By assenting to the Terms and Conditions: (i) Any Provider who has authorized a vendor to utilize the Portal on behalf of the Provider is affirming to myNEXUS that the Provider has entered into a HIPAA compliant “Business Associate Agreement” as described below, with that vendor; and (ii) Any vendor acting on behalf of a Provider is affirming to myNEXUS that it has entered into a “Business Associate Agreement”, as described below, with the Provider who has authorized the vendor access to the Portal on the Provider’s behalf. Providers and vendors who access the Portal on behalf of Providers may be referred to collectively as “Portal Users.”

“Protected Health Information” shall have the same definition as that found in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), any successor federal statute, and the rules and regulations promulgated thereunder, all as may be amended or supplemented from time to time. A “Business Associate” is a person or entity, other than a member of the workforce of the Provider, who performs functions or activities on behalf of, or provides certain services to, the Provider that involve access by the Business Associate to Protected Health Information (“PHI”). A “Business Associate” also includes subcontractors that create, receive, maintain, or transmit protected health information on behalf of a Business Associate. Federal regulations require that Providers and the Business Associate enter into a “Business Associate Agreement” to ensure that the Business Associate will appropriately safeguard protected health information. A HIPAA-compliant “Business Associate Agreement” is an agreement between a Provider and Business Associate that defines the parameters of the Business Associate’s rights and obligations with respect to PHI and meets the requirements of 45 C.F.R. §164.504.
In the event the Portal User creates, receives, maintains, or otherwise is exposed to PHI, personally identifiable aggregate patient or other medical information, Portal User shall: (i) Not use or further disclose the PHI, except as permitted by federal or state law; (ii) Use appropriate safeguards (including implementing administrative, physical, and technical safeguards for electronic PHI) to protect the confidentiality, integrity, and availability of and to prevent the use or disclosure of the PHI other than as provided for by the Terms and Conditions; (iii) Report immediately to myNEXUS any security incident or other use or disclosure of PHI not permissible under the Terms and Conditions of which Portal User becomes aware; (iv) Ensure that any subcontractors or agents who receive or are exposed to PHI (whether in electronic or other format) are provided the Terms and Conditions and agree to the same restrictions and conditions; (v) Make its internal practices, books, and records that relate to the use and disclosure of PHI available to myNEXUS for purposes of determining compliance with the Terms and Conditions.

The notification shall include but not be limited to a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired, or as otherwise provided for by applicable law. In addition to the above stated requirements, and to the extent permitted by law, the Provider and/or vendor shall indemnify and hold harmless myNEXUS for any breach of security by the Provider and/or vendor, its subcontractors, or its employees or agents. The Portal User is expected to comply with all state, local and federal privacy and security laws. In the event of overlapping regulations, the User will adhere to the most restrictive.