ACA Track - Bentek - PSST, Inc.
ACA-Track™ Reporting Only &
Employee Notification Options Order Form
Client Name: City of Sebastian
Client Address:
Contact Name: Contact E-mail:
Contact Phone Number:
Anticipated* Employee Count: 100
*Counts may be reconciled for billing purposes upon completion of reporting.
Required IRS Electronic Reporting:
IRS Electronic Reporting, PDF with employee 1095 Forms - $1.50 per report $500
(Or Minimum $500)
Set-up and Training Fee (One-time) $995
Each additional EIN ($499)
Optional Fulfillment Services:
Individual Notice Option: (Minimum Invoice $500)
Individual PDF Files labeled for employer web portal access: @ .50 per employee =
(Or Minimum $500)
Bulk Print Option:
Individual 1095 forms, folded and sealed, delivered in bulk @ _ per form =
50 to 9,999 forms $2.00 per form
10,000 up $1.50 per form
Total Fulfillment Option:
Individual 1095 forms, folded and sealed, USPS mailed @ per form = $225
50 to 9,999 forms $2.25 per form
10,000 up $2.00 per form
Total Cost: $1,720.00
To secure your year-end process placement, a 50% down payment is required.
Please submit payment made to "BenTek, Inc." and mail to:
BenTek, Inc., 11505 Fairchild Gardens Ave., Ste. 102, Palm Beach Gardens, FL 33410.
Down Payment Amount: Date Submitted: Check No:
Signature:
Printed Name: Date:
ACA-Track™ Employee Notification Services Options
ACA-Track Basic: Enterprise, Standard and Reporting Only Subscriptions
All ACA-Track™ annual subscriptions include 1094 and 1095 document generation into a single PDF
file for each generated group. This PDF file will be available for download from the ACA-Track product
web portal where the employer may print or distribute the documents according to their company policy.
A selectable option to transmit the IRS reporting file electronically is also included in the base
subscription fee. An individual 1095 can be printed/reprinted from the ACA-Track 1095 reporting
screen.
Optional Notification Services
Individual Notice Option:
In addition to the combined PDF file generation in the ACA-Track Enterprise, Standard and Reporting
Only Subscriptions, ACA-Track will generate an individual PDF form for each employee. Individual
document names may be generated with the following naming options: 1) Employee ID; 2) Employee
Name or 3) Entity-employee ID. The records are combined into a .zip file for efficient transfer.
Minimum invoice: $500.
Bulk Print Option:
PSST will print the individual 1095 forms onto self-sealing forms with employee name and address on
the outside with all confidential employee information enclosed on the inside or on individual forms
enclosed in a standard envelope. Forms will be ready for employer distribution. The forms will be bulk
mailed to the employer. Minimum invoice: $500.
Total Fulfillment Option:
PSST will print the individual 1095 forms onto self-sealing forms with employee name and address on
the outside with all confidential employee information enclosed on the inside or on individual forms
enclosed in a standard envelope. Forms will be mailed via USPS to the latest employee address
available in ACA-Track. Minimum invoice: $500.
Online Employee Portal Option:
PSST provides an employee portal where the employee will initially agree to accept their 1095
information electronically online, and then access their 1095 form(s) electronically. If the employee
worked for multiple ACA-Track based employers, the employee can access all ACA-Track produced
1095 forms where the employer subscribed to this service. Direct link from the employer/benefit
provider employee portal is available. Minimum invoice: $500.
See Separate "Order Form" above.
PSST, LLC Agreement
INSERT CLIENT NAME HERE
TERMS AND CONDITIONS: TODAY'S DATE
P. 502-244-9280 | F. 502-244-9229
1. Subscription. Client is purchasing a non-exclusive, non-transferable, non-assignable, terminable subscription ("Subscription")
for use of the PSST products listed on exhibit 1, page 1 of this Agreement (collectively "Product") by Client and those
employees Client registers with the Product as "Designated Employees."
2. Term. The Subscription shall begin upon the execution of this Agreement and Product installation and Product availability, and
continue through the Initial Term, set forth on the first page of this Agreement (i.e., one (1) year). If neither party has given the
other at least thirty (30) days written notice of its intent not to renew prior to the end of the Initial Term or any Renewal Term,
the Subscription shall automatically renew for the next year (each, a "Renewal Term").
3. Payment.
a. For Reporting Only clients 50% of services total is due upon Agreement signing date. All invoices must be paid within thirty
(30) days or Client's Subscription is subject to cancellation.
b. Balance due 30 days after fulfillment of services or February 1 of calendar year, whichever comes first. All invoices must
be paid within thirty (30) days or Client's Subscription is subject to cancellation.
c. PSST reserves the right to increase any of the fees after the Initial Term, effective at the beginning of each renewal, by
providing at least thirty (45) days prior written notice of same to Client.
4. Product Support. PSST shall provide Client with commercially reasonable: (a) support in the initial installation and setup of
Product, and (b) ongoing telephone support regarding the use of Product during the Initial Term and any Renewal Term during
normal EST business hours Monday through Friday; but: (i) all telephone assistance rendered by PSST shall only be to Client's
Product Administrator; and (ii) PSST shall not be required to provide "help desk" support for any questions or assistance not
directly related to Product.
5. Product Operation. Client acknowledges and agrees that it must properly enter data and information onto Product in order for
Product to operate properly. Client shall be responsible to verify the accuracy of any of Client's data entered on Product.
6. Product Administrator. At all times, Client must have an employee who has obtained Product administrator certification
training from PSST and who is certified by PSST as a Product administrator ("Product Administrator"). If the Product
Administrator ceases to serve as such, Client shall promptly and at its expense have a new employee obtain PSST Product
administrator certification and be designated as a Product Administrator.
7. Subscription Restrictions.
a. Client shall not assign, transfer, pledge, sub-license or otherwise encumber or dispose of any of Client's rights or
obligations under this Agreement.
b. The Subscription does not extend to any individual or entity not a party to this Agreement, any employees of Client
who are not either the Designated Employees or the Product Administrator, or any business, school or operation
acquired by Client by merger, consolidation, purchase, operation of law or otherwise, unless PSST agrees in writing to
the extension or assignment of the Subscription. No right is granted for the use or access of Product by any third party.
A transfer of control or ownership of Client shall be considered a prohibited transfer of Client's Subscription.
c. PSST may assign this Agreement to any third party acquiring all or substantially all of PSST's assets or stock.
d. Information regarding Client's employees acquired by PSST shall be confidential. Aggregated data not relating to
individual employees of Client acquired by PSST in the course of performing this Agreement will be the sole property
of PSST.
8. Compliance. PSST shall maintain compliance with all state and federal laws, rules and regulations, and is continually enhancing
Product to assure compliance. Given the changing nature of federal and state guidelines and regulations, PSST commits to
keeping Product fully compliant based upon the current understanding of mandatory regulations. Ultimately it is the Client's
responsibility, with their legal representative, to ensure all reports filed with the federal and state agencies are complete, legal
and accurate.
9. Data Breach: PSST makes every effort to protect Client's data in a highly secure environment. The Client shall also make every
effort to not allow any Security Breach into the secured environment by way of its negligence or malfeasance. If either party
becomes aware of any unlawful access to any Client data stored on PSST equipment or in PSST data centers, or unauthorized
access to such data resulting in loss, disclosure, or alteration of Client data or any other data belonging to the parties or either
of them (each a "Security Incident"), the discovering party will: (a) notify the other by written communication (including but
not limited by email) of the Security Incident within twenty four business hours (24) from the time of discovery of the same;
(b) PSST will investigate the Security Incident and provide the Client with information about the Security Incident; and (c) take
reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. An unsuccessful
Security Incident will not be subject to this Section. An unsuccessful Security Incident is one that results in no unauthorized
access to Client data or to any of our equipment or facilities storing Client data. This may include, without limitation, pings and
other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet
sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar
incidents. The obligation to report or respond to a Security Incident under this Section is not and will not be construed as an
acknowledgement by either party of any fault or liability with respect to the Security Incident. The parties recognize that a
Security Incident caused by one of the parties can be damaging to other party and that a party damaged by a Security Incident
caused by the other party shall have the ability to seek recourse against the precipitating party and recover any and all
remedies available at law and equity against the precipitating party following any Security Incident. Notification of a Security
Incident, if any, will be delivered to one or more of your administrators by any means we select, including via email. It is your
sole responsibility to ensure your administrators maintain accurate contact information at all times.
10. Integration. In the event Client integrates Product with a third-party product or service, whether with or without PSST's
assistance, Client understands and agrees: (a) that PSST is authorized to provide Client data to a specified third-party or permit
such third party to have access to Client's data, as required to accomplish the integration services; and (b) PSST is not
responsible for, does not warrant, support, or make any representations regarding: (i) third-party products or services, (ii)
Client's data in the possession of third parties, including, without limitation, a third party's storage, use or misuse of Client
data, or (iii) Client's uninterrupted access to a third party's services due to circumstances outside of the control of PSST.
11. Indemnification.
a. THE PARTIES SHALL BE LIABLE AND SHALL INDEMNIFY AND HOLD HARMLESS THE OTHER PARTY FOR ALL DAMAGES,
CLAIMS, LOSSES AND EXPENSES WHATSOEVER, INCLUDING, BUT NOT LIMITED TO, REASONABLE ATTORNEYS' FEES
AND ARBITRATION AND COURT COSTS, AS WELL AS ANY DAMAGES, CLAIMS, LOSSES OR EXPENSES RELATING TO
ANY ERROR, FAILURE, MALFUNCTION, OR DEFECT OF PRODUCT, ANY BREACH OF THIS AGREEMENT AND ANY
NEGLIGENCE OR OTHER MALFEASANCE BY A PARTY, ITS EMPLOYEES, AGENTS, REPRESENTATIVES, ATTORNEYS,
OFFICERS, AND DIRECTORS.
b. Upon termination of this Agreement for any reason, the provisions of this Section shall survive termination and
continue in full force and effect.
12. Termination.
a. Client may terminate this Agreement at any time, for any reason or no reason, on thirty (30) days prior written notice
to PSST. In the event Client terminates this Agreement pursuant to this Section, PSST shall be entitled to retain all
monies received from Client pursuant to this Agreement, to be paid for fees due up to the termination; and shall be
relieved of further obligations to Client except for the obligations as set forth in Sections 8 and 9 above. PSST shall
promptly return to Client any data, confidential information, materials, records and other information furnished to
PSST by Client. PSST shall return to Client, on a pro-rata basis, any fees paid in advance by Client that were not earned
as of the date of termination.
b. PSST may terminate this Agreement for any material breach by Client with 30 days written notice to the client.
13. Public Disclosure. PSST may not disclose publicly the fact that Client is using Product, for PSST's advertising and promotional
purposes without Client's written consent.
14. Copyright and Trademarks. All intellectual property pertaining to Product, including trademarks and copyrights, is and shall
remain the sole property of PSST and its affiliated companies.
15. Entire Agreement. This Agreement states the entire understanding reached between the parties hereto with respect to the
subject matter contained herein and supersedes all prior or contemporaneous agreements, understandings, representations
and warranties between the parties, and may not be amended except by written instrument executed by the parties hereto.
16. Governing Law — This agreement is governed and controlled as to validity, enforcement, interpretation, construction, effect
and in all other respect by the statutes, laws and decisions of the Commonwealth of Kentucky, without reference to Kentucky's
conflict of laws principle. Any controversy or dispute between the parties arising out of this Agreement will be resolved by
arbitration under the Kentucky Uniform Arbitration Act (KRS 417) with claims heard by a panel of three (3) arbitrators. The
parties hereby waive any defense of lack of personal jurisdiction, lack of subject matter jurisdiction, improper venue, and/or
forum non-conveniens to arbitration in Jefferson County, Kentucky which might otherwise apply but for this Section 16. The
costs of arbitration will be shared equally by the parties. Each party shall choose one disinterested person to act as an arbiter
and the two arbiters shall choose a third disinterested arbiter. The panel of arbitrators will have no authority to change any of
the terms of this Agreement. The parties shall timely present their claim to the panel of arbitrators whose majority decision
shall be final and binding upon the parties. The prevailing party may be awarded reasonable attorney's fees incurred in the
arbitration in addition to any other relief awarded as such may be allowed upon application by the panel of arbiters. Judgment
upon any award rendered by the arbitrator may be entered in the Jefferson Circuit Court and then in any other competent
Court for the purposes of enforcement.
NOTICE: Information provided by PSST, LLC is not legal advice and should not be treated as such, should you have questions, please
consult legal counsel.
AUTHORIZATION FOR RELEASE OF DATA
Client expressly authorizes BenTek to release, transfer, map, and/or populate to the below referenced
vendor product, Protected Health Information (PHI) and Electronic Protected Health Information subject to
Section 3 of the Business Associate Agreement between Client and BenTek:
Worxtime
_ PSST ACA-Track
Greatland/Yearli
Other (Please identify)
Client will enter into a separate agreement with each vendor. Client agrees to directly execute a Business
Associate Agreement with the selected vendor.
BenTek is providing this assistance to client without additional compensation, although BenTek may act
as an agent in collecting applicable vendor fees and remitting them to vendor for ease of Client
administration. BenTek makes no warranties with respect to any vendor product. Client will indemnify and
hold BenTek harmless from and against all liability arising from or related to Client's use of and inability to
use the vendor's software product and Client specifically releases BenTek from all liability for the output,
filing, or accuracy of any forms or returns created as a result of the use of these vendor products.
Client Name: CITY OF SEBASTIAN
Authorized Signature:
Printed Name: KENNETH W. KILGORE
Title: DIRECTOR [illegible]
Date: [illegible]-9-15
11505 Fairchild Gardens Avenue, Suite 102, Palm Beach Gardens, FL 33410
Tel: (561) 799-4840 / (877) 5-BenTek Fax: (877) 6-BenTek
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the "Agreement") by and between CITY OF SEBASTIAN
("Client"), and PSST, Inc. ("PSST") is made and entered into effective [illegible], 2015
RECITALS
WHEREAS, Client is a "covered entity" as those terms are defined in 45 C.F.R. §
160.103; and
WHEREAS, PSST provides administration services to Client; and
WHEREAS, as a result of such functions, Client has identified PSST as a "business
associate," as defined in 45 C.F.R. § 160.103, of Client for purposes of the privacy and security
requirements under the Health Insurance Portability and Accountability Act of 1996, (HIPAA) as
amended by the Health Information Technology for Economic and Clinical Health Act
(HITECH) and the regulations issued thereunder; and
WHEREAS, PSST acknowledges that it is a business associate, as defined in 45 C.F.R. §
160.103, of Client that may create, use, or disclose Protected Health Information or Electronic
Protected Health Information on behalf of Client; and
WHEREAS, Client desires to obtain written assurances that PSST will safeguard
Protected Health Information or Electronic Protected Health Information created or received by
or on behalf of Client.
NOW, THEREFORE, the parties agree as follows:
1. DEFINITIONS
1.1 "Breach" shall have the meaning set forth in 45 C.F.R. §164.402.
1.2 "Data Aggregation" shall have the meaning as the term "data aggregation" in 45 C.F.R.
§ 164.501.
1.3 "Designated Record Set" shall mean a group of health-related records about an Individual
as provided in 45 C.F.R. § 164.501.
1.4 "Electronic Health Record" shall mean an electronic record of health-related information
with respect to an Individual that is created, gathered, managed and consulted by
authorized healthcare clinicians and staff.
1.5 "Electronic Protected Health Information" or "Electronic PHI" means information that
PSST or its agent, including a subcontractor, creates, receives, maintains or transmits
from or on behalf of Client that comes within paragraphs 1(i) or 1(ii) of the definition of
"protected health information" at 45 C.F.R. § 160.103.
Page 1 of 6
17535419x.1
1.6 "Genetic Information" shall have the meaning assigned to such term in 45 C.F.R.
§ 160.103.
1.7 "HIPAA" shall mean the health information privacy provisions under the Health
Insurance Portability and Accountability Act of 1996, and regulations issued thereunder
at 45 C.F.R. Parts 160 and 164, as amended by HITECH.
1.8 "HITECH" shall mean the Health Information Technology for Economic and Clinical
Health Act and the regulations issued thereunder.
1.9 "Individual" shall mean a person who is the subject to the Protected Health Information
of the Client, and shall include a person who qualifies as the Individual's personal
representative in accordance with 45 C.F.R. § 164.502(g).
1.10 "Limited Data Set" shall have the meaning assigned to such term in 45 C.F.R.
§164.514(e)(2).
1.11 "Protected Health Information" or "PHI" shall have the same meaning as the term
"protected health information" in 45 C.F.R. § 160.103, limited to the information created
or received by PSST from or on behalf of Client. Genetic Information shall be
considered PHI.
1.12 "Required by Law" shall mean a mandate contained in an applicable state, federal, or
local law that compels Client (or business associates acting on behalf of Client) to make a
use or disclosure of PHI that is enforceable in a court of law.
1.13 "Security Incident" means the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or interference with system
operations in an information system, as defined at 45 C.F.R. § 164.304. However,
certain low risk attempts to breach network security, such as the incidents listed below,
shall not constitute a Security Incident under this Agreement, provided they do not
penetrate the perimeter, do not result in an actual breach of security and remain within the
normal incident level:
• pings on the firewall;
• port scans;
• attempts to log on to a system or enter a database with an invalid password
or username;
• denial-of-service attacks that do not result in a server being taken off-line;
and
• malware such as worms or viruses.
1.14 "Subcontractor" shall have the meaning as the term in 45 C.F.R. § 160.103.
1.15 "Unsecured Protected Health Information" or "Unsecured PHI" shall have the meaning
assigned to such term in 45 C.F.R. § 164.402 and guidance issued thereunder.
2. OBLIGATIONS OF THE PARTIES
2.1 PSST shall safeguard all PHI and Electronic PHI created or received by PSST on behalf
of Client in accordance with HIPAA. PSST shall implement administrative, physical and
technical safeguards that prevent use or disclosure of the Electronic Protected Health
Information other than as permitted by the Security Rules. Specifically, PSST agrees to
implement policies and procedures in accordance with 45 C.F.R. § 164.316 that:
i. Prevent, detect, contain and correct security violations in accordance with the
administrative safeguards set forth in 45 C.F.R. § 164.308;
ii. Limit physical access to electronic information systems and the facility or
facilities in which they are housed, while ensuring that properly authorized access
is allowed in accordance with the physical safeguards set forth in 45 C.F.R.
§ 164.310; and
iii. Allow access to electronic information systems that maintain Electronic PHI to
only those persons or software programs that have been granted access rights in
accordance with the technical safeguards set forth in 45 C.F.R. § 164.312.
2.2 PSST shall not use or disclose PHI or Electronic PHI except as permitted or required by
Article 3 of this Agreement or as Required by Law. PSST shall notify Client of all
requests for the disclosure of PHI and Electronic PHI from a law enforcement or
government official, or pursuant to a subpoena, court or administrative order, or other
legal request as soon as possible prior to making the requested disclosure. PSST shall
provide to Client all PHI and Electronic PHI necessary to respond to these requests as
soon as possible, but no later than ten (10) business days following its receipt of a written
request from Client.
2.3 Client shall provide to PSST, and PSST shall request from Client, disclose to its
affiliates, subsidiaries, agents and subcontractors or other third parties, only a Limited
Data Set or, if necessary or otherwise permitted by HHS regulations, the minimum PHI
or Electronic PHI necessary to perform or fulfill a specific function required or permitted
under the Agreement. "Minimum necessary" shall be interpreted in accordance with
HITECH, and in any event shall not include any direct identifiers of individuals such as
names, street addresses, phone numbers or social security numbers, except for a unique
identifier assigned by Client as necessary for the strategic analysis.
2.4 PSST shall comply with all granted restrictions on the use and/or disclosure of PHI,
pursuant to 45 C.F.R. § 164.522(a), upon written notice from Client; provided, however,
that Client shall not grant any restriction that affects PSST's use or disclosure of PHI
without first consulting with PSST.
2.5 PSST shall comply with all granted requests for confidential communication of PHI,
pursuant to 45 C.F.R. § 164.522(b), upon written notice from Client.
2.6 PSST shall report to Client any use or disclosure of PHI not permitted by this Agreement
of which PSST becomes aware within fifteen (15) business days of its becoming aware,
and will take such corrective action necessary, or as reasonably directed by Client, in
order to prevent and minimize damage to any Individual and to prevent any further such
occurrences.
2.7 Following the discovery of a Breach of Unsecured PHI, PSST shall notify the Client
without unreasonable delay and in no case no later than fifteen (15) days after discovery
of the Breach. The notification shall include the identification of each Individual whose
Unsecured PHI has been or is reasonably believed by PSST to have been accessed,
acquired, used or disclosed during the Breach. PSST shall provide the Client with any
other available information that the Client requires to notify affected individuals under
the Privacy Rule.
2.8 PSST shall make reasonable efforts to mitigate, to the extent practicable or as reasonably
directed by Client, any harmful effect that is known to PSST resulting from a breach of
this Agreement or HIPAA that is directly caused by PSST.
2.9 PSST shall report to Client any Security Incident within five (5) business days of when it
becomes aware of such Security Incident. PSST shall mitigate to the extent practicable
or as reasonably directed by Client any harmful effect that is known to PSST of a
Security Incident by PSST.
2.10 PSST shall take reasonable steps to ensure that any Subcontractor performing services for
Client agrees in writing to the same restrictions and conditions that apply to PSST with
regard to its creation, use, and disclosure of PHI and Electronic PHI in accordance with
45 C.F.R. §§ 164.308(b)(2), 164.502(e)(1)(ii) and 164.504(e)(5). PSST shall, upon
written request from Client, provide a list of any Subcontractors with whom PSST has
contracted to perform services for Client. PSST shall advise Client if any Subcontractor
breaches its agreement with PSST with respect to the disclosure or use of PHI or
Electronic PHI. If PSST knows of a pattern of activity or practice of its Subcontractor
that constitutes a material breach or violation of the Subcontractor's duties and
obligations under its agreement with the Subcontractor ("Subcontractor Material
Breach"), PSST shall cure the breach or provide a reasonable period for Subcontractor to
cure the Subcontractor Material Breach; provided, however, that if PSST cannot, or
Subcontractor does not, cure the Subcontractor Material Breach within such period, PSST
shall terminate the agreement with Subcontractor, if feasible, at the end of such period.
2.11 PSST shall, upon written request from Client, provide to Client a copy of any PHI or
Electronic PHI in a Designated Record Set, as defined in 45 C.F.R. § 164.501, created or
maintained by PSST, and not also maintained by Client, within thirty (30) days of receipt
of the request.
2.12 PSST shall, upon written request from Client, make any amendment to PHI in a
Designated Record Set maintained by PSST within thirty (30) days of receipt of the
request unless PSST can establish to Client's satisfaction that the PHI at issue is accurate
and complete.
2.13 If an Individual's PHI is held in an Electronic Health Record, PSST shall provide
requested copies in electronic format to the individual or to an entity or person designated
by the Individual, provided such designation is clearly and conspicuously made by the
Individual or Client.
2.14 PSST shall make its internal practices, written policies and procedures, books, records,
and other documents relating to the use and disclosure of PHI and/or Electronic PHI
created or maintained by PSST on behalf of Client available to the Secretary of the
Department of Health and Human Services, or his or her designee, for purposes of the
Secretary determining Client's compliance with HIPAA.
2.15 PSST shall make available the information required to provide an accounting of
disclosures made on and after the Effective Date, as necessary for Client to comply with
45 C.F.R. § 164.528, within twenty (20) business days of receipt of the request. PSST
shall provide one such accounting within a twelve month period without charge, but may
make a reasonable charge for any additional such accountings within the same twelve
month period.
2.16 PSST shall maintain all records, other than those records that are also maintained by
Client, for six (6) years from the date created or last in effect, whichever is later, as
necessary for Client to comply with 45 C.F.R. § 164.530(j)(2).
3. PERMITTED USES OF PHI
3.1 PSST may use and disclose PHI and Electronic PHI as necessary to provide services to
Client, subject to Section 2.3 of this Agreement and consistent with the requirements of
HIPAA.
3.2 PSST may use and disclose PHI and Electronic PHI as necessary for the proper
management and administration of PSST or to carry out PSST's legal responsibilities,
subject to Section 2.4 of this Agreement and consistent with the requirements of HIPAA;
provided, however, that PSST may disclose the PHI and Electronic PHI for such
purposes only if:
i. the disclosure is Required by Law, or
ii. PSST obtains reasonable assurances that the party to whom the PHI or Electronic
PHI is disclosed (a) will protect the confidentiality of the PHI and Electronic PHI,
(b) will not further disclose the PHI or Electronic PHI except as Required by Law
or for the purposes for which it was disclosed to the other party, and (c) will
report any improper use or disclosure of the PHI and/or Electronic PHI to PSST.
3.3 Except as otherwise limited in this Agreement, and to the extent provided for under this
Agreement, PSST may use PHI and Electronic PHI to provide Data Aggregation services
to Client, as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).
4. TERMINATION OF AGREEMENT
4.1 Except as described in Section 4.3, this Agreement shall continue in effect so long as
PSST provides service to Client involving maintaining, using or disclosing PHI or
Electronic PHI, or otherwise retains a copy of PHI or Electronic PHI provided to PSST
by Client.
4.2 Client may terminate this Agreement at any time if Client discovers that PSST has
materially breached any provision of this Agreement.
4.3 If PSST becomes aware of a pattern of activity or practice of the Client that constitutes a
material breach or violation of the Client's duties and obligations under the Agreement,
PSST shall take reasonable steps and provide a period of thirty (30) calendar days for the
Client to cure the material breach or violation. If the Client does not cure the material
breach or violation within such 30-day period, PSST shall terminate the Agreement, if
feasible, at the end of such 30-day period.
4.4 Upon the expiration of Client's relationship with PSST, and contingent upon the payment
of all outstanding fees, PSST shall return PHI and Electronic PHI to Client or Client's
designated agent upon Client's request. If return of all PHI and Electronic PHI is not
feasible, the provisions of this Agreement shall continue to apply to PSST until such time
as all PHI and Electronic PHI is either returned to Client or destroyed pursuant to PSST's
document retention policy, provided that PSST shall limit further use of PHI and
Electronic PHI only to those purposes that make the destruction or return of the PHI and
Electronic PHI infeasible. Following the expiration of the relationship, PSST agrees not
to disclose PHI and Electronic PHI except to Client or as Required by Law.
5. NOTICES
Whenever, under this Agreement, PSST is required to give notice to Client, such notice shall be
sent via First Class Mail to:
Attention: Privacy Officer
Whenever, under this Agreement, Client is required to give notice to PSST, such notice shall be
sent via First Class Mail to:
PSST, Inc.
303 Middletown Park Place, Suite B
Louisville, KY 40243
6. INDEMNIFICATION
PSST agrees to indemnify Client, and any employees, directors, officers of Client (collectively
"Client Indemnitees"), against all actual and direct losses resulting from or in connection with
any breach of this Agreement by PSST, or its partners, employees or other members of its
workforce. Actual and direct losses shall include, but shall not be limited to, judgments,
liabilities, fines, penalties, costs, and expenses (including reasonable attorneys' fees) which are
imposed upon or incurred by Client Indemnitees by reason of any suit, claim, action,
investigation, or demand by any Individual, government entity, or third party. This obligation to
indemnify shall survive the termination of this Agreement.
Client agrees to indemnify PSST and any employees, directors, officers of PSST (collectively
"PSST Indemnitees") against all actual and direct losses resulting from or in connection with any
breach of this Agreement by Client, or any violation of HIPAA resulting from any improper use
or disclosure of PHI and Electronic PHI pursuant to Client's direction. Actual and direct losses
shall include, but shall not be limited to, judgments, liabilities, fines, penalties, costs, and
expenses (including reasonable attorneys' fees) which are imposed upon or incurred by PSST
Indemnitees by reason of any suit, claim, action, investigation, or demand by any Individual,
government entity, or third party. This obligation to indemnify shall survive the termination of
this Agreement.
7. AMENDMENT
The parties agree to negotiate in good faith any amendments necessary to conform this
Agreement to changes in applicable law. PSST further agrees to promptly attempt to amend its
agreements with its subcontractors and agents to conform to the terms of this Agreement. In the
event PSST is unable to amend this Agreement or its agreements with its subcontractors in a way
that is sufficient to satisfy the requirements under HIPAA, Client may terminate this Agreement
in accordance with Section 4 upon thirty (30) days written notice.
8. TERMS OF AGREEMENT GOVERN
Any ambiguity in this Agreement shall be resolved in a way that permits compliance with
HIPAA. In the event of a conflict between the terms of this Agreement and any other contract or
agreement between Client and PSST, this Agreement shall govern.
9. REGULATORY REFERENCES
A reference in this Agreement to a section in the Privacy Rules or Security Rules means the
section as in effect or as amended, and for which compliance is required.
IN WITNESS HEREOF, the parties have executed this Agreement by their respective duly
authorized officers or representatives.
CLIENT
By:
Title:
Date:
PSST, Inc.
By:
Title:
Date:
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (this "Agreement") by and between BenTek, Inc.
("BenTek") and PSST, LLC ("Contractor"), is made and entered into effective as of October 15,
2015.
RECITALS
WHEREAS, Client(s) is(are) a "covered entity," as defined in 45 CFR § 160.103.
WHEREAS, BenTek is a "Business Associate," as defined in 45 CFR § 160.103,
of Client.
WHEREAS, pursuant to services agreement entered into by BenTek and
Contractor on [Insert date of BenTek Contractor contract] (the "Services Agreement"),
BenTek has retained Contractor to provide certain services to BenTek, and BenTek may use such
services to provide services to and to perform other functions on behalf of Client(s).
WHEREAS, BenTek desires to obtain written assurances that Contractor, as a
"Subcontractor" (defined below) of BenTek, will protect and safeguard "Protected Health
Information" and "Personally Identifiable Information" (defined below) disclosed to or created,
received, accessed or otherwise obtained by Contractor pursuant to the Services Agreement in
compliance with "HIPAA" (defined below) and other applicable laws.
WHEREAS, BenTek and Contractor desire to enter into a written agreement
consistent with the applicable requirements of HIPAA, including Title 45 CFR §§ 164.308(b),
164.314(a)(2)(iii), 164.502(e) and 164.504(e)(5);
WHEREAS, the parties desire to amend the Services Agreement to include
certain additional terms and conditions; and
NOW, THEREFORE, in consideration of the premises and of the mutual
promises, representations and covenants herein contained, the parties hereto agree as follows:
1. INCORPORATION OF RECITALS
The recitals set forth above are incorporated herein by reference.
2. DEFINITIONS
Any term used, but not otherwise defined, in this Agreement has the same meaning ascribed to
such term in HIPAA.
2.1 "Breach" shall have the meaning set forth in 45 C.F.R. § 164.402.
2.2 "HIPAA" shall mean the health information privacy and security provisions under the
Health Insurance Portability and Accountability Act of 1996, and regulations issued
thereunder (as such Act and regulations may be amended from time to time), including,
17693422v.1 Page 1 of 11
without limitation, those regulations at 45 C.F.R. Parts 160 through 164, as amended by
HITECH.
2.3 "HITECH Act" shall mean the amendments to HIPAA made by the Health Information
Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV
of Division B of the American Recovery and Reinvestment Act of 2009, and the rules
and regulations promulgated thereunder, as may be amended from time to time.
2.4 "Individual" shall mean a person who is subject to the Protected Health Information of
the Client(s), and shall include a person who qualifies as the Individual's personal
representative in accordance with 45 C.F.R. § 164.502(g).
2.5 "Personally Identifiable Information" shall mean any personal information the
confidentiality, privacy and/or security of which is protected under applicable law.
2.6 "Protected Health Information" or "PHI" shall have the same meaning as the term
"protected health information" in 45 C.F.R. § 160.103, limited to the information created
or received by Contractor from or on behalf of BenTek and/or Client(s).
2.7 "Required by Law" shall have the meaning set forth in 45 C.F.R. § 164.103, and includes
a mandate contained in an applicable state, federal, or local law that compels the Client(s)
(or a business associate acting on behalf of the Client(s)) to make a use or disclosure of
PHI that is enforceable in a court of law.
2.8 "Security Rule" shall mean HIPAA's Security Rule, 45 C.F.R. Part 164.302, et. seq. (as
such rule may be amended from time to time).
2.9 "Subcontractor" shall have the meaning set forth in 45 C.F.R. § 160.103, and shall also
include, as applicable, any contractor, consultant, agent, representative or other third
party that performs services for the BenTek and/or Client(s) on behalf of the Contractor,
or to whom Contractor provides PHI or whom otherwise creates, uses, discloses, access,
maintains or receives PHI.
2.10 "Unsecured Protected Health Information" shall have the meaning set forth in 45 C.F.R.
§ 164.402.
3. OBLIGATIONS OF THE PARTIES
3.1 Contractor agrees to abide by and comply with all applicable federal and state laws and
regulations concerning the confidentiality, privacy and security of PHI and electronic
PHI, including, without limitation, (a) HIPAA, the Security Rule, and the HITECH Act,
and (b) all such laws and regulations that would apply to BenTek and/or Client(s) if
BenTek and/or Client(s) themselves were conducting the activities conducted by
Contractor on behalf of BenTek and/or Client(s). Without limiting the foregoing,
Contractor shall appropriately and effectively safeguard all PHI created, maintained, used
or received by Contractor on behalf of the Client(s) in accordance with this Agreement,
the Client's HIPAA Privacy Policy (the "Privacy Policy"), HIPAA, the Security Rule, the
HITECH Act and other applicable law, and shall develop, implement, maintain, keep
current and use the appropriate administrative, technical and physical safeguards and
security measures to do so. Contractor represents and warrants that it has the right and
authority to perform its services and obligations for BenTek and Client(s) under this
Agreement and the Services Agreement, and that such service will not violate the Privacy
Policy, HIPAA, the Security Rule, the HITECH Act or any applicable law.
3.2 Contractor shall not use or disclose PHI except as permitted or required by this
Agreement or as Required by Law; provided, however, that Contractor shall forward all
requests for the disclosure of PHI from a law enforcement or government official, or
pursuant to a subpoena, other legal request, or court or administrative order, to BenTek
as soon as possible prior to making the requested disclosure (taking into account the time
required for BenTek to respond to such request, subpoena or order), and no later than five
(5) business days following its receipt of such request or order.
3.3 Contractor shall provide to BenTek all PHI necessary for BenTek or Client(s) (as
applicable) to respond to a request for the disclosure of PHI from a law enforcement or
government official, or pursuant to a subpoena, other legal request, or court or
administrative order as soon as possible (taking into account the time required for
BenTek or Client(s) (as applicable) to respond to such request, subpoena or order), and
no later than five (5) business days following its receipt of a written request from
BenTek.
3.4 Contractor shall comply with all granted restrictions on the use and/or disclosure of PHI,
pursuant to 45 C.F.R. § 164.522(a), upon written notice from BenTek. Contractor shall
forward to BenTek any requests for restriction on the use and/or disclosure of PHI as
soon as possible, but not later than ten (10) business days after receipt. Contractor shall
also comply with the applicable requirements of HIPAA and HITECH with respect to
requested restrictions on disclosure of PHI (including those requirements set forth in 45
C.F.R. § 164.522(a)(1)(vi)).
3.5 Contractor shall comply with all granted requests for confidential communication of PHI,
pursuant to 45 C.F.R. § 164.522(b), upon written notice from BenTek. Contractor shall
forward to BenTek any requests for confidential communication of PHI as soon as
possible, but not later than ten (10) business days after receipt.
3.6 Contractor shall train its employees and other workforce members, as well as its
Subcontractors, who handle PHI or are responsible for employees or other workforce
members who handle PHI as necessary to comply with Contractor's obligations under
this Agreement.
3.7 Contractor shall report to BenTek any breach of the Privacy Policy, this Agreement,
HIPAA, the Security Rule, the HITECH Act or other applicable law (including any such
breach by Contractor, its employees or other workforce members or its Subcontractors)
as soon as possible, but not later than ten (10) business days after discovery. Contractor's
report shall at least: (a) identify the nature of the breach; (b) identify the PHI used or
disclosed; (c) identify who made the unauthorized use or received the unauthorized
disclosure; (d) identify what Contractor has done or will do to mitigate any deleterious
effect of the breach; and (e) provide such other information, including a written report, as
reasonably requested by BenTek. Contractor shall also take such corrective actions
necessary to prevent future breaches, including, without limitation, those reasonable
corrective actions directed by BenTek.
3.8 Contractor shall, at Contractor's own expense, use its best efforts (including, without
limitation, taking such reasonable actions as directed by BenTek) to mitigate any harmful
effect that is known to Contractor resulting from a breach of the Privacy Policy, this
Agreement, HIPAA, the Security Rule, the HITECH Act or other applicable law.
3.9 Contractor shall ensure that any Subcontractor agrees (consistent with the applicable
requirements of 45 C.F.R. §§ 164.308(b), 164.314(a)(2)(iii), 164.502(e) and
164.504(e)(5)) to the same restrictions and conditions that apply to Contractor with
regard to the creation, use, storage, possession and disclosure of PHI. Contractor shall,
promptly upon written request from BenTek, provide a list of all of its Subcontractors.
Contractor shall report to BenTek any improper use or disclosure of PHI by any
Subcontractor as soon as possible, but not later than ten (10) business days after
Contractor's discovery of the violation, in accordance with Section 3.7 of this
Agreement. Furthermore, if Contractor knows of a pattern of activity or practice of any
Subcontractor that constitutes a material breach or violation of duties and obligations of
such Subcontractor under the agreement entered into between Contractor and such
Subcontractor pursuant to 45 C.F.R. § 164.502(e) ("Subcontractor Material Breach"),
Business Associate shall cure the breach or provide a reasonable period for such
Subcontractor to cure the Subcontractor Material Breach; provided, however, that, if
Contractor cannot, or such Subcontractor does not, cure the Subcontractor Material
Breach within such period, Contractor shall terminate the agreement with such
Subcontractor, if feasible, at the end of such period.
3.10 Contractor shall, upon written request from BenTek, make any amendment to PHI
maintained by Contractor as soon as possible, but not later than ten (10) business days
after receipt of the request, unless Contractor can establish to BenTek's satisfaction that
the PHI at issue is accurate and complete. Contractor shall forward to BenTek any
requests it receives for amendment of PHI as soon as possible, but not later than ten (10)
business days after receipt.
3.11 Contractor shall make its internal practices, safeguards, security measures, written
policies and procedures, books, records, and other documents relating to the use and
disclosure of PHI created or maintained by Contractor on behalf of BenTek and/or
Client(s) available to the Secretary of the Department of Health and Human Services, or
his or her designee, for purposes of demonstrating BenTek's and/or Client's compliance
with HIPAA.
3.12 Contractor shall make its internal practices, safeguards, security measures, written
policies and procedures, books, records, and other documents relating to the use and
disclosure of PHI created or maintained by Contractor on behalf of BenTek and/or
Client(s) available to Client(s) as soon as possible after a written request from BenTek,
but not later than ten (10) business days after receipt of BenTek's request.
3.13 Contractor shall document all disclosures of PHI (including, without limitation, such
disclosures of PHI as would be required for BenTek, and/or Client(s) to respond to a
request for an accounting of disclosures of PHI in accordance with HIPAA and the
HITECH Act), and shall provide BenTek with a written accounting of all such
disclosures within a six (6) year period (or such other lesser time period specified by
BenTek or the HITECH Act) as soon as possible after a written request from BenTek, but
not later than ten (10) business days after receipt of BenTek's request.
3.14 Contractor shall maintain all BenTek and Client(s) records, including PHI, for six (6)
years from the date created or last in effect, whichever is later, as necessary for BenTek
and Client(s) to comply with 45 C.F.R. § 164.530(j)(2).
3.15 Contractor shall comply with the electronic data interchange standards and uniform code
sets required under the electronic transaction rules of HIPAA, 45 C.F.R. § 162.100 et
seq., to the extent Contractor engages in covered transactions with or on behalf of
BenTek and/or Client(s).
3.16 With respect to PHI that Contractor creates, receives, maintains, stores or transmits
electronically, Contractor shall implement administrative, technical, and physical
safeguards, as described in the Security Rule, that reasonably and appropriately protect
the confidentiality, integrity, and availability of such electronic PHI. Without limiting
the foregoing, Contractor shall:
3.16.1 ensure that any Subcontractor to whom Contractor provides electronic PHI agrees
to implement reasonable and appropriate safeguards to protect such electronic
PHI;
3.16.2 report to BenTek any "Security Incident" as defined by the Security Rule
(including the attempted or successful unauthorized access, use, disclosure,
modification, or destruction of information or interference with system operations
in Contractor's information system containing Client's PHI) of which Contractor
becomes aware as soon as possible (if, however, such Security Incident resulted in
a breach of this Agreement or a Breach, Contractor will make the report in
accordance with the provisions set forth in Section 3.7 or 3.18 of this Agreement,
as applicable); and
3.16.3 make its policies, procedures and documentation available to the Secretary to
determine compliance with the Security Rule.
3.17 Contractor shall, following the "discovery" (as such term is defined by the HITECH Act)
of a Breach or potential Breach, including any Breach by or caused by Contractor, its
employees or other workforce members, or its Subcontractors, promptly notify BenTek in
writing of any such Breach as follows:
3.17.1 The notice by Contractor to BenTek shall be given reasonably in advance of the
time BenTek or Client(s) (as applicable) is required to give a notice of the Breach
under the HITECH Act and other applicable law, and in no event later than five
(5) business days after initial discovery of the Breach.
3.17.2 The notice by Contractor to BenTek shall include the information required to be
provided by Contractor to BenTek and/or Client(s) (as applicable) under the
HITECH Act and other applicable law, all information necessary for BenTek or
Client (as applicable) to provide the notice required to be provided by BenTek or
Client (as applicable) under the HITECH Act and other applicable law, and such
other information reasonably requested by BenTek with respect to the Breach.
3.17.3 Contractor shall not, except to the extent required by applicable law, (a) notify or
otherwise contact an Individual with respect to a Breach of such Individual's
information, or (b) report any such Breach to any government authority or media
outlet or otherwise notify the public of any such Breach, without the express prior
written authorization of BenTek.
3.17.4 The parties shall cooperate in good faith with respect to their notification
obligations under the HITECH Act and other applicable law, including
coordinating their notification obligations under such laws in order to avoid
multiple, confusing notifications to affected Individuals with respect to the same
Breach.
3.17.5 The actual costs (including reasonable attorneys' fees, reasonable Breach
notification costs, and reasonable identity theft protection and mitigation costs)
incurred by BenTek and Client(s) with respect to a Breach by or caused by
Contractor, its employees or other workforce members, or its Subcontractors shall
be borne by Contractor.
4. PERMITTED USES OF PHI
4.1 Contractor may only request, use and disclose the minimum PHI necessary to fulfill its
obligations under the Services Agreement, subject to applicable law and the terms of the
Privacy Policy and this Agreement (including, without limitation, Sections 3.4 and 4.3).
Contractor agrees that "minimum necessary" shall be interpreted in accordance with
HIPAA, as amended by the HITECH Act. Furthermore, Contractor will not use or
disclose PHI in a manner that would violate HIPAA, the Security Rule, the HITECH Act
or other applicable law if done by BenTek or Client(s), except for the specific uses and
disclosures set forth in Sections 4.2, 4.3 and 4.4.
4.2 Contractor may only use and disclose the minimum PHI necessary for the proper
management and administration of Contractor or to carry out Contractor's legal
responsibilities, subject to applicable law and the terms of the Privacy Policy and this
Agreement (including, without limitation, Sections 3.4 and 4.3).
4.3 Contractor may only disclose the PHI pursuant to the provisions of Section 4.2 if:
4.3.1 the disclosure is Required by Law, or
4.3.2 Contractor obtains, prior to making any such disclosure, reasonable assurances,
evidenced by a written agreement, from the party to whom the PHI is disclosed
that it (a) will protect the confidentiality of the PHI as required by this
Agreement, (b) will not use or disclose the PHI except as Required by Law or as
solely necessary for the purposes for which it was disclosed to the other party, and
(c) will report any instance where the confidentiality of the PHI is breached or any
other improper use or disclosure of the PHI to Contractor as soon as possible after
discovery, but in no event later than three (3) days after discovery (and Contractor
will in turn notify BenTek as required hereunder).
4.4 Except as otherwise limited in this Agreement, and to the extent permitted under the
Services Agreement, Contractor may use PHI to provide data aggregation services (as
defined under 45 C.F.R. § 164.501) to BenTek and/or Client(s), as permitted by 45
C.F.R. § 164.504(e)(2)(i)(B) and other applicable law.
4.5 Contractor will not transfer PHI outside the United States without the prior written
consent of BenTek. In this context, a "transfer" outside the United States occurs if
Contractor's employees or other workforce members or Subcontractors physically
located outside the United States are able to access, use, or disclose PHI.
5. TERMINATION OF AGREEMENT
5.1 Except as described in Section 5.4, this Agreement shall continue in effect until the
expiration or termination of the Services Agreement.
5.2 BenTek may terminate the Services Agreement, this Agreement and Contractor's
engagement with BenTek, at any time if BenTek discovers that Contractor has materially
breached any provision of this Agreement, including, without limitation, a violation of
the Privacy Policy, the Security Rule, HIPAA, the HITECH Act and/or other applicable
law by or caused by Contractor, its employees or other workforce members, or its
Subcontractors.
5.3 If BenTek has breached any material provision of this Agreement, then Contractor may
notify BenTek of the material breach and request that it be cured within thirty (30) days
(or such other longer period of time as may be warranted by the circumstances), and
terminate this Agreement if BenTek does not cure such breach within such period. Upon
termination of this Agreement by Contractor, BenTek may terminate the Services
Agreement.
5.4 Upon the termination or expiration of this Agreement, or at any other time BenTek
requests, Contractor shall destroy or return to BenTek all PHI, in whatever form or
medium, including all copies thereof and all data, compilations, and other works derived
therefrom that allow identification of any Individual who is a subject of the PHI. If not
feasible, Contractor shall provide to BenTek notification of the conditions that make the
return or destruction of PHI infeasible and identify such PHI, including any PHI that
Contractor has disclosed to its Subcontractors. The provisions of the Services Agreement
and this Agreement shall continue to apply to Contractor until such time as all PHI is
either returned to BenTek or destroyed, provided that Contractor shall limit further use of
PHI only to those purposes that make the destruction or return of the PHI infeasible and
shall continue to comply with applicable law. Following the expiration or termination of
the Services Agreement, Contractor agrees not to disclose PHI except to BenTek or as
Required by Law. Contractor will complete these obligations as promptly as possible,
but not later than thirty (30) days after it receives BenTek's request for return or
destruction of PHI. This Section 5.4 also applies to PHI that is in the possession of any
Subcontractor, and Contractor shall require any such Subcontractor to provide written
certification to Contractor that it has returned or destroyed all such PHI that could be
returned or destroyed. The obligations of Contractor under this Section 5.4 and Sections
3.13 (access to books and records), 3.14 (accounting of disclosures), 3.18 (breach
notification), 5 (term and termination) and 6 (indemnification) shall survive the
termination of this Agreement.
6. INDEMNIFICATION: INSURANCE
Contractor agrees to indemnify, defend, and hold harmless BenTek, Client(s) and Client's
affiliated entities, and employees, workforce members, directors, officers, contractors,
and agents of BenTek and Client(s), from and against all costs, claims, demands, suits,
actions, causes of action, liabilities, penalties, losses, and expenses (including, without
limitation, reasonable attorneys' fees, reasonable Breach notification costs and identity
theft protection costs and other reasonable and appropriate mitigation costs) resulting
from or in connection with any breach of the Services Agreement or of this Agreement
by, or any Breach or violation of HIPAA, the Security Rule, the HITECH Act and/or
other applicable federal or state law relating to the security or privacy of health
information and/or Personal Information by or caused by, Contractor, its employees
and/or other workforce members, and/or its Subcontractors. Losses shall include, but
shall not be limited to, judgments, liabilities, lost profits, fines, penalties, costs, and
expenses (reasonable attorneys' fees, reasonable and appropriate Breach notification
costs and identity theft protection costs and other reasonable and appropriate mitigation
costs) which may be imposed upon BenTek or Client(s) by reason of any suit, claim,
action, investigation, or demand by any individual, government entity, or third party.
This obligation to indemnify shall survive the expiration or termination of this Agreement
and the Services Agreement. Any limitations or caps on the liability of Contractor set
forth in the Services Agreement shall not apply to Contractor's indemnification
obligations under this Section 6, Contractor's mitigation obligations under Section 3.8 or
Contractor's obligations under Section 3.17.5. Further, without limiting any insurance
obligations of Contractor under the Services Agreement, Contractor agrees to maintain
reasonable and appropriate insurance coverage against the improper use and disclosure of
PHI by Contractor, its employees and/or other workforce members, and/or its
Subcontractors. Promptly following a request by BenTek, Contractor will provide a
certificate evidencing such insurance coverage.
7. MISCELLANEOUS
7.1 Entire Agreement: Amendment Waiver. This Agreement sets forth the entire
understanding between the parties hereto, and supersedes and replaces all prior or
contemporaneous oral or written agreements between the parties concerning the matters
contemplated in this Agreement. Except as provided below in this Section 7.1, this
Agreement and the provisions herein may only be amended, modified or waived upon the
mutual written agreement of the parties. No failure or delay on the part of either party in
exercising any right, power or remedy under this Agreement shall operate as a waiver of
such right, power or remedy nor shall any single or partial exercise of any such right,
power or remedy operate as a waiver. The parties acknowledge that state and federal
laws relating to data security and privacy are rapidly evolving and that amendment of this
Agreement may be required to ensure compliance with changes in the laws or regulation.
The parties specifically agree to take such action necessary to implement, and continue
compliance with, the standards and requirements of HIPAA, the Security Rule, the
HITECH Act or any other applicable federal or state privacy law or regulation relating to
the security or privacy of health information and/or Personal Information, or the
exchange of health information and/or Personal Information by electronic or other means.
Upon BenTek's request, Contractor agrees to promptly amend the terms of this
Agreement to conform to any applicable change in law or regulation. Contractor further
agrees to promptly amend its agreements with its Subcontractors to conform to the terms
of this Agreement. BenTek may terminate this Agreement and the Services Agreement
immediately in the event (i) Contractor does not amend this Agreement within thirty (30)
days after receiving written notice of a request by BenTek to amend this Agreement
pursuant to this Section 7.1, or (ii) Contractor does not amend this Agreement sufficiently
to satisfy the standards and requirements of HIPAA, the Security Rule, the HITECH Act
and any other applicable state or federal law or regulation regarding privacy and/or
security of health information and/or Personal Information as determined by BenTek.
7.2 Interpretation: Severability. Counterparts. Any ambiguity in this Agreement shall be
resolved in favor of a meaning that permits BenTek and Client(s) to comply with HIPAA,
the Security Rule, the HITECH Act and other applicable law. If any provision of this
Agreement is for any reason found to be unenforceable, the remainder of this Agreement
will continue in full force and effect. This Agreement may be executed in one or more
counterparts, all of which together shall constitute one and the same instrument.
7.3 Notification of Investigation. Contractor will provide to BenTek prompt notice and a
description of the commencement of any investigation of Contractor, any of its
employees or other workforce members, or any of its Subcontractors by any state, federal
or local governmental agency or other prosecutorial entity relating to its compliance with
HIPAA, the Security Rule, the HITECH Act or other similar state or local privacy law.
Contractor will also provide prompt notice and a description of the outcome of any such
investigation and prompt notice and a description of any legal proceedings filed against
Contractor, any of its employees or other workforce members, or any of its
Subcontractors alleging a violation of HIPAA, the Security Rule, the HITECH Act or
other similar state or local privacy law, including whether any penalty was imposed or
other corrective measure was required. If any penalty was imposed or other corrective
measure was required, Contractor will provide a description of such penalty or corrective
measure.
7.4 Notice. Any notice, request, instruction or other document to be given hereunder by a
party shall be in writing and delivered personally or by messenger or overnight courier,
sent by registered or certified mail, return receipt requested, or sent by facsimile (with a
copy and confirmation of facsimile transmission sent by registered or certified mail),
addressed to the parties as follows:
If to BenTek: Katherine Bellantoni, Privacy Officer
BenTek, Inc.
11505 Fairchild Gardens Ave., Suite 102
Palm Beach Gardens, FL 33410
If to Contractor: PSST, LLC
Larry R. Roach
303 Middletown Park Place, Suite B
Louisville, KY 40243
or such other person or address as may be designated in writing by the party to receive
such notice. If mailed as aforesaid, the day of mailing shall be the date of delivery.
7.5 Governing Law/Venue. This Agreement shall be governed by and construed in
accordance with the laws of the State of Florida (to the extent not preempted by HIPAA
or other applicable Federal law), excluding that body of law pertaining to conflict of
laws. The parties agree that any disputes relating to this Agreement shall be resolved by
the state or federal courts located in Florida, and Contractor consents to venue in those
courts as proper.
7.6 Assignment. This Agreement may not be assigned without the prior written consent
of BenTek. All of the terms and provisions of the Agreement shall be binding upon and
inure to the benefit of and be enforceable by the respective successors and permitted
assigns of the parties.
8. TERMS OF AGREEMENT GOVERN
In the event of a conflict between the terms of this Agreement and the Services Agreement or
any other contract or agreement between BenTek and Contractor, this Agreement shall govern.
IN WITNESS HEREOF, the parties have executed this Agreement by their respective
duly authorized officers or representatives.
BENTEK:
By:
Title:
Date:
PSST, LLC
By: Larry Roach
Title: President and CEO
Date: October 26, 2015