disclosed, and (b) notify Business Associate of any instances in which it becomes aware in which the confidentiality, integrity, and/or availability of the PHI is Breached immediately upon becoming aware.

4.4 Other Uses Strictly Limited. Nothing in this Agreement shall permit the Business Associate to share PHI with Business Associate's affiliates or contractors except for the purposes of the Service Agreement(s) between the Covered Entity and Business Associate(s) identified in the "LIST OF AGREEMENTS AFFECTED BY THIS HIPAA BUSINESS ASSOCIATE AGREEMENT" on page one (1) of this Agreement.

4.5 Covered Entity Authorization for Additional Uses.
Any use of PHI or other confidential TennCare information by Business Associate, its Subcontractors, its affiliate or Contractor, other than those purposes of this Agreement, shall require express written authorization by the Covered Entity, and a Business Associate agreement or amendment as necessary. Activities which are prohibited include, but are not limited to, Marketing or the sharing for Commercial Use or any purpose construed by Covered Entity as Marketing or Commercial Use of TennCare enrollee personal or financial information with affiliates, even if such sharing would be permitted by federal or state laws.

4.6 Prohibition of Offshore Disclosure. Nothing in this Agreement shall permit the Business Associate to share, use or disclose PHI in any form via any medium with any third party beyond the boundaries and jurisdiction of the United States without express written authorization from the Covered Entity.

4.7 Prohibition of Other Uses and Disclosures. Business Associate shall not use or disclose PHI that is Genetic Information for underwriting purposes. Moreover, the sale, marketing or the sharing for commercial use or any purpose construed by Covered Entity as the sale, marketing or commercial use of TennCare enrollee personal or financial information with affiliates, even if such sharing would be permitted by federal or state laws, is prohibited.

4.8 Data Use Agreement - Use and Disclosure of Limited Data Set. Business Associate may use and disclose a Limited Data Set that Business Associate creates for Research, public health activity, or Health Care Operations, provided that Business Associate complies with the obligations below. Business Associate may not make such use and disclosure of the Limited Data Set after any cancellation, termination, expiration, or other conclusion of this Agreement.

4.9 Limitation on Permitted Uses and Disclosures.
Business Associate will limit the uses and disclosures it makes of the Limited Data Set to the following: Research, public health activity, or Health Care Operations, to the extent such activities are related to covered functions, including business planning and development such as conducting cost-management and planning-related analysis related to managing and operating Business Associate's functions, formulary development and administration, development and improvement of methods of payment or coverage policies, customer service, including the provision of data analysis for policy holders, plan sponsors, or other customers, to the extent such activities are related to covered functions, provided that PHI is not disclosed and disclosure is not prohibited pursuant to any other provisions in this Agreement related to Marketing or Commercial Use.

4.10 Business Associate shall enter into written agreements that are substantially similar to this Business Associate Agreement with any Subcontractor or agent to which Business Associate provides access to Protected Health Information.

4.11 Business Associate shall implement and maintain information security policies that comply with the HIPAA Security Rule.

5. OBLIGATIONS OF COVERED ENTITY

5.1 Notice of Privacy Practices. Covered Entity shall provide Business Associate with the notice of Privacy Practices produced by Covered Entity in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice.

5.2 Notice of Changes in Individual's Access or PHI. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses.

5.3 Notice of Restriction in Individual's Access or PHI. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R.
§ 164.522, to the extent that such restriction may affect Business Associate's use of PHI.

5.4 Reciprocity for Requests Received by Business Associate. The Parties agree that this Section (Section 5) is reciprocal to the extent Business Associate is notified or receives an inquiry from any Individual within Covered Entity's covered population.

6. TERM AND TERMINATION

6.1 Term. This Agreement shall be effective as of the date on which it has been signed by both parties and shall terminate when all PHI which has been provided, regardless of form, by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if the Parties agree that it is unfeasible to return or destroy PHI, subsection 6.3.5 below shall apply.

6.2 Termination for Cause. This Agreement authorizes and Business Associate acknowledges and agrees Covered Entity shall have the right to terminate this Agreement and Service Agreement in the event Business Associate fails to comply with, or violates a material provision of this Agreement and any provision of the Privacy and Security Rules.

6.2.1 Upon Covered Entity's knowledge of a Breach by Business Associate, Covered Entity shall either: (a) Provide notice of breach and an opportunity for Business Associate to reasonably and promptly cure the breach or end the violation, and terminate this BAA if Business Associate does not cure the breach or end the violation within the reasonable time specified by Covered Entity; or (b) Immediately terminate this BAA if Business Associate has breached a material term of this BAA and cure is not possible.

6.3 Effect of Termination.
Upon termination of this Agreement for any reason, except as provided in subsections 6.3.2 and 6.3.5 below, Business Associate shall at its own expense either return and/or destroy all PHI and other confidential information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision applies to all confidential information regardless of form, including but not limited to electronic or paper format. This provision shall also apply to PHI and other confidential information in the possession of sub-contractors or agents of Business Associate.

6.3.1 The Business Associate shall consult with the Covered Entity as necessary to assure an appropriate means of return and/or destruction and shall notify the Covered Entity in writing when such destruction is complete. If information is to be returned, the Parties shall document when all information has been received by the Covered Entity.

6.3.2 This provision (Section 6.3 and its subsections) shall not prohibit the retention of a single separate, archived file of the PHI and other confidential TennCare information by the Business Associate if the method of such archiving reasonably protects the continued privacy and security of such information and the Business Associate obtains written approval at such time from the Covered Entity. Otherwise, neither the Business Associate nor its Subcontractors and agents shall retain copies of TennCare confidential information, including enrollee PHI, except as provided herein in subsection 6.3.5.

6.3.3 The Parties agree to anticipate the return and/or the destruction of PHI and other TennCare confidential information, and understand that removal of the confidential information from Business Associate's information system(s) and premises will be expected in almost all circumstances.
The Business Associate shall notify the Covered Entity whether it intends to return and/or destroy the confidential information, with such additional detail as requested. In the event Business Associate determines that returning or destroying the PHI and other confidential information received by or created for the Covered Entity at the end or other termination of the Service Agreement is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction unfeasible.

6.3.4 Except for Business Associate Agreements in effect prior to April 21, 2005 when the Security Rule became effective, for the renewal or amendment of those same Agreements, or for other unavoidable circumstances, the Parties contemplate that PHI and other confidential information of the Covered Entity shall not be merged or aggregated with data from sources unrelated to that Agreement, or Business Associate's other business data, including for purposes of data backup and disaster recovery, until the parties identify the means of return or destruction of the TennCare data or other confidential information of the Covered Entity at the conclusion of the Service Agreement, or otherwise make an express alternate agreement consistent with the provisions of Section 6.3 and its subsections.

6.3.5 Upon written mutual agreement of the Parties that return or destruction of PHI is unfeasible and upon express agreement as to the means of continued protection of the data, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction unfeasible, for so long as Business Associate maintains such PHI.

7. MISCELLANEOUS

7.1 Regulatory Reference. A reference in this Agreement to a section in the Privacy and/or Security Rule means the section as in effect or as amended.

7.2 Amendment.
The Parties agree to take such action to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy and Security Rules and the Health Insurance Portability and Accountability Act, Public Law 104-191. Business Associate and Covered Entity shall comply with any amendment to the Privacy and Security Rules, the Health Insurance Portability and Accountability Act, Public Law 104-191, and related regulations upon the effective date of such amendment, regardless of whether this Agreement has been formally amended, including, but not limited to, changes required by the American Recovery and Reinvestment Act of 2009, Public Law 111-5.

7.3 Survival. The respective rights and obligations of Business Associate under Confidentiality and Section 6.3 of this Agreement shall survive the termination or expiration of this Agreement.

7.4 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and the Business Associate to comply with the Privacy and Security Rules.

7.5 Headings. Paragraph Headings used in this Agreement are for the convenience of the Parties and shall have no legal meaning in the interpretation of the Agreement.

7.6 Notices and Communications. All instructions, notices, consents, demands, or other communications required or contemplated by this Agreement shall be in writing and shall be delivered by electronic mail, hand, by facsimile transmission, by overnight courier service, or by first class mail, postage prepaid, addressed to the respective party at the appropriate facsimile number or address as set forth below, or to such other party, facsimile number, or address as may be hereafter specified by written notice. (For purposes of this section, effective notice to "Respective Party" is not dependent on whether the person named below remains employed by such Party.)
The Parties agree to use their best efforts to immediately notify the other Party of changes in address, telephone number, and fax numbers and to promptly supplement this Agreement as necessary with corrected information. Notifications relative to Sections 2.8 and 3.4 of this Agreement must also be reported to the Privacy Officer pursuant to Section 3.5.

COVERED ENTITY:
Stephen Smith, Director
Division of TennCare
310 Great Circle Rd.
Nashville, TN 37243
Fax: (615) 253-5607

BUSINESS ASSOCIATE:

All instructions, notices, consents, demands, or other communications shall be considered effectively given as of the date of hand delivery; as of the date specified for overnight courier service delivery; as of three (3) business days after the date of mailing; or on the day the facsimile transmission is received mechanically by the facsimile machine at the receiving location and receipt is verbally confirmed by the sender.

7.7 Transmission of PHI or Other Confidential Information. Regardless of the transmittal methods permitted above, Covered Entity and Business Associate agree that all deliverables set forth in this Agreement that are required to be in the form of data transfers shall be transmitted between Covered Entity and Business Associate via the data transfer method specified in advance by Covered Entity. This may include, but shall not be limited to, transfer through Covered Entity's SFTP system. Failure by the Business Associate to transmit such deliverables in the manner specified by Covered Entity may, at the option of the Covered Entity, result in liquidated damages if and as set forth in one (1) or more of the Service Agreements between Covered Entity and Business Associate listed above. All such deliverables shall be considered effectively submitted upon receipt or recipient confirmation as may be required.

7.8 Strict Compliance.
No failure by any Party to insist upon strict compliance with any term or provision of this Agreement, to exercise any option, to enforce any right, or to seek any remedy upon any default of any other Party shall affect, or constitute a waiver of, any Party's right to insist upon such strict compliance, exercise that option, enforce that right, or seek that remedy with respect to that default or any prior, contemporaneous, or subsequent default. No custom or practice of the Parties at variance with any provision of this Agreement shall affect, or constitute a waiver of, any Party's right to demand strict compliance with all provisions of this Agreement.

7.9 Severability. With respect to any provision of this Agreement finally determined by a court of competent jurisdiction to be unenforceable, such court shall have jurisdiction to reform such provision so that it is enforceable to the maximum extent permitted by applicable law, and the Parties shall abide by such court's determination. In the event that any provision of this Agreement cannot be reformed, such provision shall be deemed to be severed from this Agreement, but every other provision of this Agreement shall remain in full force and effect.

7.10 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Tennessee except to the extent that Tennessee law has been pre-empted by HIPAA and HITECH and without giving effect to principles of conflicts of law. Jurisdiction shall be Davidson County, Nashville, Tennessee, for purposes of any litigation resulting from disagreements of the parties for purpose of this Agreement and the Service Agreement(s).

7.11 Compensation. There shall be no remuneration for performance under this Agreement except as specifically provided by, in, and through, existing administrative requirements of Tennessee State government and Services Agreement(s) referenced herein.

7.12 Validity of Execution.
Unless otherwise agreed, the parties may conduct the execution of this Business Associate Agreement transaction by electronic means. The parties may agree that an electronic record of the Agreement containing an Electronic Signature is valid as an executed Agreement.

IN WITNESS WHEREOF, the Parties execute this Agreement to be valid and enforceable from the last date set out below:

DIVISION OF TENNCARE
By: Stephen Smith, Director
Date:
Division of TennCare
310 Great Circle Road
Nashville, TN 37243
Fax: (615) 253-5607

BUSINESS ASSOCIATE
By:
Date:
_______________________________________
_______________________________________