PRIVACY AND SECURITY ADDENDUM TO THE RESELLER AGREEMENT

This Privacy and Security Addendum (the “Addendum”) supplements the terms and conditions set forth in the Reseller Agreement (including any Product Addenda) pursuant to which Reseller resells Products to its Reseller Customers. Collectively, this Addendum, the Reseller Agreement and any Product Addenda are referred to as the “Agreement.”

This Addendum shall be applicable only in the event and to the extent that:

(a)  Reseller or a Reseller Customer is a “Covered Entity” as defined in 45 CFR §160.103; EVault is, with respect to Reseller or a Reseller Customer, a “Business Associate” as defined in 45 CFR §160.103; and EVault receives PHI (as defined below) from Reseller or a Reseller Customer; and/or

(b)  EVault receives Nonpublic Personal Information, Member Information and/or Consumer Information (each as defined below) from Reseller or a Reseller Customer; and/or

(c)  EVault receives MA Personal Information (as defined below) from Reseller or a Reseller Customer.

1.   DEFINITIONS. Capitalized terms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in the Reseller Agreement or applicable Product Addenda.

“Breach”, as it relates to information, has the same meaning as the term “breach” in Section 13400 of the HITECH Act.

“Consumer Information” has the same meaning as the term “consumer information” in the NCUA Regulation.

“Designated Record Set” has the same meaning as the term “designated record set” in 45 CFR §164.501.

“Electronic PHI” has the same meaning as the term “electronic protected health information” in 45 CFR §160.103, limited to the information created or received by EVault from or on behalf of Reseller or a Reseller Customer.

“Gramm-Leach-Bliley Act” means the Financial Services Modernization Act of 1999, 15 USC §6801.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, as each may be amended from time to time.

“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act of 2009.

“Individual” has the same meaning as the term “individual” in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).

“MA Personal Information” has the same meaning as the term “Personal Information” in the Massachusetts Personal Information Protection Law.

“Massachusetts Personal Information Protection Law” means 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth.

“Member Information” has the same meaning as the term “member information” in the NCUA Regulation.

“NCUA Regulation” means that regulation of the National Credit Union Administration found at 12 CFR Part 748.

“Nonpublic Personal Information” has the same meaning as the term “nonpublic personal information” in 15 USC Subchapter 1 §6809.

“NPI” has the meaning set forth in Section 3 below.

“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.

“PHI” has the same meaning as the term “protected health information” in 45 CFR §160.103, limited to the information created or received by EVault from or on behalf of Reseller or a Reseller Customer.

“Required By Law” has the same meaning as the term “required by law” in 45 CFR §164.103.

“Secretary” means the Secretary of the Department of Health and Human Services or his designee.

“Security Rule” means the Security Standards at 45 CFR Part 160 and Part 164.

“Unsecured PHI” has the same meaning as the term “unsecured protected health information” in Section 13402(h) of the HITECH Act.

2.   BUSINESS ASSOCIATE AGREEMENT UNDER HIPAA. Effective February 17, 2010, this Section 2 applies to the extent that (a) Reseller or a Reseller Customer is a “Covered Entity” as defined in 45 CFR §160.103; (b) EVault is, with respect to Reseller or a Reseller Customer, a “Business Associate” as defined in 45 CFR §160.103; and (c) EVault receives PHI from Reseller or a Reseller Customer.

2.1  Obligations and Activities Of Business Associate. As a Business Associate, EVault shall have the following obligations:

(a)  EVault agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required By Law. Except as otherwise limited in this Agreement, EVault may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Reseller or a Reseller Customer as specified in this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Reseller or a Reseller Customer or the minimum necessary policies and procedures of Reseller or a Reseller Customer of which EVault has been informed.

(b)  EVault agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement, including the implementation of administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by the Security Rule.

(c)  EVault agrees to mitigate, to the extent practicable, any harmful effect that is known to EVault of a use or disclosure of PHI by EVault in violation of the requirements of this Agreement.

(d)  EVault agrees to report to Reseller any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware. Further, EVault agrees to notify Reseller of any Breach of Unsecured PHI of which it becomes aware and otherwise comply with the notification requirements set forth in Section 13402 of the HITECH Act.

(e)  EVault agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by EVault on behalf of, Reseller or a Reseller Customer agrees to the same restrictions and conditions that apply through this Agreement to EVault with respect to such information.

(f)   EVault agrees to make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by EVault on behalf of, Reseller available to the Secretary, at a reasonable time designated by the Secretary, for purposes of the Secretary determining Reseller or a Reseller Customer's compliance with the Privacy Rule.

(g)  EVault agrees to document such disclosures of PHI and information related to such disclosures as would be required for Reseller to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.

(h)  EVault agrees to provide to Reseller or an Individual, in time and manner agreed by the parties, information collected in accordance with Section 2.1(g) of this Addendum, to permit Reseller to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.

(i)   EVault agrees not to exchange any PHI of an Individual for remuneration except as permitted in Section 13405(d)(2) of the HITECH Act.

(j)   EVault and Reseller agree that EVault does not receive or maintain PHI from Reseller or a Reseller Customer in a Designated Record Set, and EVault has no ability to provide access to or amend same.

If, in the performance of its obligations set forth in Sections 2.1(f) through 2.1(h) above, EVault expends time and materials, EVault will provide Reseller with an estimate of the fee for such time and materials. Following agreement by the parties as to such fees, EVault will invoice Reseller, and Reseller shall pay EVault such fees in accordance with the payment terms set forth in this Agreement.

Except as otherwise limited in this Agreement, EVault may (i) use PHI for the proper management and administration of EVault or to carry out the legal responsibilities of EVault, and (ii) disclose PHI for the proper management and administration of EVault, provided that disclosures are required by law, or EVault obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies EVault of any instances of which it is aware in which the confidentiality of the information has been breached.

2.2  Obligations of Covered Entity. Reseller shall have the following obligations:

(a)  Reseller shall use the encryption features in the Products, and ensure that any Reseller Customers use the encryption features in the Products, to encrypt any and all PHI that is provided to EVault. In addition to the indemnification obligations set forth in Section 8.2 of the Reseller Agreement, Reseller shall defend and indemnify EVault from and against any damages and costs arising from or relating to the failure of Reseller or a Reseller Customer to encrypt the PHI.

(b)  Reseller shall notify EVault of any limitation(s) in the notice of privacy practices of Reseller or a Reseller Customer in accordance with 45 CFR §164.520, to the extent that such limitation may affect EVault's use or disclosure of PHI.

(c)  Reseller shall notify EVault of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect EVault's use or disclosure of PHI.

(d)  Reseller shall notify EVault of any restriction to the use or disclosure of PHI that Reseller or a Reseller Customer has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect EVault's use or disclosure of PHI.

(e)  Reseller shall not request EVault to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Reseller or a Reseller Customer.

(f)   Reseller represents and warrants that it has the right and authority to provide PHI to EVault for EVault to perform its obligations and provide services to Reseller and Reseller Customers and that EVault’s storage and use of any PHI in providing services to Reseller and Reseller Customers is permitted under Reseller’s and Reseller Customer’s privacy policy and applicable law.

2.3  Term and Termination

(a)  Term. The term of this Addendum shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Reseller or a Reseller Customer to EVault, or created or received by EVault on behalf of Reseller or a Reseller Customer, is destroyed or returned to Reseller, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.

(b)  Termination for Cause. In addition to any termination rights set forth in the Reseller Agreement, including the Product Addenda, if EVault materially breaches this Addendum, Reseller may terminate this Addendum and this Agreement if EVault fails to cure such breach within thirty (30) days after receiving written notice of such breach or immediately terminate this Addendum and this Agreement if cure is not possible.

(c)  Effect of Termination.

(i)   Except as provided in Section 2.3(c)(ii) below, upon termination of this Addendum, for any reason, EVault shall return or destroy all PHI received from Reseller or a Reseller Customer, or created or received by EVault on behalf of Reseller or a Reseller Customer in accordance with the terms of this Agreement. This provision shall apply to PHI that is in the possession of subcontractors or agents of EVault. EVault shall retain no copies of the PHI.

(ii)   In the event that EVault determines that returning or destroying the PHI is infeasible, EVault shall provide to Reseller notification of the conditions that make return or destruction infeasible. If the return or destruction of PHI is infeasible, EVault shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as EVault maintains such PHI.

(d)  Termination Upon Change In Law. If the Secretary provides guidance, clarification or interpretation of HIPAA or the HITECH Act or there is a change in HIPAA or the HITECH Act such that the service relationship between EVault and Reseller is not considered a Business Associate relationship as defined in HIPAA, this Addendum shall terminate and be null and void.

2.4  Miscellaneous

(a)  Regulatory References. A reference in this Agreement to a section in a regulation means the section as in effect or as amended.

(b)  Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Reseller to comply with the requirements of HIPAA.

(c)  Survival. The respective rights and obligations of EVault under Section 2.3(c) of this Addendum shall survive the termination of this Agreement.

(d)  Interpretation. Any ambiguity in this Addendum shall be resolved to permit Reseller to comply with HIPAA.

3.   GRAMM-LEACH-BLILEY ACT AND NCUA REGULATION. This Section 3 applies to the extent that EVault receives Nonpublic Personal Information, Member Information and/or Consumer Information from Reseller or a Reseller Customer (collectively, “NPI”).

3.1  Nonpublic Personal Information. NPI is deemed to be Confidential Information of Reseller under the Reseller Agreement, if applicable. Notwithstanding anything to the contrary contained in the Reseller Agreement, NPI will be subject to the confidentiality terms of the Reseller Agreement indefinitely.

3.2  Information Security Program. EVault shall implement and maintain an information security program designed to: (a) ensure the security and confidentiality of NPI; (b) protect against any anticipated threats or hazards to the security or integrity of NPI; (c) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer of Reseller or a Reseller Customer; and (d) ensure the proper disposal of NPI. EVault will adjust its information security program as necessary, due to changes in technology, changes in the sensitivity of the information Reseller or Reseller Customers maintain or have access to, or changes in law or regulation, during the term of this Agreement. Upon request, EVault will provide to Reseller any available summaries of policies, test results or other information to document the efforts by EVault to implement an information security program designed to meet the objectives of the regulations.

3.3  Encryption. Reseller shall use the encryption features in the Products, and ensure that any Reseller Customers use the encryption features in the Products, to encrypt any and all NPI that is provided to EVault. In addition to the indemnification obligations set forth in Section 8.2 of the Reseller Agreement, Reseller shall defend and indemnify EVault from and against any damages and costs arising from or relating to the failure of Reseller or a Reseller Customer to encrypt the NPI.

4.   MASSACHUSETTS STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH. This Section 4 applies to the extent that EVault receives MA Personal Information from Reseller or a Reseller Customer.

4.1  MA Personal Information. MA Personal Information is deemed to be Confidential Information of Reseller under the Reseller Agreement, if applicable. Notwithstanding anything to the contrary contained in the Reseller Agreement, MA Personal Information will be subject to the confidentiality terms of the Reseller Agreement.

4.2  Use of MA Personal Information and Appropriate Security Measures. EVault shall implement and maintain appropriate security measures, in accordance with the Massachusetts Personal Information Protection Law, for the protection of MA Personal Information. Further, all use by EVault of MA Personal Information shall be in accordance with the Massachusetts Personal Information Protection Law.

4.3  Encryption. Reseller shall use the encryption features in the Products, and ensure that any Reseller Customers use the encryption features in the Products, to encrypt any and all MA Personal Information that is provided to EVault. In addition to the indemnification obligations set forth in Section 8.2 of the Reseller Agreement, Reseller shall defend and indemnify EVault from and against any damages and costs arising from or relating to the failure of Reseller or a Reseller Customer to encrypt the MA Personal Information.

Version B12-20-11