HIPAA Business Associate Addendum

This HIPAA Business Association Addendum (this "HIPAA Addendum") is an addendum to the General Terms and Conditions. This HIPAA Addendum defines the rights and responsibilities of each of us with respect to Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, as each may be amended from time to time (collectively, "HIPAA"). This HIPAA Addendum shall be applicable only in the event and to the extent ClearData meets, with respect to you, the definition of a Business Associate set forth at 45 C.F.R. ?160.103, or applicable successor provisions.

1. Defined Terms. For the purposes of this HIPAA Addendum, capitalized terms shall have the following meanings:

"Agreement" shall mean the Service Description, the General Terms and Conditions, the Product Terms and Conditions, any ClearData Addendum to the General Terms and Conditions (including this HIPAA Addendum), and the AUP, collectively, as each of those terms is defined in the General Terms and Conditions.

"Business Associate" shall mean ClearData Networks, Inc.

"CFR" shall mean the Code of Federal Regulations.

"individual" shall have the same meaning as the term in 45 CFR ?164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR ?164.502(g).

"Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

"Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR ?164.501, limited to the information received by Business Associate from or on behalf of Customer.

"Required By Law" shall have the same meaning as the term "required by law" in 45 CFR ? 164.501.

"Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee.

2. Obligations and Activities of Business Associate.

(a) Business Associate shall not use or disclose Protected Health Information other than as permitted or required by this HIPAA Addendum or as permitted or Required by Law.

(b) Business Associate agrees to provide those physical, technical, and administrative safeguards described in the General Terms and Conditions and the other parts of the Agreement including those safeguards selected by you and described in the Service Description. You acknowledge that you are solely responsible for selecting appropriate safeguards as required to comply with the Privacy Rule.

(c) Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate or its agents or subcontractors in violation of the requirements of this HIPAA Addendum.

(d) Business Associate agrees to report to you any impermissible acquisition, access, use or disclosure of Protected Health Information of which it becomes aware without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of the acquisition, access, use or disclosure.

(e) Business Associate agrees to obtain from any agent, including a subcontractor to whom it provides Protected Health Information, reasonable assurances that it will adhere to the same restrictions and conditions that apply to Business Associate under this HIPAA Addendum with respect to such information.

(f) All Protected Health Information maintained by Business Associate for you will be available to you in a time and manner that reasonably allows you to comply with the requirements under 45 CFR ? 164.524. Business Associate shall not be obligated to provide any such information directly to any Individual or person other than you.

(g) All Protected Health Information and other information maintained by Business Associate for you will be available to you in a time and manner that reasonably allows you to comply with the requirements under 45 CFR ? 164.526.

(h) Business Associate agrees to make internal practices, books, and records available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary's determining your compliance with the Privacy Rule; provided, however, that time incurred by Business Associate in complying with any such request that exceeds its normal customer service parameters shall be charged to you at Business Associate's then current standard hourly rate for Supplemental Services.

(i) You acknowledge that Business Associate is not required by this HIPAA Addendum to make disclosures of Protected Health Information to Individuals or any person other than you, and that Business Associate does not, therefore, expect to maintain documentation of such disclosure as described in 45 CFR ? 164.528. In the event that Business Associate does make such disclosure, it shall document the disclosure as would be required for you to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR ?164.528, and shall provide such documentation to you promptly on your request.

3. Permitted Uses and Disclosures by Business Associate. Except as otherwise limited in this HIPAA Addendum or other portion of the Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, you as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by you.

4. Specific Use and Disclosure Provisions. Except as otherwise limited in this HIPAA Addendum or other portion of the Agreement, Business Associate may:

(a) use Protected Health Information for the proper management and administration of Business Associate or to carry out its legal responsibilities;

(b) disclose Protected Health Information for the proper management and administration of Business Associate, provided that disclosures are (i) Required By Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and

(c) use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with ?164.502(j)(1).

5. Your Obligations. You shall notify Business Associate of:

(a) any limitations(s) in your notice of privacy practices in accordance with 45 CFR ? 164.520 to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information;

(b) any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information; and

(c) any restriction to the use or disclosure of Protected Health Information that you have agreed to in accordance with 45 CFR ? 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

You agree that you will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by you.

6. Term and Termination.

(a) The term of this HIPAA Addendum shall continue for the term of the Agreement and following termination of the Agreement until all Protected Health Information is destroyed or returned to you or your designee.

(b) Breach of this HIPAA Addendum shall be a material breach of this Agreement giving rise to a right of termination under the Master Services Agreement.

(c) Upon termination of the Agreement for any reason Business Associate shall destroy all Protected Health Information. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate as well as Business Associate itself. Business Associate shall retain no copies of the Protected Health Information. In the event that Business Associate determines that destroying the Protected Health Information is infeasible, Business Associate shall promptly provide you notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the destruction infeasible, for so long as Business Associate maintains such Protected Health Information. You shall bear the cost of storage of such Protected Health Information for as long as storage by Business Associate is required. This Section does not require Business Associate to segregate any Protected Health Information from other information maintained by you on Business Associate's servers and Business Associate may comply with this requirement by returning or destroying all of the information maintained on its servers by you.

7. Miscellaneous.

(a) Amendment. Each of us agrees to take such action as is reasonably necessary to amend this HIPAA Addendum from time to time as is necessary for you to comply with the requirements of HIPAA as they may be amended from time to time; provided, however, that if such an amendment would materially increase the cost of Business Associate providing service under the Agreement, Business Associate shall have the option to terminate the Agreement on thirty (30) days advance notice.

(b) Survival. Our respective rights and obligations under this HIPAA Addendum shall survive the termination of the Agreement.

(c) Interpretation. Any ambiguity in the Agreement shall be resolved to permit you to comply with HIPAA and the Privacy Rule.