Protected Health Information ("PHI"). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MLIDC any use or disclosure of MLIDC PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MLIDC's request, provide to MLIDC any PHI or information relating to PHI as deemed necessary by MLIDC to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MLIDC; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MLIDC's compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to MLIDC or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received, made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 3 contracts
Samples: Sales Agreement (Metlife Investors Usa Separate Account A), Sales Agreement (First Metlife Investors Variable Annuity Account One), Sales Agreement (Metlife Investors Variable Annuity Account One)
Protected Health Information. 8.1 Compliance with HIPAA, NDHIN Policies and Procedures, and Other Laws and Regulations. The NDHIN and each Participant shall comply with all applicable standards for the confidentiality, security, and use of any Patient Data or Protected Health Information under HIPAA, the NDHIN Policies and Procedures, and any other applicable federal, state, and local laws. Except as provided in Section 8.1.1, each Participant agrees to report promptly to NDHIN following its discovery by the Participant, and the NDHIN agrees to report promptly to the Health Information Technology Advisory Committee following its discovery by the NDHIN, any material breach of the provisions of this Section that relates to this Agreement. In addition, the NDHIN agrees to report promptly to the other Participants any material breach of the provisions of this Section. For the purpose of this Section "report promptly" means to report the discovery of any material breach of this Section AS SOON AS POSSIBLE AND IN ANY CASE within five (5) days of the time NDHIN or a Participant, as applicable, becomes aware of any such breach.
8.1.1 In addition to any other requirements, because NDHIN has joined the Sequoia project (formerly Healtheway), the public-private partnership that operationally supports the nationwide eHealth Exchange, Participant agrees to comply with the provisions in Section 15.04 of the Restatement I of the Data Use and Reciprocal Support Agreement (September 30, 2014) (“DURSA”) that require the Participant:
(a) To comply with all Applicable Law;
(b) To reasonably cooperate with NDHIN regarding issues related to the DURSA;
(c) To Request, retrieve and send data only for a Permitted Purpose as defined in the DURSA (which is more restrictive than HIPAA);
(d) To use data received from NDHIN or another Sequoia Participant in accordance with the terms and conditions of the DURSA;
(e) To refrain from disclosing to any other person any passwords or other security measures issued to the Participant or to an Authorized User of the Participant by the NDHIN; and
(f) To as soon as reasonably practicable (as required by Section 14.03 of the DURSA); but no later than:
(1) one (1) hour after discovering information that leads a NDHIN Participant to reasonably believe that a Breach related to Transacting Message Content pursuant to the DURSA may have occurred, alert NDHIN to the suspected breach; and
(2) twenty-four (24) hours after determining that a Breach related to Transacting Message Content pursuant to the DURSA has occurred, provide a Notification of any such Breach to NDHIN. In other words, if a breach (or suspected breach) occurs WHILE the Participant is sending, requesting, receiving, or accessing an electronic transmission of health information through the Sequoia Project, the breach must be reported as required by this subsection. BUT IF the breach was from the Participant's EHR or electronic records system and did not occur while (i.e., at the same time) the Participant or the Participant's Authorized User was using the Sequoia Project (even though the information is ePHI received or accessed through the Sequoia Project), the breach is considered to be not directly related to the Sequoia Project and should not be reported under this subsection. (Although the Participant may be required to report the breach under other NDHIN and HIPAA Notification rules).
(1) the breach is an unintentional access or disclosure of information accessed through the DURSA by an employee or individual acting in good faith and within the course and scope of the employment or other professional relationship of the individual with the Participant, and (2) the information is not further accessed or disclosed by the individual. As used in Subsection (f), “Transacting Message Content pursuant to the DURSA” means sending, requesting, receiving, asserting, responding to, submitting, routing, subscribing to, or publishing information contained within an electronic transmission of health information transacted by an NDHIN Participant using the DURSA Specifications, including any information contained in an electronic transmission, or accompanying any such transmission such as Protected Health Information (PHI), de-identified data (as defined in the HIPAA Regulations at 45 C.F.R. § 164.514), individually identifiable information, pseudonymized (partially de-identified) data, metadata, Digital Credentials, and schema.
8.1.2 The Notification of a DURSA breach under Section 8.1.1(f) should include sufficient information for NDHIN to understand the nature of the Breach.
(a) For instance, the Notification could include, to the extent available at the time of the 24-hour Notification, the following information:
(1) One or two sentence description of the breach
(2) Description of the roles of the people involved in the breach (e.g. employees, Participant Users, service providers, unauthorized persons, etc.)
(3) The type of Message Content breached
(4) Participants likely impacted by the breach
(5) Number of individuals or records impacted or estimated to be impacted by the breach
(6) Actions taken by the Participant to mitigate the breach
(7) Current status of the breach (whether under investigation or resolved)
(8) Corrective action taken and steps planned to be taken to prevent a similar breach
(b) The Participant shall supplement the information contained in the Notification as it becomes available and cooperate with other Participants and NDHIN in investigating and taking corrective action in response to the breach.
8.1.3 The requirements of … Section 8.1.1
Appears in 2 contracts
Protected Health Information. PHI")7.1. Notwithstanding anything to ------------------------------------ the contrary in this Agreement, in In order to comply with HIPAA requirementsfurther protect the confidentiality of any PHI disclosed to or used by Producer pursuant to the Contract and to satisfy requirements of HIPAA, Broker agrees MetLife and Producer agree to the following with respect to any PHI received, obtained received or created by BrokerProducer in providing services pursuant to the Contract, including PHI received or disclosed or made accessible created prior to Broker, that Broker: the effective date of the Contract (“MetLife PHI”): (a) the obligations regarding MetLife PHI contained in this Agreement shall be in addition to any other obligations contained in the Contract that apply to MetLife PHI; (b) Producer may not use or disclose MetLife PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable LawContract; (c) Producer shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this AgreementMetLife PHI; (d) MetLife and Producer represent and warrant that their security procedures are adequate to protect and maintain the confidentiality of MetLife PHI; (e) Producer shall promptly report to MLIDC MetLife any use or disclosure of MLIDC MetLife PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) Producer shall require ensure that any of its Representatives Agents, including any sub- contractors or Producer affiliates, that Producer may use in accordance with the Contract and independent contractors to whom Producer provides MetLife PHI is disclosed or made accessible or who uses 
MetLife PHI has agreed been approved by MetLife in writing and agrees to the same restrictions and conditions that apply to Broker Producer with respect to MetLife PHI pursuant to this Agreement; (g) shall, within fifteen thirty (1530) days of MLIDC's MetLife’s request, Producer shall provide to MLIDC any PHI or information relating to PHI as deemed necessary by MLIDC to provide individuals with access to, amendment of, and an accounting of disclosures of their MetLife PHI, and Producer agrees to incorporate any amendments of the MetLife PHI as requested by MLIDCMetLife; (h) shall Producer agrees to make its internal practices, books books, and records relating to its use or disclosure of MetLife PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MLIDC's compliance with Applicable LawMetLife’s compliance; (i) Producer agrees that upon termination of this Agreement the Contract it shallwill, if feasible, return to MLIDC or destroy all MetLife PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, Producer agrees to extend the protections of this Agreement to the MetLife PHI beyond the termination of this Agreement the Contract and for as long as Broker Producer has MetLife PHI, and further agrees that any further use or disclosure of the MetLife PHI shall will be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. 
With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further ; (j) Producer agrees that it will not disclose MetLife PHI, other than enrollment information, to an employer or plan sponsor, unless the employer or plan sponsor has taken the steps required by HIPAA to permit disclosure to the employer or plan sponsor; (k) Producer may use or disclose MetLife PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law, and only to the extent that such use or disclosure complies with any applicable HIPAA requirements relating to uses and disclosures required by law; and (l) Producer shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or of any such electronic PHIelectronic
7.2. Producer agrees and acknowledges that it is directly subject to HIPAA, as amended by the HITECH Act, including its provisions relating to security and privacy of PHI as well as its enforcement and penalty provisions. Producer agrees that it will: (a) comply with all applicable security and privacy provisions of HIPAA as amended by the HITECH Act and as it may be amended from time to time; (b) not act in any way to interfere with or hinder MetLife's ability to comply with HIPAA as amended by the HITECH Act and as it may be amended from time to time; and (c) notify MetLife within five (5) business days after discovering a "breach" as that term is defined in Section 13400 of the HITECH Act at the following e-mail address: xxxxxxxxxxxxxx@xxxxxxx.xxx
7.3. In the event Producer learns of a pattern of activity or practice of subcontractor that constitutes a material breach or violation of its obligations relating to PHI under Producer and subcontractor’s agreement, Producer will take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, Producer will terminate the agreement with its subcontractor, if feasible, or, if termination is not feasible, report the problem to the Secretary of Department of Health and Human Services (“HHS”).
7.4. PHI is defined as individually identifiable information that is transmitted or maintained in any medium and relates to: the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or past, present, or future payment for the provision of health care to the individual.
7.5. Producer's breach of any of the provisions of Paragraph 7 shall constitute a material breach of this Agreement and provide grounds for immediate termination by MetLife, notwithstanding any other provision of the Agreement.
Appears in 2 contracts
Samples: Single Case Commission Agreement, Commission Agreement
Protected Health Information ("PHI"). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MLIDC any use or disclosure of MLIDC PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MLIDC's request, provide to MLIDC any PHI or information relating to PHI as deemed necessary by MLIDC to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MLIDC; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MLIDC's compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to MLIDC or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received, made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 2 contracts
Samples: Sales Agreement (New England Variable Annuity Separate Account), Sales Agreement (Metlife Investors Usa Separate Account A)
Protected Health Information ("PHI"). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MLIDC any use or disclosure of MLIDC PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MLIDC's request, provide to MLIDC any PHI or information relating to PHI as deemed necessary by MLIDC to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MLIDC; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MLIDC's compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to MLIDC or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received, made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 2 contracts
Samples: Sales Agreement (Metlife Investors Variable Annuity Account One), Sales Agreement (Metlife Investors Variable Annuity Account One)
Protected Health Information (“PHI”). In order to comply with HIPAA requirements, Xxxxxx agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MetLife any use or disclosure of MetLife PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Brokers or independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MetLife’s request, provide to MetLife any PHI or information relating to PHI as deemed necessary by MetLife to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MetLife; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MetLife’s compliance with Applicable Law; (i) agrees that upon termination of this Agreement it will, if feasible, return to MetLife or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI will be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received, made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Xxxxxx further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any such electronic PHI; (2) ensure that its Brokers agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 2 contracts
Samples: Broker Agreement, Broker Agreement
Protected Health Information ("PHI"). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MLIDC any use or disclosure of MLIDC PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MLIDC's request, provide to MLIDC any PHI or information relating to PHI as deemed necessary by MLIDC to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MLIDC; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MLIDC's compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to MLIDC or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received, made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 1 contract
Samples: Sales Agreement (MetLife of CT Separate Account QPN)
Appears in 1 contract
Protected Health Information ("PHI"). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MLIDC any use or disclosure of MLIDC PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MLIDC's request, provide to MLIDC any PHI or information relating to PHI as deemed necessary by MLIDC to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MLIDC; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MLIDC's compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to MLIDC or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 1 contract
Samples: Sales Agreement (Metlife Investors Variable Life Account One)
Protected Health Information. 7.1. In order to further protect the confidentiality of any PHI disclosed to or used by Producer pursuant to the Contract and to satisfy requirements of HIPAA, MetLife and Producer agree to the following with respect to any PHI received or created by Producer in providing services pursuant to the Contract, including PHI received or created prior to the effective date of the Contract (“MetLife PHI”): (a) the obligations regarding MetLife PHI contained in this Agreement shall be in addition to any other obligations contained in the Contract that apply to MetLife PHI; (b) Producer may not use or disclose MetLife PHI except to provide services pursuant to the Contract; (c) Producer shall use appropriate safeguards to prevent use or disclosure of MetLife PHI; (d) MetLife and Producer represent and warrant that their security procedures are adequate to protect and maintain the confidentiality of MetLife PHI; (e) Producer shall promptly report to MetLife any use or disclosure of MetLife PHI not permitted by this Agreement of which it becomes aware; (f) Producer shall ensure that any of its Agents, including any sub-contractors or Producer affiliates, that Producer may use in accordance with the Contract and to whom Producer provides MetLife PHI has been approved by MetLife in writing and agrees to the same restrictions and conditions that apply to Producer with respect to MetLife PHI pursuant to this Agreement; (g) within thirty (30) days of MetLife’s request, Producer shall provide access to, amendment of, and an accounting of disclosures of MetLife PHI, and Producer agrees to incorporate any amendments of the MetLife PHI as requested by MetLife; (h) Producer agrees to make its internal practices, books, and records relating to its use or disclosure of MetLife PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MetLife’s compliance; (i) Producer agrees that upon termination of the Contract it will, if feasible, return or destroy all MetLife PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, Producer agrees to extend the protections of this Agreement to the MetLife PHI beyond the termination of the Contract and for as long as Producer has MetLife PHI, and further agrees that any further use or disclosure of the MetLife PHI will be solely for the purposes that make return or destruction infeasible; (j) Producer agrees that it will not disclose MetLife PHI, other than enrollment information, to an employer or plan sponsor, unless the employer or plan sponsor has taken the steps required by HIPAA to permit disclosure to the employer or plan sponsor; (k) Producer may use or disclose MetLife PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law, and only to the extent that such use or disclosure complies with any applicable HIPAA requirements relating to uses and disclosures required by law; and (l) Producer shall (1) implement administrative, physical, and
7.2. Producer agrees and acknowledges that it is directly subject to HIPAA, as amended by the HITECH Act, including its provisions relating to security and privacy of PHI as well as its enforcement and penalty provisions. Producer agrees that it will: (a) comply with all applicable security and privacy provisions of HIPAA as amended by the HITECH Act and as it may be amended from time to time; (b) not act in any way to interfere with or hinder MetLife's ability to comply with HIPAA as amended by the HITECH Act and as it may be amended from time to time; and (c) notify MetLife within five (5) business days after discovering a "breach" as that term is defined in Section 13400 of the HITECH Act at the following e-mail address: xxxxxxxxxxxxxx@xxxxxxx.xxx
7.3. In the event Producer learns of a pattern of activity or practice of subcontractor that constitutes a material breach or violation of its obligations relating to PHI under Producer and subcontractor’s agreement, Producer will take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, Producer will terminate the agreement with its subcontractor, if feasible, or, if termination is not feasible, report the problem to the Secretary of Department of Health and Human Services (“HHS”).
7.4. PHI is defined as individually identifiable information that is transmitted or maintained in any medium and relates to: the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or past, present, or future payment for the provision of health care to the individual.
7.5. Producer's breach of any of the provisions of Paragraph 7 shall constitute a material breach of this Agreement and provide grounds for immediate termination by MetLife, notwithstanding any other provision of the Agreement.
Appears in 1 contract
Samples: Commission Agreement
Protected Health Information. The Trustees are authorized to receive, maintain, use, and disclose Protected Health Information (“PHI”) pursuant to the conditions set forth below. Each Trustee shall certify in writing that he will comply with these conditions. Each Trustee will agree to:
(a) not use or further disclose PHI received from the Fund other than as permitted in the Fund’s written privacy policy or as required by law;
(b) ensure that any agents, including subcontractors, to whom a Trustee provides PHI received from the Fund agree to the same restrictions and conditions that apply to the Trustee with respect to PHI;
(c) not use or disclose PHI received from the Fund for employment-related actions and decisions or in connection with any other benefit or employee benefit plan;
(d) report to the Fund’s privacy officer any use or disclosure of PHI received from the Fund that is inconsistent with the uses or disclosures provided for in this section of which the Trustee becomes aware;
(e) make PHI received from the Fund available to individuals for inspection or amendment as required by law;
(f) make PHI received from the Fund available to provide an accounting of disclosures as required by the Fund;
(g) make internal practices, books, and records relating to the use and disclosure of PHI received from the Fund available to the Secretary of the United States Department of Health and Human Services for purposes of determining compliance by the Fund with the applicable federal regulations;
(h) if feasible, return or destroy all PHI received from the Fund and retain no copies of PHI when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible;
(i) ensure adequate separation between the Trustees and the Fund by limiting disclosure of PHI to the Trustees as plan sponsors and to be accessed and used only for the plan administrative functions that the Trustees perform; and
(j) agree to provide an effective mechanism to resolve any issues of a Trustee’s noncompliance with this section by taking appropriate action which may include, but is not limited to, limiting or placing special conditions on a non-compliant Trustee’s access or use of PHI from the Fund.
Appears in 1 contract
Samples: Trust Agreement
Protected Health Information (“PHI”). In order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to Phoenix any use or disclosure of Phoenix PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of Phoenix’s request, provide to Phoenix any PHI or information relating to PHI as deemed necessary by Phoenix to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by Phoenix; (g) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine Phoenix’s compliance with Applicable Law; (h) agrees that upon termination of this Agreement it will, if feasible, return to Phoenix or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI will be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people;
Appears in 1 contract
Samples: Broker Agreement
Protected Health Information (“PHI”). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MLIDC any use or disclosure of MLIDC PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MLIDC’s request, provide to MLIDC any PHI or information relating to PHI as deemed necessary by MLIDC to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MLIDC; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MLIDC’s compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to MLIDC or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term “security incident” means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 1 contract
Protected Health Information ("PHI"). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to Principal Underwriter any use or disclosure of Principal Underwriter PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of Principal Underwriter's request, provide to Principal Underwriter any PHI or information relating to PHI as deemed necessary by Principal Underwriter to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by Principal Underwriter; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine Principal Underwriter's compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to Principal Underwriter or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 1 contract
Samples: Sales Agreement (Brighthouse Variable Annuity Account B)
Protected Health Information (“PHI”). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to Principal Underwriter any use or disclosure of Principal Underwriter PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of Principal Underwriter’s request, provide to Principal Underwriter any PHI or information relating to PHI as deemed necessary by Principal Underwriter to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by Principal Underwriter; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine Principal Underwriter’s compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to Principal Underwriter or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to Principal Underwriter any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term “security incident” means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 1 contract
Samples: Sales Agreement (BRIGHTHOUSE LIFE INSURANCE Co OF NY)
Protected Health Information. PHI"). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MLIDC any use or disclosure of MLIDC PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MLIDC's request, provide to MLIDC any PHI or information relating to PHI as deemed necessary by MLIDC to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MLIDC; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MLIDC's compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to MLIDC or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 1 contract
Samples: Sales Agreement (Metropolitan Life Variable Annuity Separate Account II)
Protected Health Information. 8.1 Compliance with HIPAA, NDHIN Policies and Procedures, and Other Laws and Regulations. The NDHIN and each Participant shall comply with all applicable standards for the confidentiality, security, and use of any Patient Data or Protected Health Information under HIPAA, the NDHIN Policies and Procedures, and any other applicable federal, state, and local laws. Except as provided in Section 8.1.1, each Participant agrees to report promptly to the NDHIN following its discovery by the Participant, and the NDHIN agrees to report promptly to the Health Information Technology Advisory Committee following its discovery by the NDHIN, any material breach of the provisions of this Section that relates to this Agreement. In addition, the NDHIN agrees to report promptly to the other Participants any material breach of the provisions of this Section. For the purpose of this Section "report promptly" means to report the discovery of any material breach of this Section AS SOON AS POSSIBLE AND IN ANY CASE within five (5) days of the time NDHIN or a Participant, as applicable, becomes aware of any such breach.
8.1.1 In addition to any other requirements, because NDHIN has joined the Sequoia project (formerly Healtheway), the public-private partnership that operationally supports the nationwide eHealth Exchange, Participant agrees to comply with the provisions in Section 15.04 of the Restatement I of the Data Use and Reciprocal Support Agreement (September 30, 2014) (“DURSA”) that require the Participant:
(a) To comply with all Applicable Law;
(b) To reasonably cooperate with NDHIN regarding issues related to the DURSA;
(c) To Request, retrieve and send data only for a Permitted Purpose as defined in the DURSA (which is more restrictive than HIPAA);
(d) To use data received from NDHIN or another Healtheway Participant in accordance with the terms and conditions of the DURSA;
(e) To refrain from disclosing to any other person any passwords or other security measures issued to the Participant or to an Authorized User of the Participant by the NDHIN; and
(f) To as soon as reasonably practicable (as required by Section 14.03 of the DURSA); but no later than:
(1) one (1) hour after discovering information that leads a NDHIN Participant to reasonably believe that a Breach related to Transacting Message Content pursuant to the DURSA may have occurred, alert NDHIN to the suspected breach; and
(2) twenty-four (24) hours after determining that a Breach related to Transacting Message Content pursuant to the DURSA has occurred, provide a Notification of any such Breach to NDHIN. In other words, if a breach (or suspected breach) occurs WHILE the Participant is sending, requesting, receiving, or accessing an electronic transmission of health information through the DURSA, the breach must be reported as required by this subsection. BUT IF the breach was from the Participants EHR or electronic records system and did not occur while (i.e., at the same time) the Participant or the Participants Authorized user was using the DURSA (even though the information is ePHI received or accessed through the DURSA), the breach is considered to be not directly related to the DURSA and should not be reported under this subsection. (Although the Participant may be required to report the breach under other NDHIN and HIPAA Notification rules).
(1) the breach is an unintentional access or disclosure of information accessed through the DURSA by an employee or individual acting in good faith and within the course and scope of the employment or other professional relationship of the individual with the Participant, and (2) the information is not further accessed or disclosed by the individual. As used in Subsection (f), “Transacting Message Content pursuant to the DURSA” means sending, requesting, receiving, asserting, responding to, submitting, routing, subscribing to, or publishing information contained within an electronic transmission of health information transacted by an NDHIN Participant using the DURSA Specifications, including any information contained in an electronic transmission, or accompanying any such transmission such as Protected Health Information (PHI), de-identified data (as defined in the HIPAA Regulations at 45 C.F.R. § 164.514), individually identifiable information, pseudonymized (partially de-identified) data, metadata, Digital Credentials, and schema.
8.1.2 The Notification of a DURSA breach under Section 8.1.1(f) should include sufficient information for NDHIN to understand the nature of the Breach.
(a) For instance, the Notification could include, to the extent available at the time of the 24-hour Notification, the following information:
(1) One or two sentence description of the breach
(2) Description of the roles of the people involved in the breach (e.g. employees, Participant Users, service providers, unauthorized persons, etc.)
(3) The type of Message Content breached
(4) Participants likely impacted by the breach
(5) Number of individuals or records impacted or estimated to be impacted by the breach
(6) Actions taken by the Participant to mitigate the breach
(7) Current status of the breach (whether under investigation or resolved)
(8) Corrective action taken and steps planned to be taken to prevent a similar breach
(b) The Participant shall supplement the information contained in the Notification as it becomes available and cooperate with other Participants and NDHIN in investigating and taking corrective action in response to the breach.
8.1.3 The requirements of Section 8.1.1
Appears in 1 contract
Samples: Participation Agreement
Protected Health Information. PHI"). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MLIDC any use or disclosure of MLIDC PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MLIDC's request, provide to MLIDC any PHI or information relating to PHI as deemed necessary by MLIDC to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MLIDC; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MLIDC's compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to MLIDC or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 1 contract
Samples: Sales Agreement (MetLife Insurance CO of Connecticut)
Protected Health Information. PHI"). Notwithstanding anything to the contrary in this Agreement, in order to comply with HIPAA requirements, Broker agrees with respect to any PHI received, obtained or created by Broker, or disclosed or made accessible to Broker, that Broker: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to Principal Underwriter any use or disclosure of Principal Underwriter PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Broker in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Representatives and independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Broker with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of Principal Underwriter's request, provide to Principal Underwriter any PHI or information relating to PHI as deemed necessary by Principal Underwriter to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by Principal Underwriter; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine Principal Underwriter's compliance with Applicable Law; (i) agrees that upon termination of this Agreement it shall, if feasible, return to Principal Underwriter or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Broker has PHI, and further agrees that any further use or disclosure of the PHI shall be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Broker further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or any such electronic PHI; (2) ensure that its Representatives agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Principal Underwriter any security incident related to Electronic PHI of which the Broker becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 1 contract
Samples: Sales Agreement (New England Variable Life Separate Account)
Protected Health Information. “PHI”). In order to comply with HIPAA requirements, General Agent agrees with respect to any PHI received, obtained or created by General Agent, or disclosed or made accessible to General Agent, that General Agent: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MetLife any use or disclosure of MetLife PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by General Agent in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Brokers or independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to General Agent with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MetLife’s request, provide to MetLife any PHI or information relating to PHI as deemed necessary by MetLife to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MetLife; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MetLife’s compliance with Applicable Law; (i) agrees that upon termination of this Agreement it will, if feasible, return to MetLife or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as General Agent has PHI, and further agrees that any further use or disclosure of the PHI will be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, General Agent further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or any such electronic PHI; (2) ensure that its Brokers agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the General Agent becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 1 contract
Samples: General Agent Agreement
Protected Health Information. “PHI”). In order to comply with HIPAA requirements, Member General Agent agrees with respect to any PHI received, obtained or created by Member General Agent, or disclosed or made accessible to Member General Agent, that Member General Agent: (a) shall not use or disclose PHI except to provide services pursuant to this Agreement and consistent with Applicable Law; (b) shall limit the use of, access to and disclosure of PHI to the minimum required to perform services or by Applicable Law; (c) shall use appropriate safeguards to prevent use or disclosure of PHI except as permitted by this Agreement; (d) shall promptly report to MetLife any use or disclosure of MetLife PHI not permitted by this Agreement of which it becomes aware; (e) shall take reasonable steps to mitigate any harmful effect of any use or disclosure of PHI by Member General Agent in violation of the terms of this Agreement or Applicable Law; (f) shall require that any of its Brokers or independent contractors to whom PHI is disclosed or made accessible or who uses PHI has agreed to the same restrictions and conditions that apply to Member General Agent with respect to PHI pursuant to this Agreement; (g) shall, within fifteen (15) days of MetLife’s request, provide to MetLife any PHI or information relating to PHI as deemed necessary by MetLife to provide individuals with access to, amendment of, and an accounting of disclosures of their PHI, and to incorporate any amendments of the PHI as requested by MetLife; (h) shall make its internal practices, books and records relating to its use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services at his/her request to determine MetLife’s compliance with Applicable Law; (i) agrees that upon termination of this Agreement it will, if feasible, return to MetLife or destroy all PHI it maintains in any form and retain no copies, and if such return or destruction is not feasible, to extend the protections of this Agreement to the PHI beyond the termination of this Agreement and for as long as Member General Agent has PHI, and further agrees that any further use or disclosure of the PHI will be solely for the purposes that make return or destruction infeasible. Destruction without retention of copies is not deemed feasible if prohibited by the terms of this Agreement or by Applicable Law, including record retention requirements under state insurance laws. With respect to PHI received made accessible, maintained or transmitted electronically in the performance of its obligations under this Agreement, Member General Agent further agrees that it shall (1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability or any such electronic PHI; (2) ensure that its Brokers agree to implement reasonable and appropriate safeguards to protect such electronic PHI; and (3) report to the Company any security incident related to Electronic PHI of which the Member General Agent becomes aware. In this context, the term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in information systems such as hardware, software, information, data applications, communications and people.
Appears in 1 contract
Samples: Member General Agent Agreement