Business Associate Agreement
Effective August 9, 2024
This Agreement is designed to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, as well as any other applicable federal and state laws. The purpose of this Agreement is to establish the terms and conditions under which MindMetrix (Business Associate) will handle, use, and safeguard Protected Health Information (PHI) received from, or created or received by MindMetrix on behalf of the Covered Entity.
WHEREAS, in the performance of a license agreement entered into between Business Associate and Covered Entity, Business Associate may receive protected health information, as defined by 45 C.F.R. §160.103, from or on behalf of Covered Entity, which includes electronic protected health information, as defined by 45 C.F.R. §160.103 (each, an “Underlying Agreement”); and
WHEREAS, Covered Entity and Business Associate desire to enter into this Agreement to comply with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act and its implementing regulations (the “HITECH Act”) (collectively the “Requirements”).
NOW, THEREFORE, in consideration of the premises and the mutual covenants and agreements contained in this Agreement, and in order to provide the services in accordance thereto, it is hereby further agreed as follows:
1. DEFINITIONS:
1.1. “BA Agents” shall mean any and all of Business Associate’s employees, subcontractors, and agents (determined in accordance with the federal common law of agency).
1.2. “Notice of Privacy Practices” or “NPP” shall mean any notice of privacy practices developed by Covered Entity under 45 C.F.R. § 164.520.
1.3. “Privacy Officer” shall mean any person designated in writing by Covered Entity as its privacy officer.
1.4. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
1.5. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity. For purposes of this Agreement, all references to Protected Health Information or PHI shall also be deemed to include electronic versions of the same (i.e. electronic PHI).
1.6. “Security Rule” shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
1.7. Catch-All Definition. Any other terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Requirements.
2. OBLIGATIONS OF BUSINESS ASSOCIATE:
2.1. Compliance Term. Business Associate shall comply with the terms of this Agreement and the Business Associate requirements of the Privacy Rule, the components of the HITECH Act relating to privacy, and the provisions of the NPP that affect Business Associate’s use or disclosure of PHI of which it has been specifically informed in writing in accordance with Section 4.1, throughout the Term of this Agreement.
2.2. Safeguards and Security Guidelines. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate will develop, implement, maintain and use appropriate administrative, technical and physical safeguards to preserve the integrity, availability and confidentiality of PHI and to prevent non-permitted or violating uses or disclosures of PHI or reasonably anticipated threats of such uses or disclosures, in accordance with 45 C.F.R. § 164.306.
2.3. Breach. Business Associate shall notify Covered Entity in writing following the discovery of any Breach, including (i) any and all Breaches of unsecured PHI, and/or (ii) any and all access, use or disclosure of PHI not permitted by this Agreement. Business Associate shall provide said notification to Covered Entity without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a Breach unless otherwise provided by law.
2.4. Reports. Business Associate shall report to Covered Entity, in writing, any Breach of PHI that is not permitted by this Agreement, permitted by the Privacy Rule, or Required by Law of which it becomes aware, including but not limited to any Security Incident, by contacting Covered Entity’s Privacy Officer. Such report shall be made as soon as possible, but in no event more than twenty (20) business days after discovery by Business Associate of such Breach. Where feasible, each such report will (i) identify the nature of the Breach; (ii) identify the PHI used or disclosed; (iii) identify who was responsible for the Breach; (iv) identify who discovered the Breach; (v) identify what corrective action Business Associate took or will take to prevent further Breaches; (vi) identify what Business Associate did or will do to mitigate any deleterious effect of the Breach; and (vii) provide such other information as Covered Entity may reasonably request. Since the definition of a security incident under the Security Rule includes attempted unauthorized access, use, disclosure, modification or destruction of information, Covered Entity needs to have notice of attempts to bypass electronic security mechanisms. Business Associate and Covered Entity recognize and agree that the significant number of meaningless attempts to, without authorization, access, use, disclose, modify or destroy PHI will make a real-time reporting requirement formidable for Business Associate. 
Therefore, Business Associate and Covered Entity agree that this paragraph constitutes notice of Security Incidents that are not successful in accessing or disrupting PHI which shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above with respect to Business Associate’s information systems, unless such incident appears to be an attempt to obtain unauthorized access, use or disclosure of Covered Entity’s electronic PHI.
2.5. Accounting of Disclosures and Audits.
2.5.1. Documentation of Use/Disclosure. Business Associate shall document, maintain, and provide to Covered Entity or an Individual, in a reasonable time and manner specified by Covered Entity, information collected in accordance with Section 3 of this Agreement and disclosures by Business Associate and BA Agents of PHI and information related to such disclosure, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
2.5.2. Audit. Business Associate hereby agrees to make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary or his or her agents, in a time and manner designated by the Secretary or his or her agents for purposes of the Secretary or his or her agents determining compliance with the Privacy Rule.
2.6. Responsibilities of Business Associate with Respect to Handling of Designated Record Set.
2.6.1. Access to PHI in a Designated Record Set. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall provide access, at the request of Covered Entity, and in a time and manner specified by Covered Entity, to PHI to Covered Entity, or, as directed by Covered Entity, to an Individual, in order to meet the requirements of 45 C.F.R. § 164.524. If Covered Entity maintains the requested records, Covered Entity, rather than Business Associate, shall permit access according to its policies and procedures implementing the Privacy Rule. This provision does not apply if Business Associate and BA Agents do not maintain PHI from a Designated Record Set of Covered Entity.
2.6.2. Amendments to PHI in a Designated Record Set. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make, upon written request from Covered Entity, any amendments to PHI that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in a reasonable time and manner specified by Covered Entity. Business Associate agrees that it will accommodate an individual’s request to amend his/her PHI only in conjunction with a determination by Covered Entity that the amendment is appropriate according to 45 C.F.R. § 164.526. This provision does not apply if Business Associate and BA Agents do not maintain PHI from a Designated Record Set of Covered Entity.
3. PERMITTED USES AND DISCLOSURES OF PHI:
3.1. General Use and Disclosure Provisions.
3.1.1. Use and Disclosure. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law, or as otherwise authorized by Covered Entity. To the extent Business Associate carries out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
3.1.2. BA Agents. Business Associate may only release or disclose PHI to BA Agents as necessary to fulfill the Business Associate’s obligations on behalf of Covered Entity. Business Associate shall ensure that any BA Agent that creates, maintains, receives or transmits PHI agrees to comply with the same restrictions, terms and conditions that apply to Business Associate as set out in this Agreement.
3.1.3. Minimum Necessary. Business Associate hereby agrees that with respect to the use, disclosure, or request of PHI, Business Associate shall limit such PHI, to the extent practicable, to the Limited Data Set, or, if needed by Business Associate, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, except as otherwise provided in 45 C.F.R. § 164.502(b)(2).
3.2. Specific Use and Disclosure Provisions.
3.2.1. Management and Administration. Except as otherwise limited in this Agreement or any Underlying Agreement(s), if necessary, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Except as otherwise limited in this Agreement or any other agreement between Business Associate and Covered Entity, Business Associate may disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that (1) disclosures are Required By Law, or (2) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.2.2. Data Aggregation. Except as otherwise limited in this Agreement or any other agreement between Business Associate and Covered Entity, Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
3.2.3. De-identification. Business Associate may create de-identified PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use, retain and disclose such de-identified data to the extent not prohibited by HIPAA.
4. OBLIGATIONS OF COVERED ENTITY:
4.1. Notice of Privacy Practices. If Covered Entity’s NPP specifically affects Business Associate’s use or disclosure of PHI, Covered Entity shall inform Business Associate of the specific limitations. Any use or disclosure permitted by this Agreement may be amended by changes to Covered Entity’s NPP if Covered Entity specifically informs Business Associate of the amendment and provides Business Associate with written copies of such amendment; provided, however, that the amended NPP shall not affect permitted uses and disclosures on which Business Associate relied prior to receiving notice of such amended NPP.
4.2. Changes in Permission to Use and Disclose PHI. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
4.3. Restrictions to Use or Disclosure of PHI. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
4.4. Responsibilities of Covered Entity with Respect to Handling of Designated Record Set.
4.4.1. Access Notification. Covered Entity shall notify the Business Associate, in writing, of any PHI that Covered Entity seeks to make available to an Individual pursuant to 45 C.F.R. § 164.524 and the time, manner and form in which the Business Associate shall provide such access.
4.4.2. Amendment Notification. Covered Entity shall notify the Business Associate, in writing, of any amendment(s) to the PHI in the possession of the Business Associate that the Business Associate shall make, and inform the Business Associate of the time, manner and form in which such amendment(s) shall be made.
4.4.3. Provision of Policies. If Business Associate maintains a Designated Record Set, Covered Entity shall provide the Business Associate with a copy of its policies and procedures related to an Individual’s right to access PHI, request an amendment to PHI, request confidential communications of PHI, or request an accounting of disclosures of PHI.
4.5. Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as provided under Section 3 of this Agreement.
5. TERM AND TERMINATION:
5.1. Term. The “Term” of this Agreement shall commence as of the Effective Date and shall continue until terminated in accordance with this Section 5, or until the final Underlying Agreement between Covered Entity and Business Associate has expired or terminated and all PHI is destroyed or returned to Covered Entity.
5.2. Termination for Cause. Upon a Party’s (the “Non-Breaching Party”) determination of a material breach by the other Party (the “Breaching Party”) under this Agreement, the Non-Breaching Party may report any material breach if Required by Law and shall take the following actions:
5.2.1. Notice. Give the Breaching Party written notice of such breach, and at the Non-Breaching Party’s sole discretion may provide the Breaching Party an opportunity to cure upon mutually agreeable terms. If the Breaching Party does not cure the breach or end the violation according to such terms, or if the Parties are unable to agree upon such terms, the Non-Breaching Party may immediately terminate this Agreement.
5.2.2. Report Violation. If neither termination nor cure is feasible, the Non-Breaching Party may report the violation to the Secretary.
5.3. Termination by Business Associate. If the Business Associate makes the determination that a material condition of performance has changed under any Underlying Agreement or this Agreement, or that Covered Entity breached a material term of this Agreement, Business Associate may provide thirty (30) days’ notice of its intention to terminate this Agreement and any Underlying Agreement.
5.4. Effect of Termination.
5.4.1. Obligation upon Termination. Except as provided in this Section 5.4, upon completion of the functions performed on behalf of Covered Entity, or where PHI is no longer necessary to perform such functions or upon termination of this Agreement, for any reason, Business Associate shall, and shall cause BA Agents to, return all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall retain no copies of the PHI. Upon mutual agreement, Business Associate shall destroy such PHI instead of returning it. For purposes of the foregoing sentence, “destroy” shall mean to destroy or erase all copies, electronic files, or media containing PHI so that the PHI cannot be read or reconstructed.
5.4.2. Return Not Feasible. In the event that Business Associate determines that returning or destroying the PHI is not feasible, Business Associate shall provide to Covered Entity notification in writing of the conditions that make return or destruction not feasible. In such an event, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction not feasible, for so long as Business Associate retains such PHI.
5.4.3. Survival. Business Associate’s obligation to protect the privacy of PHI is continuous and survives any termination, cancellation, expiration or other conclusion of this Agreement or any other agreement between Covered Entity and Business Associate.
6. MISCELLANEOUS PROVISIONS:
6.1. Regulatory References. A reference in this Agreement to a section in the Requirements means the section as in effect or as amended, and all other references to specific statutes, codes or regulations shall be deemed to be references to those statutes, codes or regulations as may be amended from time to time.
6.2. Amendments. This Agreement may not be amended in any manner except by an instrument in writing signed by duly authorized officers of Covered Entity and Business Associate. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the Requirements and other applicable laws.
6.3. Survival. The respective rights and obligations of Business Associate under Sections 2.2, 2.3, 2.6 and 4.5 of this Agreement shall survive the termination of this Agreement. Section 6 shall survive expiration or termination of this Agreement.
6.4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the Privacy Rule.
6.5. No Third-Party Beneficiaries. Nothing in this Agreement shall be construed as conferring any right or benefit on a person not a party to this Agreement nor imposing any obligations on either Party hereto to persons not a party to this Agreement and neither Party shall make any representations to any person to the contrary. Business Associate and Covered Entity agree that Individuals who are the subject of PHI are not third-party beneficiaries of this Agreement.
6.6. Notices. Notices under this Agreement shall be in writing and shall be deemed given when (i) delivered personally; (ii) on the date sent by facsimile or e-mail; (iii) three (3) business days after the date sent by certified mail, postage prepaid with return receipt requested; or (iv) upon written confirmation of delivery by recognized international carrier sent by overnight service. All notices shall be addressed to the Parties as specified in the preamble or otherwise specified in writing by the Parties.
6.7. Governing Law and Venue. This Agreement and the obligations and rights of Covered Entity and Business Associate hereunder shall in all respects be governed by and construed, interpreted and enforced in accordance with the laws of the State of Minnesota, without regard to Minnesota’s applicable conflict or choice of laws principles, or any federal law expressly referenced herein. Any action arising out of or relating to this Agreement will be venued in a state or federal court situated in Hennepin County, Minnesota, and both Parties hereby irrevocably consent and submit themselves to the personal jurisdiction of said courts for that purpose.
6.8. Assignment of Rights and Delegation of Duties. This Agreement is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns. However, neither Party may assign any of its rights or delegate any of its obligations under this Agreement without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed. Assignments made in violation of this provision are null and void.
6.9. Severability. Should any provision of this Agreement be held invalid or unenforceable, such invalidity will not invalidate the whole of this Agreement, but rather that invalid provision will be amended to achieve as nearly as possible the same effect as the original provision and the Agreement will remain in full force and effect.
6.10. No Implied Waiver. No term, provision or condition of this Agreement shall be deemed waived and no breach excused unless the waiver or consent shall be in writing executed by a duly authorized representative of the Party to be bound thereby and which expressly states that the writing’s purpose is to waive a term, provision or condition of this Agreement. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. Any express waiver by either Party shall not constitute consent to, waiver of, or excuse for any different or subsequent breach.
6.11. Entire Agreement. This Agreement constitutes the entire agreement and understanding among the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, inducements and conditions expressed or implied, oral or written, of any nature whatsoever with respect to the subject matter hereof, except as expressly set forth in an Underlying Agreement.
6.12. Counsel Review. This Agreement represents the actual and intended agreement of the Parties hereto and shall not be construed against any Party as a result of its role or the role of its counsel in preparing this Agreement. Each Party acknowledges that it has had the opportunity to be represented by counsel and to have the terms of this Agreement reviewed by counsel.
Both parties (MindMetrix and Covered Entity) agree to abide by the terms and conditions set forth in this Agreement.