A TRUE COPY
<br />CERTIFICATION ON LAST PAGE
<br />RYAN L. BUTLER, CLERK
<br />16. Indemnification. Limitation of Liability. Each party to this Agreement hereby agrees to indemnify,
<br />defend, and hold harmless the other party (including, but not limited to, its directors, employees, officers, and agents) from
<br />and against any and all claims, causes of action, liabilities, damages, costs, or expenses (including, but not limited to,
<br />attorneys' fees) incurred by the party as a result of the other party's (or any party acting by or through the party) gross
<br />negligence or willful misconduct or failure to perform any of its duties or obligations under this Agreement. Notwithstanding
<br />anything herein to the contrary, (i) in no event will either party be liable to the other party under contract, tort, or any other
<br />legal theories for incidental, consequential, indirect, punitive, exemplary or special losses or damages of any kind, regardless
<br />of the nature of the claim, including, without limitation, loss of revenue, loss of profits, loss of goodwill, and loss of data;
<br />and (ii) either party's total aggregate liability in connection with this Agreement shall be subject to any limitation of liability
<br />provisions in the Underlying Agreement and in no event shall exceed the following amounts: (a) if the Company has less
<br />than 1,500 Members as of this Agreement's Effective Date, the amount equal to the Transaction Fees and Program Fees
<br />paid by the Company to the Business Associate in the most recently completed Plan year; (b) if the Company has between
<br />1,500 and 5,000 Members as of this Agreement's Effective Date, the amount equal to two times the Transaction Fees and
<br />Program Fees paid by the Company to the Business Associate in the most recently completed Plan year; or (c) if the
<br />Company has more than 5,000 Members as of this Agreement's Effective Date, the amount equal to three times the
<br />Transaction Fees and Program Fees paid by the Company to the Business Associate in the most recently completed Plan
<br />year. This Section 16 shall survive termination or expiration of this Agreement.
<br />17. Security. The Business Associate shall:
<br />(a) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect
<br />the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives,
<br />maintains, or transmits on behalf of the Company as required by the Regulations;
<br />(b) Ensure that any agent, including any subcontractor, to whom the Business Associate provides such
<br />Electronic Protected Health Information agrees in writing to implement reasonable and appropriate safeguards to protect it;
<br />(c) Report to the Company any security incident of which the Business Associate becomes aware; provided
<br />that the parties acknowledge that probes and reconnaissance scans are commonplace in electronic information systems and
<br />the parties therefore acknowledge and agree that, to the extent such probes and reconnaissance scans constitute security
<br />incidents under the Security Rule, this Section 17(c) constitutes notice to the Company of the ongoing existence and
<br />occurrence of such security incidents for which no additional notice shall be required. Probes and reconnaissance scans
<br />include, without limitation, pings and other broadcast attacks on the Business Associate's firewall, port scans, and
<br />unsuccessful log-on attempts, as long as such probes and reconnaissance scans do not result in unauthorized Use or Disclosure
<br />of PHI;
<br />(d) Make its policies and procedures and documentation required by the Regulations relating to such
<br />administrative, physical, and technical safeguards, available to the Secretary of HHS for purposes of determining the
<br />Company's compliance with the Regulations;
<br />(e) Acknowledge its obligation to comply with the Security Regulations in using and disclosing Electronic
<br />Protected Health Information, including but not limited to 45 C.F.R. §§ 164.308 (Administrative safeguards), 164.310
<br />(Physical safeguards), 164.312 (Technical safeguards), and 164.316 (Policies and procedures and documentation
<br />requirements) of the Security Regulations.
<br />(f) Notify the Company in writing within fifteen (15) business days after discovery of a breach, as that term
<br />is defined at 45 C.F.R. § 164.402, of which Business Associate becomes aware. Business Associate shall also promptly
<br />provide Company such other information required to be provided to individuals under 45 C.F.R. § 164.404(c) as it becomes
<br />available after such breach.
<br />18. Offshore Access to PHI. Business Associate agrees that no PHI may be maintained, stored, or transmitted
<br />outside of the United States by Business Associate or its subcontractors, but Business Associate and its subcontractors may
<br />access PHI from locations outside of the United States. The provisions of this Agreement shall apply completely and without
<br />exception to such accesses of PHI outside of the United States.
<br />NOT FOR DISTRIBUTION. THE INFORMATION CONTAINED HEREIN IS CONFIDENTIAL, PROPRIETARY AND
<br />CONSTITUTES TRADE SECRETS OF ESI AND RXBENEFITS