This privacy policy describes the practices of athenahealth, Inc. (“we” or “athenahealth”) with regard to information about you that we obtain, either directly or indirectly through you and/or third-party vendors, through the athenaText application (“the application” or “athenaText”). This policy does not apply to (i) other athenahealth platforms (e.g., athenaCollector, athenaClinicals, athenaCommunicator, athenaCoordinator, athenaCoordinator Enterprise, athenaCoordinator Analytics, etc.), (ii) athenahealth.com and other applications that we operate, (iii) information that we obtain outside of the application, or (iv) applications of third parties to which we provide links. We do not control and are not responsible for the privacy practices of, or the data available on or through, the applications of third parties, and we urge you to evaluate the soundness of these practices for yourself.

Please note that this policy does not apply when:

• You have given us your consent to share or use information about you;
• We believe that we need to share information about you to provide a service that you have requested from us or from others;
• We are required by law to disclose information; or
• We believe that it is necessary to protect our rights or to avoid liability or violations of the law.

If you have any questions about this policy or any other aspects of your privacy with respect to athenahealth, please contact us at: athenahealth, Inc., Attn: Chief Compliance Officer, 311 Arsenal Street, Watertown, MA 02472.

California Residents: Pursuant to California’s Shine the Light law, you have the right to request information regarding how athenahealth shares your information with third party vendors, if at all, for their marketing purposes. Please use the above contact address to submit a request.

athenahealth values the privacy of those under the age of 18 and does not wish to obtain any information from or about them through the application. If you are under 18 and are not supervised by an adult, please do not use the application.

The following types of information may be collected through the application:

Information you provide to us:

During the registration process we may ask for any or all of the following information: your name, email address, practice name, date of birth, postal address and/or postal code, profession, specialty, medical school, year of graduation, mobile phone number, NPI and the last four digits of your social security number. During this process, we may also request your photograph to be used in connection with the services; When an application user sets up his or her profile, we ask for his or her name, gender, office contact information, place of residency, year residency completed, practice specialty areas, practice type, taxonomy, place of employment, hospital affiliations, whether he or she is accepting new patients, insurance accepted, languages spoken, and clinical interests which may be then populated into the Provider Directory; Any other information you provide in any athenaText profile/user account may be collected by us. Please note that if you choose not to provide categories of requested information, you may not be able to use certain features of the application.

Information we receive from third parties about you:

We may collect additional information about you from third parties, including the American Medical Association (AMA) to assist us in providing you with services.

Information automatically collected about you:

• Whenever you use our application, we may automatically collect data about your device such as your device ID and related device identifier information (e.g., cookies information, web beacon technologies, IP Address, etc.), and information about how you use our application;
• When you use our mobile application to find medical professionals near you, we collect your precise geolocation data;
• When a user sends a message using the application, the receiver and athenahealth will be able to view if the receiver has viewed the message. Similarly, if a sender’s message fails to deliver, we will be able to view that information;
• Athena will view and monitor which users are logging on to and using the application, and view how frequently such users access the application;
• When you use the application, we may ask for a list of “contacts” and their contact information to enable you to send messages to those contacts through the application;
• We may collect data about the equipment used to visit the application and the patterns of utilization of the application.

athenahealth will not collect personal information unless your voluntary consent has been obtained to track such information.

We use information collected to improve upon the functionality of the application. For example, we may track the number of visitors using certain portions or features of the application to make changes that may be necessary to improve the application’s functionality. We may use information collected from you in order to

• track the popularity of features on the application to guide the development of new features;
• send you related information, including confirmations, technical notices, updates, security alerts, and support and administrative messages;
• send you invitations, by email or other means, from other athenaText users to connect and/or communicate through our application; and
• communicate with you via email, mobile alerts and other messaging services about commercial, non-commercial, sponsored and non-sponsored clinical information.

athenahealth may share your information (i) with other entities if needed to comply with laws or to respond to lawful requests and legal process; (ii) to protect the rights and property of our agents, customers, and others, including to enforce our agreements, policies and terms of use; (iii) with your employer or other entity that contracts for athenaText with athenahealth on your behalf; or (iv) in an emergency to protect the personal safety of athenahealth, its customers, or any person. Finally, your information may be shared in connection with or during negotiation of any merger, financing, acquisition or bankruptcy transaction or proceeding involving sale or transfer of all or a portion of our business or assets to another company.

athenahealth reserves the right to make periodic updates and revisions to this Privacy Policy. Any changes will be posted on this page. Please check this page to review whether any changes have been made to the policy.

References to "Athena", "we", "us" or "our" in these Terms of Use mean athenahealth, Inc., including any company that Athena controls (for example a subsidiary that it owns).

We provide Athena users with access to a wide array of resources which may be provided to you in a variety of mediums and devices now known or hereinafter developed, including mobile applications. These resources include, without limitation, applications and communication tools, including content licensed from our licensors (collectively, the "Services"). For the avoidance of doubt, the Services do not include athenaClinicals®, athenaCollector®, athenaCommunicator®, athenaCoordinator® Enterprise, athenaCoordinator® Analytics, or athenaCoordinator® Core.

The information that we make available through the Services is intended for physicians and other healthcare professionals. While we hope you find the Services helpful, they are not meant to serve as a substitute for your own clinical judgment as a healthcare professional and you should evaluate and independently verify the information and results from Services we provide. We do not provide professional advice or recommend particular products through our Services. If you are a consumer who chooses to use the Services, you do so at your own risk. You should not use the Services to transmit any information requiring urgent attention. Doing so may create a delay in your receiving necessary medical treatment and could result in loss of life, permanent injury or significant deterioration in your health. If you believe you have an urgent medical matter, you should call 911 immediately or proceed to the nearest emergency room. If the matter is not urgent but you need a response in a timely fashion, please contact your healthcare professional’s office directly by telephone during regular business hours.

The Provider Directory is provided for informational purposes only. You assume full responsibility for the communications with any individual you contact through the Provider Directory. The database of information which drives the Provider Directory does not contain sufficient information with which to verify credentials under the standards of the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), National Committee for Quality Assurance (NCQA) of the Utilization Review Accreditation Committee (URAC), and use of the Provider Directory to verify the credentials of physicians is prohibited. The inclusion of a healthcare professional in the Provider Directory is not an endorsement of any such healthcare professional by Athena, any of its licensors, affiliates or any third party sponsor of any component of the Services. Athena does not guaranty the accuracy of the information included in the Provider Directory and assumes no liability for any inaccuracies contained therein.

Athena owns all rights to its logos and trademarks used in connection with the Services. All other logos and trademarks used in connection with the Services are the property of their respective owners.

You acknowledge and agree that the Services and information, content, software and applications presented to you through the Services or used in connection with the Services contain proprietary and confidential information that is protected under U.S. and international intellectual property laws, including copyright, trademarks, service marks, patents or other proprietary rights and laws. Except as expressly authorized by us or our licensors, you agree not to sell, rewrite, modify, reproduce, distribute (via the Internet or other public computer based information system), redistribute, create derivative works (including translating), rent or provide any information presented to you through the Services, in whole or in part, to an unauthorized party. Further, you are prohibited from using, downloading, publishing, republishing, transferring, selling, leasing, licensing, duplicating, or "scraping" for commercial or any other purpose any database, in whole or in part, in any medium whatsoever, underlying any of the Services including, without limitation, the Provider Directory.

The Services are being provided to you on a non-exclusive, non-transferable basis solely for your internal use in the U.S. You may view information provided through the Services online or download or print individual articles for backup or archival purposes only. All copies of the information provided through the Services must include any trademark or copyright notices or disclaimers, and you may not remove any trademark or copyright notices or disclaimers from our or our licensors' materials. We and our licensors reserve all other rights not granted in these Terms of Use. You agree not to access the Services by any means other than through the interface that is provided by us for use in accessing the Services.

Usually, we don't mind if you include a simple link from your website to our website(s). However, you must first ask our permission if you intend to frame our website(s) or incorporate all or a portion of our website(s) into a different site or product in such a way that is not clear to the users that we are the source of the content. You are not allowed to link to us if you engage in the publication or promotion of illegal, obscene, or offensive content, or if the link in any way negatively impacts on our reputation.

You may be required to create an Athena account in order to access the Services. By creating an account, you represent and warrant that all information that you provide on the registration form is current, complete and accurate to the best of your knowledge. You agree to maintain and properly update your registration information so that it remains current, complete and accurate at all times. During the registration process, you may be required to choose a password. You acknowledge and agree that Athena may rely on this password to identify you. You are responsible for all use of your Athena account, regardless of whether you authorized such access or use, and for ensuring that all use of your account complies fully with the provisions of these Terms of Use. You agree to notify Athena immediately of all unauthorized use of your account and if the security or secrecy of your account login information has been compromised. You may be held responsible for any losses incurred by Athena or any other user of the Service that are in any way related to your failure to maintain the security of your account information.

By using the Services, you represent that you are 18 years of age or older.

You are responsible for all communications, information, data, text, music, sound, graphics, messages and other material ("Content") that you upload, post, transmit, email or otherwise distribute using the Services. Neither we nor our licensors are responsible for the consequences of the Content posted by you or any other party through the Services, and as such, do not guarantee the accuracy, integrity or quality of such Content. You understand that by using the Services, you may be exposed to Content that is offensive or objectionable. In no event will we be liable in any way for any Content or for any loss or damage of any kind incurred as a result of the use of any Content uploaded, posted, transmitted, emailed or otherwise made available through the Services. In cases where you feel threatened or believe someone else is in danger, you should contact your local law enforcement agency immediately. If you think there is a medical emergency, call your doctor or 911 immediately.

When you use the Services, you agree not to:

1. Violate local, state, national, or international laws;
2. Post, upload, email, transmit or otherwise distribute any Content that infringes on the intellectual property rights of others or on the privacy or publicity rights of others;
3. Post, upload, email, transmit or otherwise distribute any Content that is unlawful, harmful, obscene, defamatory, threatening, harassing, abusive, slanderous, hateful, or embarrassing to any other person or entity as we may determine in our sole discretion;
4. Harm minors in any way;
5. Post advertisements or solicitations of business;
6. Forge headers or otherwise manipulate identifiers in order to disguise the origin of any Content transmitted through the Services;
7. Post, upload, email, transmit or otherwise distribute chain letters, pyramid schemes, unsolicited or unauthorized advertising or spam;
8. Impersonate another person or business entity or stalk or otherwise harass another person;
9. Post, upload, email, transmit or otherwise distribute viruses or other harmful computer code designed to interrupt, destroy or limit the use of any computer software or hardware;
10. Harvest or otherwise collect information about others, including email addresses;
11. Allow any other person or entity to use your identification;
12. Interfere with or disrupt the Services or computers, networks or other hardware connected to the Services, or disregard any requirements or policies of networks connected to the Services;
13. Engage in any other conduct that restricts or inhibits any other person from using or enjoying the Services, or which, in our sole judgment, exposes us or our licensors, customers or suppliers to any liability or detriment of any type;
14. Fail to respect other members' privacy. This includes revealing another user's password, phone number, address, or any other personally identifiable information;
15. Create member names, or post, solicit or send messages, text or photographs that are sexually explicit, that denigrate, threaten, abuse or harm others in any way; or

We may (but are not obligated to) do any or all of the following without notice:

1. Record or pre-screen the dialogue through the Services;
2. Investigate an allegation that a communication does not conform to the terms of this section and determine in our sole discretion to remove or request the removal of the Content;
3. Remove Content which is abusive, objectionable, illegal, or disruptive, or that otherwise fails to conform with these Terms of Use;
4. Terminate your access to any or all Services upon our determination that you have violated these Terms of Use; or
5. Edit Content.

You agree that you must evaluate, and bear all risks associated with, the use of any Content, including any reliance on the accuracy, completeness, or usefulness of such Content. You acknowledge, consent and agree that we may investigate your use of the Services in order to determine whether a violation of the Terms of Use has occurred or to comply with any applicable law, regulation, governmental request or legal process.

You agree and acknowledge that the processing and transmission of content transmitted in connection with the Services, including your Content, may involve transmissions over various networks and devices and modifications may be required for such transmissions.

When you submit information to areas of the Services that are publicly available, you give us an irrevocable, perpetual license to use, reproduce, modify, adapt, publicly perform and publicly display that information in connection with the Services. See our Privacy Policy section below for an explanation of how we use information that you provide to the Services and your rights to change or delete it. We ask that you not post any messages with misleading, false, or inappropriate language or statements. We reserve the right to remove any Content that we deem offensive or fraudulent at any time without your consent, as further described below. We cannot and do not assume any responsibility or liability for any information you submit in connection with the Services, or your or third parties' use or misuse of information transmitted or received using the Services.

When you use our mobile applications, in addition to information described in our Privacy Policy, such as your profile and contact information, we automatically collect certain information from your device including your precise geolocation, information about your device such as the device type, device ID, operating system, wireless service provider and information about the operation of our application and your usage of our application, including features you used, pages you viewed, and when and for how long you used the application. By using Athena mobile applications, you agree that Athena may collect this information and use, transmit, process, and store that information as described in Athena’s Privacy Policy including to provide and improve our Services.

Athena does not make any representations or guaranty about whether the Services are adequate to meet your privacy and security compliance obligations under HIPAA or any other standards, laws, rules or regulations. You are responsible for assessing your privacy and security needs and determining whether your use of our Services is appropriate to comply with your obligations.

You can review our Privacy Policy here.

You acknowledge that Athena may establish general practices and limits concerning use of the Services, including without limitation the maximum number of days that messages, postings or other uploaded Content will be retained by the Services, the maximum number of messages that may be sent from or received by an account on the Services, the maximum size of any message that may be sent from or received by an account on the Services, the maximum disk space that will be allotted on Athena’s servers on your behalf, and the maximum number of times (and the maximum duration for which) you may access the Services in a given period of time. You agree that Athena has no responsibility or liability for the deletion or failure to store any messages and other communications or other Content maintained or transmitted by the Services. You acknowledge that Athena reserves the right to modify these general practices and limits from time to time.

In addition to complying with these Terms and Conditions, with respect to your use of the Services, you are wholly responsible for complying with any applicable compliance, security and termination of access policies, including but not limited to any employer or affiliate policies governing the use, disclosure and/or storage of content on your mobile device. Athena has no responsibility or liability for your failure to comply with such applicable policies. Athena does not monitor the employment status or appropriateness of user access to the Services.

You expressly agree that Athena may preserve any transmittal or communication by you through the Services, or any service offered through the Services, and may disclose that information if legally required to do so or if Athena determines that the disclosure is reasonably necessary to enforce these Terms of Use or to protect any rights hereunder or to respond to claims of wrongdoing by others. Please visit our Privacy Policy for our complete policy on what information we collect, how we may use that information and when we share it.

When using the Services, information will be transmitted over a medium that may be beyond the control of Athena, our licensors or suppliers. Accordingly, neither Athena, its licensors nor suppliers assume liability for or relating to the delay, failure, interruption or corruption of any data or other information transmitted in connection with your use of the Services. You are responsible for obtaining and maintaining all connectivity, computer software, hardware and other equipment needed to access the Services and all charges related to the same.

We control those components of the Services made available through our respective websites from our offices within the Commonwealth of Massachusetts in the U.S. The Services are to be used only in the U.S. Since the laws of each state or country able to access the Services may differ, by accessing the Services, you agree that the statutes and laws of the Commonwealth of Massachusetts, without regard to choice of laws principles, will apply to all matters relating to use of the Services. No waiver of any of these Terms of Use shall be deemed a further or continuing waiver of such terms or any other term. We make no representation that materials made available through the Services are appropriate or available for use in other locations, and accessing them from territories where their contents are illegal is prohibited. If you access the Services from outside the U.S., you are responsible for compliance with the laws of your jurisdiction.

We may also take any legal action we think is appropriate. If your violation of these Terms of Use causes harm to others, you agree to hold us and our licensors and affiliates harmless against any liability for that harm. If there is any dispute between us concerning these Terms of Use or your use of the Services, you agree to submit the dispute to non-binding mediation, followed by binding arbitration. Both the mediation and the arbitration will be governed under the rules of the American Arbitration Association, and the venue for the arbitration will be Massachusetts.

You agree that we may, under certain circumstances and without prior notice, discontinue, temporarily or permanently, the Services (or any part thereof) or eliminate your account, any associated email address, and remove any information you uploaded or provided to the Services with or without notice. Cause for termination shall include, but not be limited to, (a) breaches or violations of these Terms of Use or other incorporated agreements or guidelines, (b) requests or inquiries by law enforcement or other government agencies, (c) a request by you (self-initiated account deletions), (d) discontinuance or material modification to the Services (or any part thereof), (e) unexpected technical or security issues or problems, (f) extended periods of inactivity, and/or (g) your engagement in fraudulent or illegal activities. You agree that all terminations for cause shall be made at our sole discretion, and neither we nor our licensors shall be liable to you or any third party for any termination of your account, any associated email address, or access to the Services or any portion thereof.

The following provisions survive the expiration or termination of these Terms of Use for any reason whatsoever: Liability, Member Conduct, Proprietary Rights, Indemnity, Laws that Govern this Agreement and Consequences.

Your use of the Services is at your own risk. The Services and information included therein are provided on an "as is" basis. WE AND OUR LICENSORS AND SUPPLIERS, TO THE FULLEST EXTENT PERMITTED BY LAW, DISCLAIM ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, ACCURACY, NON-INFRINGEMENT OF THIRD PARTIES' RIGHTS, FITNESS FOR PARTICULAR PURPOSE AND THAT THE SERVICES WILL MEET YOUR REQUIREMENTS AS AN END USER OF THE SERVICES. NEITHER ATHENA NOR ITS LICENSORS OR SUPPLIERS WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE.

Without limiting the foregoing, we, our licensors, and our suppliers make no representations or warranties about the accuracy, reliability, completeness, currentness, or timeliness of the Services or information contained therein. The Services may contain links to websites, other applications or information collected from other parties. Athena does not sponsor, operate, control or endorse any of these sites or applications, nor the information, products or services provided by such third parties, nor does Athena make any guarantee, warranty or representation regarding the accuracy of information collected from such third parties or any guarantee, warranty or representation regarding any equipment utilized by the user in connection with the Services that has not been provided by Athena.

In no event will we, our licensors, our suppliers, or any third parties mentioned on our website(s) be liable for any damages (including, without limitation, incidental, consequential and special damages, personal injury/wrongful death, lost profits for sequence, accuracy or completeness of information included in the Services, or damages resulting from lost data or business interruption) resulting from the use of, misuse of, inability to use or interpretation of the information contained in the Services or information contained therein, whether based on warranty, contract, tort, or any other legal theory, and whether or not we, our licensors, our suppliers, or any third parties mentioned within the Services are advised of the possibility of such damages. We, our licensors, our suppliers, or any third parties mentioned within the Services shall be liable only to the extent of actual damages incurred by you, not to exceed U.S. $100. We, our licensors, our suppliers, or any third parties mentioned within the Services are not liable for any personal injury, including death, caused by your use or misuse of the Services or any information contained therein. Any claims arising in connection with your use of the Services must be brought within one (1) year of the date of the event giving rise to such action occurred. Remedies under these Terms of Use are exclusive and are limited to those expressly provided for in these Terms of Use.

You agree to defend, indemnify, and hold us and our officers, directors, employees, agents, licensors, and suppliers, harmless from and against any claims, actions or demands, liabilities and settlements including without limitation, reasonable legal and accounting fees, resulting from, or alleged to result from, your violation of these Terms of Use.

Some of the Services implement the Google Maps web mapping service. Your use of Google Maps is subject to Google's terms of use, located here.

Except as expressly provided in a particular "legal notice" on the website, these Terms of Use constitutes the entire agreement between you and Athena with respect to your use (and prior use) of the Services. If any provision of these Terms of Use is deemed to be unenforceable as written by a court of competent jurisdiction, the parties intend that such provision shall be modified to the extent necessary to make the provision enforceable. If the provision cannot be modified in this manner to make it enforceable, the parties intend that the provision shall be removed and the remaining provisions shall remain in full force and effect.

When using the athenaText application, the additional terms found here and the Business Associate Agreement found here apply.

Enter your mobile number into the athenaText application to receive a standard rate alert for verifying the application. Receive 2 messages per request. Text STOP to 67588 to opt out. Text HELP to 67588 for help or call 1-800-230-2150 for more information. Message and Data Rates May Apply. Participating carriers include: Alltel, AT&T, MetroPCS, Cricket, T-Mobile, U.S. Cellular, Sprint, Boost, Virgin Mobile and Verizon Wireless.

For customer support please call 1-800-230-2150 or email athenaText Support.

For purposes of this BAA:

1. “Agreement” means the Athena Terms of Use located here.
2. “Athena” means athenahealth, Inc., a Delaware corporation;
3. “BAA” means this Business Associate Agreement;
4. The following terms used in this BAA shall have the same meaning as those terms under HIPAA: Breach; Business Associate; Designated Record Set; HITECH Act; and Unsecured PHI;
5. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, and associated regulations, as they may be amended from time to time;
6. “PHI” means “protected health information” as that term is used under HIPAA;
7. “Privacy Rule” means the privacy standards in 45 C.F.R. Part 160 and Part 164, subparts A and E;
8. “Security Rule” means the Security Standards in 45 C.F.R. Part 160 and Part 164, subparts A and C;
9. “User” means the end-user who has registered or subscribed to the Services (as defined in the Agreement);
10. “User PHI” means PHI that Athena receives from the User through its use of the Services.

Athena will:

1. not use or disclose User PHI except (i) as required or permitted by law, (ii) as permitted under the terms of the Agreement or any permission of User under the Agreement, or (iii) as incidental under HIPAA to another permitted use or disclosure;
2. use reasonable and appropriate safeguards to prevent use or disclosure of User PHI other than as provided in the Agreement;
3. implement administrative, physical, and technical standards in accordance with the Security Rule to protect the confidentiality, integrity, and availability of User PHI in electronic form (“EPHI”);
4. not use or disclose User PHI in a manner that Athena knows would violate the requirements of HIPAA if done by User
5. mitigate, to the extent practicable, any harmful effect of a use or disclosure of User PHI by Athena that is known to Athena to be in violation of the requirements of the Agreement;
6. report to User as soon as practicable and as required by HIPAA and the HITECH Act any known use or disclosure of User PHI by Athena not as provided by the Agreement and any “Security Incident” with respect to User EPHI as defined in the Security Rule. Additionally, Athena will notify User of any Breach of Unsecured PHI, and such notification shall be made without unreasonable delay following the date of discovery to enable User to comply with the Breach disclosure requirements under the HITECH Act. Athena shall include within such notice identification, to the extent possible, of each individual whose Unsecured PHI has been, or is reasonably believed by Athena to have been, accessed, used, or disclosed through the Breach and any other valuable information known to Athena that User is required to include in its notice to affected individuals. The reporting requirement set forth hereunder shall include, without limitation, disclosures that Athena is aware of that would need to be included in User’s accounting of disclosures under HIPAA and/or HITECH Act, provided that Athena is required by HIPAA and the HITECH Act as a business associate of User to include such disclosures;
7. at the request of User, provide access to User PHI in a Designated Record Set to User or, as properly directed by User, to an individual in order to meet the requirements under 45 C.F.R. §164.524;
8. at the request of User, make any amendment to such User PHI in a Designated Record Set that User properly directs or agrees to pursuant to 45 C.F.R. §164.526
9. make its internal practices, books and records relating to the use and disclosure of User PHI available to the Secretary of Health and Human Services for purposes of the Secretary’s determination of User’s compliance with HIPAA requirements;
10. document such disclosures of User PHI and information related to such disclosures as would be required for User to respond to a request by an individual for an accounting of disclosures of it in accordance with 45 C.F.R. §164.528;
11. provide to User information collected in accordance with this Article to permit User to respond to an appropriate request for an accounting of disclosures of User PHI in accordance with 45 C.F.R. §164.528; and
12. to the extent that Athena is to carry out any User obligation(s) under the HIPAA Privacy Standards, comply with the requirements of the HIPAA Privacy Standards that apply to User in the performance of such obligation(s).

User will:

1. not request, direct, or cause Athena to use or disclose PHI unless the use or disclosure is in compliance with applicable law relating to the privacy and security of patient data and is the minimum amount necessary for the legitimate purpose of such use or disclosure;
2. notify Athena of any limitation in its notice of privacy practices in accordance with 45 C.F.R. §164.520, to the extent that such limitation may affect Athena’s use or disclosure of User PHI;
3. notify Athena of any changes in, or revocation of permission by, an individual to use or disclose User PHI, to the extent that such changes may affect Athena’s use or disclosure of User PHI; and
4. notify Athena of any restriction on the use or disclosure of User PHI that User has agreed to in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Athena’s use or disclosure of User PHI.

Athena’s use and disclosure of User PHI is permitted for the following purposes:

1. to provide the Services;
2. as expressly permitted in the Agreement;
3. as required by law
4. to provide data aggregation services as permitted by 45 C.F.R. §164.504(e)(2)(i)(B);
5. for the proper management and administration of Athena, including, without limitation, making and maintaining reasonable business records of transactions in which Athena has participated or the Services have been used (including back-up documentation); and
6. to de-identify User PHI and use such de-identified information in accordance with 45 C.F.R. §164.514(b).

To the extent that it discloses User PHI pursuant to the purpose in Article 4(c) or (e) that is not also for another of the purposes under Article 4, Athena will

1. obtain reasonable assurances from the person or entity to whom the PHI is disclosed that such person or entity will maintain confidentiality of the PHI and not use or further disclose it except as required by law or for the purpose for which it was disclosed to the person or entity and
2. require the person or entity to whom the PHI is disclosed to notify Athena of any instances of which that person or entity is aware in which the confidentiality of such information has been breached.

Upon termination of the Agreement, Athena will return, destroy, or continue to extend protections to and limit the use and disclosure of User PHI to the extent required by and in accordance with 45 C.F.R. §164.504(e)(2)(ii)(I), provided that the parties agree that it is not feasible in light of reasonable business requirements, regulatory compliance requirements, and the rights and obligations under the Agreement for Athena to return or destroy its business records and transaction databases, including, but not limited to, records and databases of transactions for which User has used the Services or in which Athena has engaged on behalf of User or records and databases that reflect the use of the Services and information that User or Athena has entered into Athena’s products in the course of the Agreement to enable or perform the Services.

Any material default by Athena of its obligations under Articles 2, 4 and 5 will be deemed a default of a material provision of the Agreement, and, if cure of such default and termination of the Agreement are not feasible, User may report the default to the U.S. Secretary of Health and Human Services.

Subject to the other requirements and limitations of this BAA, the business records of Athena and all other records, electronic or otherwise, created or maintained by Athena in performance of the Agreement will be and remain the property of Athena, even though they may reflect or contain User PHI or other information concerning or provided by User. All de-identified information created by Athena in compliance with the Agreement will belong exclusively to Athena, provided that User will not hereby be prevented from itself creating and using its own de-identified information.