U.S. Operating and Privacy Requirements

FOLLOWING IS THE CURRENT FORM OF OPERATING AND PRIVACY REQUIREMENTS REQUIRED AS PART OF THE CONTRACT TO OPERATE A SOLUTION WITH THE HEALTHVAULT PLATFORM IN THE UNITED STATES. NOTE: THESE REQUIREMENTS ARE SUBJECT TO CHANGE BY MICROSOFT AT ANY TIME.

OPERATING REQUIREMENTS

  1. TECHNOLOGY REQUIREMENTS, APPLICATION I.D., AND USER INTERFACE.
    1. Requirements. Solution shall conform to all requirements in “Go Live Guide” on the HealthVault Development Center and shall use only Microsoft documented methods to access HealthVault Accounts, and shall not attempt to bypass any HealthVault restrictions or requirements for such access (such as the End-User application authorization). The HealthVault Development Center can be accessed at http://msdn.microsoft.com/en-us/healthvault/default.aspx.
    2. Application I.D. Solution Provider shall use the Application I.D. solely to enable Solution to access HealthVault Accounts for the purpose for which the Application I.D. was issued. Solution Provider shall not disclose its Application I.D. to any third-party except to Solution Provider’s authorized agents for use solely on Solution Provider’s behalf in accordance with this Agreement and under a written duty of confidentiality pursuant to Section 8 of the Agreement.
    3. User Interface. Solution shall only use Microsoft-approved symbols and text within its End-User interface (as described in Microsoft HealthVault user interface guidelines) to indicate and describe HealthVault connectivity.
  2. END-USER SUPPORT. Solution Provider is solely responsible for End-User support of Solutions.
  3. TERRITORY. Solution Provider shall not store End-User Data outside of the U.S.
  4. COMPLIANCE REVIEW. After Microsoft issues Solution Provider an Application I.D., Microsoft has the ongoing right but not the obligation to evaluate Solution for continued compliance with the HealthVault Requirements. Solution Provider shall cooperate by providing such information reasonably requested to confirm such compliance. Microsoft shall notify Solution Provider of, and Solution Provider shall promptly remedy any material non-conformity with the HealthVault Requirements or suspected security vulnerabilities (subject to Solution Provider’s right to terminate or suspend access between Solution and HealthVault). Solution Provider is not compelled to provide Microsoft any particular type of information, however insufficient information may result in Microsoft suspending connectivity between Solution and HealthVault.
  5. SUSPENSION OF HEALTHVAULT ACCESS.
    1. Microsoft-Initiated Suspension of Solution Access to HealthVault. Microsoft may suspend connectivity between Solution and HealthVault for material failure to comply with the HealthVault Requirements, unless Solution Provider substantially cures such material failure or provides a reasonably acceptable work-around to remedy such material failure within ten (10) days after Solution Provider’s receipt of written notice from Microsoft. Notwithstanding the foregoing, Microsoft may immediately suspend connectivity between the Solution and HealthVault on prior written notice (which may be provided via email to Solution Provider Business and Technical contacts) and without providing an opportunity to cure if Microsoft reasonably believes that such suspension is necessary (i) to prevent threats to the privacy, security and integrity of End-user Data or to the performance or availability of HealthVault; or (ii) as a result of any law, rule or regulation.
    2. Microsoft-Initiated Suspension of HealthVault. Microsoft may immediately suspend operation of HealthVault or portions thereof on prior written notice (which may be provided to Solution Provider via email to Solution Provider Business and Technical contacts) if Microsoft reasonably believes that such suspension is necessary (i) to prevent unauthorized access or other threats to the privacy, security and integrity of End-User Data; (ii) until such threats are resolved to Microsoft’s reasonable satisfaction; or (iii) as a result of any law, rule or regulation.
  6. INSURANCE.
    1. Commercial General Liability. Solution Provider and Microsoft shall each maintain sufficient insurance coverage to enable it to meet its obligations under this Agreement. Without limiting the foregoing, each Party warrants that such insurance shall include Commercial General Liability (Occurrence Form) insurance coverage with minimum limits of U.S. $2,000,000 per occurrence, to the extent this Agreement creates exposures generally covered thereby.
    2. Professional Liability. Solution Provider and Microsoft shall each maintain Professional Liability/Errors & Omissions Liability insurance coverage with policy limits of not less than U.S. $2,000,000 each claim with a deductible of not more than U.S. $100,000. Such insurance shall include coverage for infringement of the proprietary rights of any third-party, to the extent reasonably available, including without limitation copyright and trademark infringement as related to Solution Provider performance under this Agreement. In addition, such insurance shall include coverage for the following injuries, unless covered, and not in any way excluded or restricted, by the Party’s general liability insurance: invasion of privacy, and advertising injury. Such insurance shall also include coverage for contingent bodily injury/property damage. If Solution includes a HealthVault-compatible hardware driver, such insurance shall include coverage for third-party loss of use arising from the recall, removal or withdrawal of products due to Solution Provider errors, omissions, or negligent acts. Such insurance shall not contain limitations of coverage for claims arising from unauthorized/exceeded access to systems/data or for services rendered over public/private networks. Throughout the Term, the Professional Liability/Errors & Omissions Liability insurance’s retroactive coverage date shall be no later than the Effective Date of this Agreement. Upon termination of this Agreement, Solution Provider and Microsoft shall either continue to maintain an active insurance policy, or purchase an extended reporting period providing coverage for claims first made and reported to the insurance company within 12 months after the termination or expiration of this Agreement.
    3. Either Party may meet the above insurance requirements via commercial insurance, self-insurance, alternative risk financing solutions or a combination of these options if they meet the following criteria: (i) liquid assets of a minimum of U.S. $500,000; and (ii) a quick ratio (liquid assets divided by current liabilities) of a minimum of 1.0.
  7. THIRD PARTY CONTENT. HealthVault enables storage of certain standard terminologies from third parties (including but not limited to those listed below) in HealthVault Accounts. You may only use the third party terminologies available in HealthVault to receive information from HealthVault Accounts for use as part of the End-User’s personal information, and to test your Solutions’ connectivity with HealthVault. You may not disassemble, decompile, reverse engineer, or modify third party terminologies from HealthVault. You may not sell, or otherwise use them separately from End User personal health records. You are solely responsible for obtaining all licenses for third party content needed for the Solution. Information about the terminologies HealthVault uses is available in the HealthVault Developer Center.

UMLS METATHESAURUS. Some material in the UMLS Metathesaurus is from copyrighted sources of the respective copyright holders. Users of the UMLS Metathesaurus are solely responsible for compliance with any copyright, patent or trademark restrictions and are referred to the copyright, patent or trademark notices appearing in the original sources, all of which are hereby incorporated by reference.

LOINC Database. The HealthVault platform includes access to all or a portion of the LOINC® database, or is derived from the LOINC® database, subject to a license from Regenstrief Institute, Inc. Your use of the LOINC database and LOINC codes also is subject to this license, a copy of which is available at http://www.regenstrief.org/loinc/#copyright. The current complete LOINC database and Users' Guide are available for download at http://www.regenstrief.org/loinc. The LOINC database and LOINC codes are copyright © 1995-2007, Regenstrief Institute, Inc. and the Logical Observation Identifiers Names and Codes (LOINC) Committee. All rights reserved. THE LOINC DATABASE IS PROVIDED "AS IS." ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. LOINC® is a registered United States trademark of Regenstrief Institute, Inc. A small portion of the LOINC table may include content (e.g., survey instruments) that is subject to copyrights owned by third parties. Such content has been mapped to LOINC terms under applicable copyright and terms of use. Notice of such third party copyright and license terms would need to be included if such content is included.

SNOMED Clinical Terms® (SNOMED CT®). The International Health Terminology Standards Development Organization (IHTSDO) licenses SNOMED CT. All rights reserved. SNOMED CT® was originally created by the College of American Pathologists. “SNOMED” and “SNOMED CT” are registered trademarks of the IHTSDO. See www.nlm.nih.gov/research/umls for more information.

PRIVACY & SECURITY REQUIREMENTS

(NON HIPAA-COVERED ENTITIES)

  1. NON HIPAA-COVERED ENTITY REQUIREMENTS. Solution Provider shall comply with the following requirements:
    1. Notice and Consent.
      • Privacy Statement. Solution Provider shall maintain a privacy statement that describes (i) Solution Provider’s collection, use, storage, and transfer of personal information received by Solution from a HealthVault Account, and (ii) how End-Users can review, edit and remove such personal information that is stored by or on behalf of Solution Provider. If Solution includes a portal accessible to End-Users, Solution Provider shall present the privacy statement in an accessible and prominent manner (which may be via a link on the homepage) upon the End-User’s initial use, each subsequent use, and on each webpage of Solution. If the privacy statement is materially revised, then the revised privacy statements shall first be presented to the End-User prior to use of a Solution under the new terms.
      • Connection Authorization. HealthVault displays certain information provided by Solution Provider about Solution, and requires End-User opt-in consent before Microsoft enables transfer of data to or from Solution. Solution Provider shall keep the information it provides Microsoft for display to End-Users accurate and up-to-date. A description of the information required is available at http://msdn.microsoft.com/en-us/healthvault/bb962148.aspx#appconfig.
    2. Information Use and Retention. Solution Provider shall:
      • not disclose End-User Data received from a HealthVault Account to a third-party without first obtaining explicit opt-in consent from the End-User (the End-User shall take an explicit action to indicate consent) with respect to the specific third-party;
      • require any contractors or vendors who have access to End-User Data received from a HealthVault Account to agree in writing to comply with Solution Provider’s privacy and security policies, including those requirements to which Solution Provider is obligated under this Agreement;
      • maintain End-User Data only for purposes for which the End-User has explicitly consented;
      • provide the End-User with the ability to access and/or update End-User Data that Solution Provider receives from a HealthVault Account;
      • provide the End-User a way to delete (except for data retention required by law) any End-User Data that Solution Provider retains beyond an active session.
  2. INFORMATION SECURITY PROGRAM. Solution Provider shall maintain an information security program reasonably designed to prevent the use or disclosure of End-User Data other than as permitted under the privacy terms between Solution Provider and End-Users. Such information security program shall include administrative, physical and technical safeguards that are reasonably and appropriately designed to protect the confidentiality, integrity, and availability of End-User Data. Solution Provider shall ensure that any agent (including a subcontractor) to whom it provides End-User Data agrees to implement reasonable and appropriate safeguards to protect such End-User Data.
  3. SECURITY VULNERABILITIES. Each Party shall take prompt action to respond to any known security vulnerability in its technology or operations in compliance with its security program. Resolution may include, without limitation, (a) suspending, removing or disabling the features or functions of its service; and (b) patching, correcting or fixing the security vulnerability. Either Party may suspend connectivity of Solution with HealthVault until the security vulnerability is resolved to its reasonable satisfaction.
  4. BREACH OF END-USER DATA. In the event of a breach of End-User Data, the Parties shall cooperate to the extent reasonably necessary to meet their respective legal obligations. Solution Provider acknowledges that Microsoft operates HealthVault Accounts as personal health records as defined under Subtitle D of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”).

PRIVACY & SECURITY REQUIREMENTS

(HIPAA-COVERED ENTITIES)

  1. HIPAA-COVERED ENTITY REQUIREMENTS. Solution Provider represents and warrants to Microsoft that (i) Solution Provider is a HIPAA-Covered Entity or shall operate Solution solely to enable End-Users to permit information transfer to and/or from HIPAA-Covered Entities and (ii) Solution shall be operated in compliance with all legal requirements for a HIPAA-Covered Entity.
  2. NOTICE, CONSENT AND ACCESS. HealthVault displays certain information provided by Solution Provider about Solution, and requires End-User opt-in consent before Microsoft enables data transfer to or from Solution. Solution Provider shall keep the information it provides for this purpose accurate and up-to-date. A description of the information required is available at http://msdn.microsoft.com/en-us/healthvault/bb962148.aspx#appconfig.
  3. BREACH OF END-USER DATA. In the event of a breach of End-User Data, the Parties shall cooperate to the extent reasonably necessary to meet their respective legal obligations. Solution Provider acknowledges that Microsoft operates HealthVault Accounts as personal health records as defined under Subtitle D of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”).