General Terms and Conditions of Service

These General Terms and Conditions of Service govern Cafe Health's provision of services to you, the client, and shall be read in conjunction with each Order Form, which identifies the services ("Services") purchased by you, as well as each Funding Agreement (if applicable). Some of these terms and conditions may not be applicable to you or the purchased Services.

Plan Administrator; Fiduciary

You acknowledge and agree that you are the "plan administrator" and "fiduciary" within the meaning of the Employee Retirement Income Security Act of 1974, as amended ("ERISA") (to the extent such law applies) of any and all employee benefit plans or programs (each a "Plan" or, collectively, the "Plans") sponsored by you, and that Cafe Health is an independent contractor engaged to perform the agreed upon Services.

Term

The term of the provision of each Service is set forth on the applicable Order Form. These General Terms and Conditions of Service shall remain in effect for so long as Cafe Health provides Services pursuant to any Order Form. The term of each Service shall automatically renew for successive one (1) year periods, unless earlier terminated by either party as set forth below.

Fees; Payment

You shall pay Cafe Health the fees (“Fees”) listed in the relevant Order Form pursuant to the payment method set forth therein (unless otherwise specified). All undisputed Fees shall be paid net thirty (30) days from the invoice date (unless otherwise specified). You must submit written notice to Cafe Health and provide supporting documentation as to any Fees you dispute within thirty (30) days from the date of the invoice. Cafe Health shall provide a written response within thirty (30) days of receipt of the notice. Upon resolution, you shall pay any and all outstanding amounts due and owing within five (5) business days of such resolution. Cafe Health shall have the right to increase Fees after the first year of Service on an annual basis by three percent (3%). The new Fees shall take effect on the first day of second year of Service and each annual date thereafter. All services not set forth in the Order Form may be subject to additional fees (e.g. additional services required as a result of legislative changes, correction services, customization, etc.).

Any payments received that do not include the information necessary to identify the invoice to which the payment is to be applied will be applied at Cafe Health’ discretion. Cafe Health is not responsible for reconciling such payments against information you may be maintaining separately.

The Fees described herein represent only those fees charged by Cafe Health to you. They do not include or cover fees and/or charges that a third party service provider, including a Health Savings Account (“HSA") custodian bank, may directly charge your employee participants for services they receive from such third parties. Any and all such fees and charges that may be charged to an individual, including deductions made from an individual’s account (e.g., an HSA) or otherwise, by such third party service provider are detailed in the individual agreement(s) entered into by and between the third party service provider, including an HSA custodian bank, and each individual employee participant, which may include but are not limited to Accountholder Agreements, Participant Terms and Conditions and other ancillary agreements.

Taxes; Regulatory Fees.

You shall be responsible for, and shall promptly pay or reimburse Cafe Health for any taxes, as well as any benefit or plan-related charge, surcharge or assessment, imposed as a result of the provision of Services by Cafe Health.

Benefit Claims Funding

You shall timely provide to Cafe Health all benefit claims funding amounts ("Funding"). You acknowledge and agree that any Funding submitted by you to Cafe Health: (i) shall be comprised of general assets; (ii) does not consist of Plan assets or participant/employee contributions, whether made by salary reduction or otherwise, within the meaning of ERISA, without regard to whether ERISA applies, and is not otherwise subject to any restrictions; and (iii) shall not be segregated or set aside in a trust or escrow account by Cafe Health. You agree to pay Cafe Health the entire amount delivered, or deliverable, to participants in any Plan, regardless of whether you collect sufficient payroll deductions from your participants.

Maintenance

Cafe Health reserves the right to perform routine system (both web and IVR) maintenance during off-hours (normally between 9 PM and 5 AM ET). Any longer maintenance period will be posted on Cafe Health' website.

Termination

Termination for Convenience. Either party may terminate a Service without cause after completion of the first year of the initial term of that Service upon at least thirty (30) days' prior written notice to the other party.

Termination for Material Breach. Either party may terminate a Service with cause upon thirty (30) days' prior written notice to the defaulting party if such material breach is not cured within that period, if curable.

Termination for Bankruptcy, Insolvency, or Business Wind Down. Either party may terminate a Service immediately if either party (i) voluntarily files for bankruptcy; (ii) declares insolvency; (iii) takes action to commence winding down its business; or (iv) is named as a defendant in any involuntary bankruptcy or insolvency proceeding.

Termination Due to Legislative and/or Regulatory Changes. Either party shall have the right to terminate a Service if a material change to such Service is required as a result of a legislative and/or regulatory change. Upon receipt of written notice of such change, the parties shall meet and confer in good faith. If the parties do not reach agreement on any such modification of the Service, then either party shall have the right to terminate the Service thereafter upon thirty (30) days' prior written notice to the other party.

Effect of Termination. Upon termination of a Service, all rights and licenses granted to you with respect to that Service shall immediately terminate. You shall be responsible to pay all amounts due and owing upon termination. You shall have the ability to access and download your records and reports via Cafe Health' website up through the date of termination.

Intellectual Property

Ownership. Cafe Health owns and shall retain all right, title and interest (including, without limitation, all intellectual property rights) in and to all software, web pages, documents, processes, and other information, equipment and materials used in connection with the provision of Services hereunder, including, without limitation, those developed by Cafe Health for use by you, participants and beneficiaries (the "Cafe Health System").

Grant of License. Cafe Health grants you, as well as the participants and beneficiaries, a limited, non-exclusive, non-transferable license to access and use the Cafe Health System during the applicable term, solely and exclusively: (i) in accordance with these General Terms and Conditions of Service and any instructions, user guides, and policies made available by Cafe Health; and (ii) for the purpose of receiving the Services provided by Cafe Health. Without limiting the generality of the foregoing, you shall not, (i) without Cafe Health' prior written consent, disclose or provide access to the Cafe Health System to any unauthorized third parties, or (ii) duplicate the Cafe Health System (or any associated materials) or use the same in connection with any other benefits program (including your programs).

Exclusion. All other rights, license and title in and to the Cafe Health System not expressly granted hereunder shall remain the property of Cafe Health.

Exclusive Warranty

Cafe Health warrants that the Services will be performed in accordance with generally accepted industry practices and with reasonable skill and care. THE CAFE HEALTH SYSTEM AND SERVICES ARE PROVIDED "AS IS" WITHOUT ANY FURTHER WARRANTY OF ANY KIND (EXPRESS OR IMPLIED) INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WHICH WARRANTIES ARE HEREBY EXPRESSLY DISCLAIMED.

Indemnification

Each party shall indemnify, defend and hold harmless the other party and its officers, directors, shareholders, employees and agents ("Indemnified Parties") from and against claims and proceedings for actual damages or losses (including legal fees and expenses) arising out of any actual or alleged: (i) breach by such party of its obligations hereunder; (ii) negligence or willful misconduct of such party or its employees, officers or agents; (iii) failure of such party to comply with applicable law (except, with respect to Cafe Health, if such act or omission taken by Cafe Health is pursuant to your instructions); or (iv) claims in which one party is named or joined with the other party when such party has not engaged in any wrongful acts. In addition, you shall indemnify, defend and hold harmless Cafe Health Indemnified Parties for any act or omission taken by Cafe Health pursuant to your instructions. The Indemnified Parties will promptly notify the indemnifying party of any claim. The indemnifying party shall assume and have sole control of the defense of such claim; provided, however, that neither party may settle any claim without the prior written consent of the other party if such settlement exposes the other party to any liability.

Limitation of Liability

IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES (INCLUDING, WITHOUT LIMITATION, LOST PROFITS, LOST BUSINESS, LOSS OF DATA OR COST OF SUBSTITUTE SERVICES) ARISING OUT OF OR IN CONNECTION WITH ANY AGREEMENT BETWEEN THE PARTIES, THE CAFE HEALTH SYSTEM OR THE SERVICES PERFORMED THEREUNDER UNDER ANY THEORY OF LIABILITY (WHETHER IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE). IN ADDITION, EXCEPT FOR BREACHES OF CONFIDENTIALITY OR PRIVACY, CAFE HEALTH SHALL ONLY BE LIABLE TO YOU FOR ANY DIRECT DAMAGES IN AMOUNT EQUAL TO (A) ACTUAL DAMAGES OR (B) THE FEES PAYABLE TO CAFE HEALTH FOR THE SERVICE(S) GIVING RISE TO THE CLAIM DURING THE PLAN YEAR IN WHICH THE EVENT OCCURS, WHICHEVER IS LESS.

Confidentiality

Confidential Information. Each party acknowledges that performance of Services may involve access to and disclosure of Confidential Information that belongs to the other party. "Confidential Information" means any non-public confidential or proprietary information, including, without limitation, business and financial information; policies and procedures; operations; customer and potential customer names; suppliers and vendor names; trade secrets; trade dress; patent applications; inventions disclosures; and, with respect to Plan participants and beneficiaries, personal identification information. Confidential Information does not, however, include any information that: (i) was publicly available or released to the public domain at any time prior to disclosure by one party, (ii) becomes publicly known or generally available after disclosure by one party through no wrongful action or inaction of the other party, (iii) information that is in the party's possession or known by the party at any time prior to the time of disclosure; (iv) is rightfully disclosed to the party by a third party that is not subject to any restrictions; or (v) a party can demonstrate was independently developed by that party without use of the other party's Confidential Information.

Restricted Use. No Confidential Information shall be disclosed to any third party other than representatives of such party who have a "need to know" such Confidential Information, provided that such representatives are informed of the confidentiality provisions hereof and agree to abide by them.

Disclosure. In the event a party is required by law to disclose Confidential Information, the disclosing party shall immediately notify the other party in writing, describing the circumstances of and extent of the disclosure.

Return or Destruction. Upon termination of all Order Forms, each party, upon the request of the other, will return or destroy all copies of all of the other's Confidential Information in its possession or control (unless impracticable), except to the extent such Confidential Information must be retained pursuant to applicable law or a party's document retention policy.

Remedies. The parties acknowledge that compliance with the provisions of the foregoing paragraphs are necessary to protect their businesses and goodwill and that any actual or prospective breach will irreparably cause damage to them, for which money damages may not be adequate. Therefore, the parties agree that if one of them breaches, or attempts to breach, the confidentiality obligations set forth herein, the other party shall be entitled to obtain temporary, preliminary and/or permanent equitable relief, without bond, to restrain such breach, together with any and all other legal and equitable remedies available under applicable law or as set forth herein.

Privacy

In addition to any confidentiality obligations set forth herein, any personally identifiable information (e.g., name, address, age, and social security number) collected or obtained by Cafe Health in the course of performing Services (the "Privacy Restricted Data") will be collected, stored, maintained, accessed, used and disclosed in accordance with any applicable federal, state and local privacy laws that govern the collection, storage, maintenance, access, use or disclosure of such Privacy Restricted Data (the "Privacy Laws"). Cafe Health shall, at all times, perform Services so as not to cause you to be in violation of the Privacy Laws. Cafe Health shall be fully responsible for any collection, access, use and disclosure of Privacy Restricted Data that is based on its actions or inactions that are in violation of any Privacy Laws. Cafe Health shall notify you as soon as administratively practicable of any breaches of security that may result or may have resulted in the unauthorized collection, access, use or disclosure of Privacy Restricted Data that is, or may be, in violation of any Privacy Laws. Cafe Health shall make all reasonable efforts to assist you in relation to the investigation and remedy of any such breach of security and any resulting claim, allegation, action, suit, proceeding or litigation with respect to Cafe Health' unauthorized collection, access, use or disclosure of Privacy Restricted Data that is in violation of any Privacy Laws. Cafe Health shall be responsible for the cost of its violation of any Privacy Laws with respect to the Privacy Restricted Data, including, without limitation, remedial activity, notification of Plan participants and beneficiaries, and fines and/or penalties.

Miscellaneous

Publicity. With your prior consent, Cafe Health shall be permitted to use your name and logo in sales presentations and in any filings with the Securities and Exchange Commission, and shall be permitted to reference your name in any of its earnings calls.

Subcontractors. Cafe Health utilizes subcontractors to perform certain Services. Cafe Health shall be liable for the acts or omissions of its subcontractors. For clarification, HSA custodian banks and/or trustees are not subcontractors of Cafe Health and any agreement(s), including an Accountholder Agreement, entered into between the custodian bank and each individual HSA accountholder controls the terms under which the HSA is maintained by the custodian bank, including the rights of the custodian bank to charge fees or other amounts to individual HSA accountholders for services.

Massachusetts Data Security Regulations (201 CMR 17.00). Cafe Health certifies that it has in place and shall maintain during the provision of Services, a written comprehensive security program that is in compliance with the provisions of 201 CMR 17.00, et seq., at http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.

Tennessee Insurance Code, Sections 56-6-403 through 56-6-409. Cafe Health certifies that it shall provide Services in compliance with the provisions of Sections 56-6-403 through 56-6-409 of the Tennessee Insurance Code at http://www.lexisnexis.com/hottopics/tncode/, as applicable.

Third Party Sender. As a Third Party Sender under National Automated Clearing House Association ("NACHA") rules and regulations, you acknowledge and agree that Cafe Health must perform a certain level of due diligence on you and that part of such diligence requires that you make certain representations and warranties in order for Cafe Health to be able to originate ACH transactions on your behalf. Accordingly, you (i) authorize Cafe Health to originate transactions on your behalf, (ii) agree to be bound by applicable NACHA rules, (iii) agree not to originate transactions that violate U.S. laws, and (iv) agree to provide written notice to Cafe Health if there are any restrictions on the type of transactions that may be originated and, if there are, to describe such restrictions. You further acknowledge and agree that in addition to other termination rights outlined herein, that Cafe Health has the right to terminate or suspend the Services if you violate any applicable NACHA rules. You additionally acknowledge and agree that Cafe Health and the originating depository financial institution have the right to audit your compliance with the NACHA Rules and the terms of this provision with reasonable notice, during normal business hours.

Records Maintenance and Disposition. Cafe Health shall keep and archive records of information and data regarding you and your Plan(s) that it obtains in connection with the provision of Services hereunder (collectively "Service Records") for the longer of seven (7) years or the period required by applicable law.

Escheatment. You shall be solely responsible for compliance with all escheatment obligations.

Assignment. Neither of us may assign any of our rights and obligations in connection with the provision of Services without the prior written consent of the other, which consent shall not be unreasonably withheld. These General Terms and Conditions of Service shall be binding upon and shall inure to the benefit of a party's authorized successors and assigns.

Notices. All notices shall be made in writing and delivered (i) in person, (ii) by certified mail, return receipt requested, (iii) by traceable overnight delivery or (iv) by electronically confirmed facsimile or electronic mail, followed immediately by U.S. Mail c/o Café Health LLC 3015 E Weldon Ave Phoenix, AZ 85016, Attn: Legal Department, or to you at the address listed on the Order Form. A signed receipt shall be obtained where a notice is delivered in person. Notice will be effective upon delivery.

Force Majeure. Neither party shall be liable in any way for any delay or any failure of performance of a Service, or for any loss or damage related thereto, due to any cause beyond its reasonable control, including, without limitation, acts of nature, terrorism, civil unrest, war (whether declared or not) or the Government, earthquakes, fire, floods, degradation or disruption of any communication service not under a party's control, loss of electrical power, congestion, failure or other inability to access the Internet or disruption in the financial markets or the banking system.

Amendments. These General Terms and Conditions, as well as any Order Form or Funding Agreement, may only be amended in a writing signed by both parties. Notwithstanding the foregoing, Cafe Health may make non-material change to these General Terms and Conditions of Service at any time by posting revised General Terms and Conditions of Service at https://www.Cafe Health.com/employer/terms_conditions.htm. A non-material change is any modification that does not have an adverse impact on you or the Services provided hereunder. You are responsible for regularly reviewing this site to obtain timely notice of such amendments. You shall be deemed to accept the amended General Terms and Conditions of Service by your continued receipt of Services if you do not notify Cafe Health of your good faith objection within thirty (30) days after such amended terms and conditions have been posted. If Cafe Health does not agree to waive the amended terms and conditions to which you object, either party shall have the right to immediately terminate Services without penalty.

Waiver. Any waiver of any provision set forth herein, or any Order Form and/or Funding Agreement, shall be effective only if in writing and signed by both parties. Failure of either party to insist on performance of any term or condition, or to exercise any right or privilege, shall not be construed as a continuing or future waiver of such term, condition, right or privilege.

Governing Law. Any claims arising under or related to the provision of Services shall be governed by the laws of the State of Arizona, without regard to its conflicts of laws principles.

Severability. If any provision in these General Terms and Conditions of Service, an Order Form and/or Funding Agreement is held to be invalid or unenforceable, such provision shall be deemed deleted and the remaining provisions shall continue in full force and effect.

Entire Agreement. These General Terms and Conditions of Service and any related Order Form and/or Funding Agreement (if applicable) constitute the full and complete understanding and agreement of the parties relating to the subject matter hereof and supersede all prior understandings and agreements relating to such subject matter. In case of a conflict between these General Terms and Conditions of Service and an Order Form or Funding Agreement, the Order Form or Funding Agreement shall prevail. Any conflict between an Order Form and a Funding Agreement, the Funding Agreement shall prevail. In addition to the foregoing, these General Terms and Conditions of Service, and any Order Form and/or Funding Agreement, shall prevail over any additional or different provisions in any purchase order, acceptance notice, or other similar document issued by you, which provisions shall be of no force or effect.

Survival. The following Sections shall survive the termination of all Order Forms: Effect of Termination, Intellectual Property, Warranty, Indemnification, Limitation of Liability, Confidentiality, Privacy, Records Maintenance and Disposition, Escheatment, Notices, Governing Law, Disputes, Entire Agreement and Survival.

[V. 03/12/2020]

Business Associate Agreement

This Business Associate Agreement ("Agreement") is made and entered into by and between you, as our client, and Cafe Health, Inc. (and its subsidiaries), as your service provider, pursuant to the Service Agreement entered into by and between us on even date herewith. This Agreement is incorporated by reference into the Service Agreement, supersedes any prior Business Associate Agreement we have been party to and reflects the Omnibus HITECH Act Final Regulations as of January 25, 2013.

Definitions

Unless otherwise defined, terms used in this Agreement have the same meaning as those terms in the Standards for Privacy of Individually Identifiable Health Information or the HIPAA Security Standards ("HIPAA Privacy & Security Rules"), found at 45 CFR Parts 160-164.

"Agreement" means this Business Associate Agreement.

"Business Associate" means Cafe Health, Inc. and its subsidiaries.

"Covered Entity" means you.

"HITECH Act" means the HITECH Act of the American Recovery and Reinvestment Act of 2009 (Title XIII, Subtitle D of P.L. 111-5), enacted February 17, 2009 (codified at 42 USC § 17921 et seq.).

"Service Agreement" means the Order Form(s) and General Terms and Conditions of Service.

Obligations and Activities of Business Associate

Use or Disclosure of Protected Health Information. Business Associate agrees not to use or disclose Protected Health Information, other than as permitted or required by this Agreement or as required by Law. All data transmissions shall be encrypted.

Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

Duty to Mitigate. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

Duty to Report Violations. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware, including, where there is a breach of Protected Health Information, the identities of any individual whose Protected Health Information was breached and the data elements disclosed.

Agents. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.

Access to Secretary. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of Health and Human Services, for purposes of the Secretary determining Covered Entity's compliance with the HIPAA Privacy & Security Rules.

Access to Individuals. Business Associate agrees to provide individuals with access to their Protected Health Information, as held in a Designated Record Set by Business Associate, in order to meet the requirements under 45 CFR 164.524.

Amendment of Protected Health Information. Business Associate agrees to make any amendment(s) to Protected Health Information it holds in a Designated Record Set, as directed by the Covered Entity pursuant to 45 CFR 164.526.

Accounting of Disclosures. Business Associate agrees to document and provide a description of any disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. Business Associate agrees to provide such information to Covered Entity, or to an Individual at the direction of the Covered Entity, in order for Covered Entity to comply with the accounting requirements in 45 CFR 164.528.

Covered Entity's Right to Restrict. Business Associate agrees to comply, upon communication by Covered Entity, with any restrictions to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522.

HIPAA Security Standards.

Business Associate agrees to comply with the HIPAA Privacy & Security Rules with respect to any Electronic Protected Health Information that Business Associate holds on behalf of the Plan.

Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information to prevent use or disclosure of Protected Health Information other than as provided for by the Agreement.

Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required in the HIPAA Privacy & Security Rules.

Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect such information.

Business Associate agrees to report to Covered Entity any security incident under the HIPAA Privacy & Security Rules of which it becomes aware, including the identities of any individual whose Electronic Protected Health Information was breached.

Responsibilities If Security Breach

Business Associate shall notify Covered Entity immediately if there is a breach by either Business Associate or one of its agents of unsecured protected health information, as defined in, and consistent with, the HITECH Act and any regulations or guidance issued thereunder, including 45 CFR Part 164, Subpart D. Such notification shall:

Be made in writing to the Covered Entity's Privacy Officer.

Be made within ten (10) days of discovery.

Include the names of the individuals whose information was breached, the circumstances surrounding the breach, the date of the breach and date of discovery, the information breached, any steps the individuals should take to protect themselves, the steps Business Associate (or its agent) is taking to investigate the breach, mitigate losses, and protect against future breaches, and a contact person for more information.

If requested by Business Associate, Covered Entity shall allow Business Associate to approve the content of any notification in advance.

If requested by Covered Entity, Business Associate shall notify the individuals involved, or the media or the US Department of Health and Human Services, as applicable, in accordance with the HITECH Act, and regulations or guidance issued thereunder, including 45 CFR Part 164, Subpart D. For purposes of this provision, Business Associate is considered an independent contractor of Covered Entity.

Permitted Uses and Disclosures by Business Associate

Disclosures Generally. Except as otherwise provided in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Service Agreement, provided that such use or disclosure would not violate the HIPAA Privacy & Security Rules if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.

To Carry Out Covered Entity Obligations. To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

Management & Administration.

Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate, provided that disclosures are: (a) required by law or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it is disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

Data Aggregation & De-Identification. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity or to de-identify Protected Health Information. Once information is de-identified this Business Associate Agreement shall not apply.

Required By Law. Business Associate may use or disclose Protected Health Information as required by law.

Term and Termination

Term. This Agreement shall remain in effect for the term of the applicable Service Agreement. Upon termination of the Service Agreement, Business Associate will retain no copies of the Protected Health Information and will return or destroy the same. If such return or destruction is not feasible, Business Associate will continue to extend the protections afforded to Protected Health Information hereunder. This provision also applies to Protected Health Information that is in the possession of subcontractors or agents of Business Associate.

Termination for Cause. Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity is authorized to terminate this Agreement and the Service Agreement.

Survival. The rights and obligations of Business Associate under this Agreement will survive the termination of this Agreement.

Miscellaneous

Compliance with Laws and Regulations. The HITECH Act requires federal agencies to establish rules and regulations regarding the privacy and security of Protected Health Information. Business Associate will ensure that its privacy and security procedures are compliant with the HITECH Act and any rules and regulations issued thereunder with respect to Covered Entity's Protected Health Information. The parties agree to amend this Agreement to comply with applicable requirements of the HITECH Act, where necessary.

Relationship of Parties. The parties intend that Business Associate is an independent contractor and not an agent of Covered Entity.