Press Alt + R to read the document text or Alt + P to download or print.

No preview available

The URL can be used to link to this page

Home My WebLink AboutC20-423 HealthbreakWORKSITE WELLNESS SERVICES AGREEMENT THIS WORKSITE WELLNESS SERVICES AGREEMENT (this “Agreement”), including all Attachments and Exhibits, (collectively referred to as the “Agreement”) is made and entered into this 1st day of January, 2021 (“Effective Date”) by and between Healthbreak, Inc., for itself and on behalf of its subsidiaries and affiliates (collectively, “Healthbreak”) and Eagle County Colorado, a body corporate and politic (“Client”). This Agreement shall replace any and all prior agreements between Healthbreak and Client. Healthbreak and Client may individually be referred to as a “Party” or collectively as the “Parties.” W I T N E S S E T H: WHEREAS, Healthbreak is in the business of providing health management solution services; and WHEREAS, Client desires to engage Healthbreak for the provision of health management solution services; NOW THEREFORE, in consideration of the promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows: ARTICLE I DEFINITIONS Section 1.01. Definitions. Unless otherwise specifically provided, the capitalized terms used in this Agreement shall have the meanings set forth in Exhibit A attached hereto and incorporated by reference. ARTICLE II RESPONSIBILITIES OF HEALTHBREAK Section 2.01. Services. Healthbreak shall provide health management solution services (“Services”) for Client subject to the terms of the Service Specifications attached hereto as Attachment A and as specified throughout this Agreement. Unless otherwise specified, Services and related deliverables are provided in English only. Section 2.02. Healthbreak Personnel. All personnel provided by Healthbreak shall be employees or contractors of Healthbreak or its affiliates or contractors, and not of Client. Section 2.03. Reporting. Healthbreak shall provide Client with relevant reporting regarding Services as specified in the Service Specifications. Unless otherwise specified or unless reporting is available on-demand by Client, reporting shall be provided at the end of each Program Year. Client may request additional reports and if Healthbreak is able to provide such reports, additional fees may apply and shall be agreed by the Parties in advance of the production of same. Client agrees that any reports requested by Client which require the provision of Member PHI, will only be provided if necessary for DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F C20-423 the administration of one or more of Client’s group health plan(s) (the “Plan”). Client agrees that such report shall only be provided to the individual(s) authorized by the Plan Sponsor to administer the Plan and Client acknowledges that the Plan has been amended to allow for access to Client Member PHI. Healthbreak may request that Client provide a copy of the “Certification by Plan Sponsor to Group Health Plan”. Section 2.04. Non-Exclusive Services. Client acknowledges and agrees that Healthbreak has other business activities that take a major and substantial part of Healthbreak’s total time devoted to business matters. Accordingly, Healthbreak shall not be bound to devote all or any specific part of its business time to the affairs of Client, but shall devote such time and attention to Client’s business as may be required in order to ensure that the Services are conducted in a diligent and proper manner. During the continuance of this Agreement, Healthbreak may: (i) engage in any activity whether or not such activity may be deemed to be in competition with the business operations of Client; (ii) own an interest in any other business venture of any nature or description independently, or with others; and (iii) provide services for any other business of any nature or description whether or not competitive with the business of Client. Notwithstanding the foregoing, Healthbreak agrees to maintain the confidentiality of the raw data collected from a third-party payor and/or Client and/or or its employees, including claims data, absenteeism, sick time, productivity, worker’s compensation and attrition rate. ARTICLE III BILLING AND COMPENSATION Section 3.01. Compensation. In consideration of the Services under this Agreement, Client shall pay Healthbreak’s fees and expenses which are undisputed as set forth in the Billing and Payment Schedule attached hereto as Attachment B. All billing cycles shall begin on the first of the month. An initial payment shall be due upon contract signing. Electronic invoices for all subsequent payments shall be presented to Client one month in advance of delivery of Services and unless otherwise specified in this Agreement, payment for Services shall be due within 30 days of the date of the invoice. Notwithstanding the provisions of the Billing and Payment Schedule, payments not received within 30 days of the applicable due date will accumulate interest, until paid, at the rate of one and 1-1/2% per month on the unpaid balance, equal to an annual percentage rate of 18%, or the maximum rate permitted by applicable law, whichever is less. Section 3.02. Expenses. Unless otherwise explicitly provided in the Agreement, travel, expenses, and sales and other state taxes are not included in the Services. DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F Section 3.03. Billing Contact. Client’s primary contact for billing purposes is as follows: Rhea Beacom Rhea.beacom@eaglecounty.us (970) 328-8796 500 Broadway P.O. Box 850Eagle, Colorado 81631-0850 TABOR. Notwithstanding anything to the contrary contained in this Agreement, Client shall have no payment obligations under this Agreement, nor shall any payments be made to Healthbreak in respect of any period after December 31 of any year, without an appropriation therefor by Client in accordance with a budget adopted by the Board of County Commissioners in compliance with Article 25, title 30 of the Colorado Revised Statutes, the Local Government Budget Law (C.R.S. 29-1-101 et. seq.) and the TABOR Amendment (Colorado Constitution, Article X, Sec. 20). ARTICLE IV RESPONSIBILITIES OF CLIENT Section 4.01. Implementation and Provision of Data. The process of preparing to deliver Services under this Agreement is referred to as the “Implementation” process. Client shall designate one of its employees as the coordinator to work with the designated Healthbreak Client Services specialist during the Implementation process. The Implementation Period is specified in the Billing and Payment Schedule attached hereto as Attachment B. Healthbreak shall commence billing on the Launch Date set forth in Attachment B regardless of whether Client actually launches on that date unless such delays are caused by Healthbreak. During the Implementation Period and as otherwise required under the Agreement, Client shall timely provide to Healthbreak all data and other information (i.e., census files) requested and reasonably necessary for the performance of Services as well as coordinate with third-party vendors for the provision of data of Client if applicable. Section 4.02. Eligibility File. Client acknowledges that an Eligibility File containing the required data on all Eligible Members is necessary for the performance of Services and agrees to the following: (a) Client is responsible for identifying and notifying Healthbreak of all persons who are Eligible Members (as stated in Attachment B of the Agreement) in file format in accordance with the Eligibility Management Specifications document that discloses the Eligible Members and includes at least the following information: the Eligible Members last name, first name, date of birth, gender, unique employee identifying number, if applicable, and any other information necessary to enable Healthbreak to administer the Program and Services required by this Agreement. (b) Client will provide the Eligibility File in accordance with the Eligibility Management Specifications of Healthbreak, or any of its contractors, including but not limited to Virgin Pulse, Inc. (“VP”) no later than 49 days prior to the Launch Date. This information and any Eligible Member additions and terminations shall be kept current and submitted on a monthly basis by the fifteenth (15) day of each month during the Term, unless otherwise agreed upon by the Parties. DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F (c) Client acknowledges and agrees that Healthbreak, under certain limited circumstances, may be required to share this Eligibility File information for the provision of biometric services to fulfill its obligations under this Agreement or any additional Statement of Work. Healthbreak may be further required to share this information to Connected Partners to fulfil its obligations under this Agreement or any additional Statements of Work. Client acknowledges and agrees that Healthbreak and its contractors will only load files which strictly comply with the terms of the aforementioned documents and all other files will be deemed “unloadable.” Client shall be responsible for any errors with respect to the information provided, including any failure to report employee terminations, or termination of an Eligible Member from participation in the Program. Services will be available to all persons included on the Eligibility File and Client will be responsible for payment for all Eligible Members provided on the Eligibility File and all individuals included on the Eligibility File shall be considered Eligible Members. Healthbreak Services are only available to Eligible Members that are at least 18 years of age and Client agrees that it will not include anyone under the age of 18. (d) Client agrees that, upon request, Client will verify the eligibility status of any person seeking Services and, if deemed eligible, provide the same data as is required for the Eligibility File. All Members shall be Eligible Members of Client. Section 4.03. Notice of Privacy Practices. Client will provide Eligible Members and Healthbreak with Client’s Notice of Privacy Practices in compliance with the applicable sections of the Health Insurance Portability and Accountability Act (“HIPAA ”). Section 4.04. Consent Forms. Eligible Members who desire to become Participants shall sign any Consent to Participate Forms or Member Policies, as required by Healthbreak or any of its contractors. Notwithstanding the foregoing, participation in the Program or acceptance of Services in any manner is deemed consent to participate. Client shall ensure that all necessary or required consents or authorizations are obtained from Eligible Members at its own expense. Section 4.05. Incentives. Client may provide an Incentive Reward that encourages Eligible Members. Healthbreak shall support Client in determining which Participants are eligible to receive the Incentive Reward and Client agrees to provide Healthbreak with the Incentive Reward requirements at least 65 days prior to the Launch Date. Client shall be solely responsible for the actual administration of the Incentive Reward. Healthbreak will make an initial determination of whether Members have earned and are entitled to incentives under the Program as part of the Services. Healthbreak’s role in administering claims for incentives is purely ministerial, and performed within a framework of policies, interpretations, rules, practices and procedures made or adopted by Client. Healthbreak will only have authority to construe the provisions of the program approved by Client and determine whether a claim for incentives is eligible to be granted in accordance with the terms of the Program and this Agreement. Upon determination on request of a Member that the Member has not earned or is not entitled to incentive under a program, Healthbreak will provide a claims denial notice in the form and manner directed by Client. If and to the extent that any program made available by Healthbreak is part of the Plan, Client shall administer any appeal process and retains ultimate authority, discretion and responsibility for the Plan. DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F Client expressly waives any and all claims of any type against Healthbreak and its contractors related, either directly or indirectly, to offering an Incentive Reward, unless such claims are as result of Healthbreak’s negligence. Client affirms that any Incentive Reward that requires the satisfaction of a Health Status Factor is intended to comply with all applicable federal, state and/or local rules or regulations, including, but not limited to, any and all applicable privacy statutes and/or statutes related to the use of lawful products or engaging in lawful conduct. Healthbreak does not and cannot provide legal advice to Client regarding the specifics of any Incentive Reward. Neither Healthbreak nor its contractors make any representations with respect to whether the Program or Incentive Reward complies with the Americans with Disabilities Act of 1990 as amended. Client agrees that neither Healthbreak nor its contractors make any representations of compliance with laws pertaining to employment, discrimination, disability, and other related law as it relates to the Incentive Reward, the administration of the Incentive Reward, and the Program Design, and Client shall rely solely on advice of its own counsel with respect to the applicability of such laws and expressly waives any and all claims against Healthbreak and its contractors arising from any alleged or actual non-compliance with such laws. Furthermore, Client shall rely solely on the advice of its counsel in making a determination of whether or not the selected services are subject to ERISA. Client waives any and all claims of any type against Healthbreak and its contractors related to any data or information received by Healthbreak or its contractors from any third party that Client requests to be included by Healthbreak or its contractors in any reports used by Client or in data files sent to any other Party (at the request of Client) for incentive fulfillment or to support payment or distribution of incentive rewards of any kind or type or for claims analytics. The Parties acknowledge and agree that Healthbreak, in the exercise of Healthbreak’s sole discretion, shall be permitted to adjust, remove, or otherwise alter rewards accumulated by Members (i) in error, (ii) in a manner that violates the Membership Agreement, or (iii) have otherwise been accumulated in a fraudulent or dishonest manner. Section 4.06. Communications to Eligible Members. Client is responsible for providing its members with adequate and accurate communications about the Program and its incentive rewards. Healthbreak will provide Client with recommended communication templates that can be edited by Client. Client is solely responsible for any edited content and distribution of the communication materials. Section 4.07. Client Facilities. For Services where use of Client facilities is required, Client agrees to provide suitable facilities in a setting that will enable Healthbreak to safely and, as appropriate, confidentially provide Services to Eligible Members. This shall include, without limitation, the provision of meeting room space, tables, chairs, utilities, and internet access. Section 4.08. Exclusivity. During the Term of this Agreement, Client shall not enter into an agreement with any other Party for the provision of the same or substantially similar services provided by Healthbreak. Section 4.09. Insurance. (a) Client Insurance. Client will maintain at its sole expense a valid policy of general liability insurance with minimum limits of $1,000,000 per occurrence and DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F $3,000,000 annual aggregate during the Term of the Agreement. Client will provide proof of insurance upon request. (b) Healthbreak Insurance. Contractor agrees to provide and maintain at Contractor’s sole cost and expense, the following insurance coverage with limits of liability not less than those stated below: (i) Types of Insurance. (A) Workers’ Compensation insurance as required by law. (B) Auto coverage with limits of liability not less than $1,000,000 each accident combined bodily injury and property damage liability insurance, including coverage for owned, hired, and non-owned vehicles. (C) Commercial General Liability coverage to include premises and operations, personal/advertising injury, products/completed operations, broad form property damage with limits of liability not less than $1,000,000 per occurrence and $1,000,000 aggregate limits. (c) Other Requirements. (i) The commercial general liability coverage shall be endorsed to include Eagle County, its associated or affiliated entities, its successors and assigns, elected officials, employees, agents and volunteers as additional insureds. Healthbreak’s certificate of insurance in effect as of the Effective Date, which is consistent with the foregoing requirements, is attached hereto as Exhibit B. Healthbreak will maintain the levels of insurance required under this Agreement during the Term hereof. (ii) Healthbreak will use best efforts to require that its subcontractors, if any, maintain insurance policies similar to those required of Healthbreak hereunder and the services they are performing on Healthbreak’s behalf. (iii) The insurance provisions of this Agreement shall survive expiration or termination hereof. (iv) The parties hereto understand and agree that the Client is relying on, and does not waive or intend to waive by any provision of this Agreement, the monetary limitations or rights, immunities and protections provided by the Colorado Governmental Immunity Act, as from time to time amended, or otherwise available to Client, its affiliated entities, successors or assigns, its elected officials, employees, agents and volunteers. (v) Healthbreak is not entitled to workers’ compensation benefits except as provided by Healthbreak, nor to unemployment insurance benefits unless unemployment compensation coverage is provided by Healthbreak or some other DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F entity. Healthbreak is obligated to pay all federal and state income tax on any moneys paid pursuant to this Agreement. Section 4.10. Intellectual Property. Any logos, designs, domain names, or other works created under this Agreement are the intellectual property of Healthbreak or its contractors and such parties retain any and all rights to such intellectual property. Notwithstanding the foregoing, Healthbreak does not claim any right or title to Client’s name or registered marks. Section 4.11. Use of De-Identified Data. Healthbreak (and any of its contractors to whom Healthbreak has granted such rights) shall have the right to use the data, health and lifestyle status metrics, and other results of its Services under this Agreement in such a way that neither Client nor any Eligible Member or Participant is identifiable. Section 4.12. Client Assistance. In addition to its other responsibilities hereunder, Client agrees to make available in a timely manner at no charge to Healthbreak all content, graphic files, data, or other information and resources of Client required by Healthbreak for the performance of its obligations under this Agreement. Client shall be responsible for, and assumes the risk of, any problems resulting from, the content, accuracy, completeness and consistency of all such content, materials and information supplied by Client. Client shall also be solely responsible, at its own expense, for acquiring, installing and maintaining all connectivity equipment, hardware, software and other equipment as may be necessary for it and its Members to connect to, access, and use the Services. Client shall also encourage Members to participate in Programs offered hereunder, reasonably assist Healthbreak with enrollment functions, and accommodate and provide reasonable access to all Members for completion of enrollment and engagement in all offerings. ARTICLE V TERM Section 5.01. Term. The Initial Term of this Agreement shall be from the Effective Date of this Agreement and shall continue for a period of twelve (12) months from the Launch Date for Services (the “Initial Term”). Section 5.02. Program Year. A program year is the 12-month period starting from the Launch Date set forth in Attachment B and each 12-month period thereafter (“Program Year”). Client will be presented with recommendations for a Program Design for the subsequent Program Year. The final Program Design for the subsequent year must be approved by Client at least 65 days prior to the subsequent Program Year. In the event Client does not timely approve the Program Design, the then- current Program Year will be extended for one month. However, during this extended period, Members will not be able to accrue points towards an incentive. Section 5.03. Renewal Term. Following the Initial Term, this Agreement will automatically renew for one (1) year terms (“Renewal Term”), unless either Party provides written notice of its desire to terminate at least ninety (90) days prior to the expiration of the then-current term (the Initial Term and any Renewal Terms, collectively referred to herein as the “Term”). During the first two Renewal Terms, the subscription fees shall stay the same as stated in Attachment B. During the third and any subsequent DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F Renewal Term, the subscription fees may increase no more than a 4% (pursuant to Healthbreak’s notice thereof to Client), Section 5.04. [Intentionally Omitted] Section 5.05. Termination. Notwithstanding anything to the contrary contained in this Agreement, this Agreement may be terminated: (a) by either Party, upon written notice to the other, if the other Party (the “Defaulting Party”) breaches any material obligation or covenant of the Defaulting Party hereunder and if such breach shall remain uncured for 30 days following written notice of such breach given by the non-Defaulting Party to the Defaulting Party; (b) immediately and automatically upon the filing of a voluntary or involuntary petition for reorganization or bankruptcy by or against a Party; or (c) at the discretion of Healthbreak if Client is more than 60 days past due on payments owed to Healthbreak under this Agreement and subject to the terms of Section 9.07 of this Agreement. Upon such termination, Client shall still be liable for all payments that have accrued prior to the date of termination and that will accrue throughout the remainder of the then current term. Notwithstanding the foregoing, in the event a Healthbreak invoice to Client is unpaid by the end of the current month in which payment is due, Healthbreak shall notify Client in writing of such default. If such default has not been cured to the reasonable satisfaction of Healthbreak within fifteen (15) business days following month end, Healthbreak shall block the ability of Client’s Members to redeem rewards, and the ability to redeem rewards will remain off until Healthbreak is notified that the default has been cured to Healthbreak’s reasonable satisfaction. In the event Client is in default by the end of the second month following the date that payment is due and the default has not been cured to the reasonable satisfaction of Healthbreak, within two (2) business days following month end (A) Healthbreak shall block the ability for Client’s Members to access their personal internet pages maintained on the Services and block the ability for Client’s Members otherwise to participate in the Services, and (B) all rewards earned but not redeemed by Client’s Members shall be forfeited, and Healthbreak shall not have any further obligation to Client with respect to such rewards. Section 5.06. Rights of the Parties. Termination or expiration of this Agreement shall not alter or impair any rights of either Party accrued under this Agreement through the date of termination or expiration. ARTICLE VI LICENSES Section 6.01. Automated Services. Subject to Client’s compliance with the terms and conditions of this Agreement, Healthbreak hereby grants Client a non-exclusive right and license during the Term to access and use the Services as provided in Attachment A. Healthbreak grants Client a nonexclusive license to use the Software. Except as specifically set forth herein, Healthbreak or its suppliers retain all DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F right, title, and interest, including all intellectual property rights, relating to or embodied in the Services, including without limitation the Software and all technology, web addresses, telephone numbers, or systems relating to the Services. Client agrees not to reverse engineer, decompile, disassemble, translate, or attempt to learn the source code of any software related to the Services. Other than using the Services for Client’s internal business purposes, Client may not resell the Services or otherwise generate income from the Services. Healthbreak must be notified of and approve in writing any third-party Authorized User prior to granting access to the Services to such third-party Authorized User. For all third-party Authorized Users, Client shall provide Healthbreak with a copy of the Business Associate Agreement between Client and the third party or alternatively shall request that third party execute the Healthbreak Confidentiality Agreement. Client third parties will not be given access to the Services without one of the above referenced agreements. The Authorized User will continue having access to the Software for the Term of the Agreement unless Client notifies Healthbreak, in writing, that authorization has been revoked. Section 6.02. License to Healthbreak Materials. Except for Member reports and employer reports, all materials, including date-specific marketing materials available to Client through the Services, any Healthbreak or VP websites, or any materials/content provided by Healthbreak, through VP or otherwise (collectively, “Materials”) are licensed to Client. Healthbreak hereby grants Client a personal, nonexclusive, non-transferable license to use the Materials solely for the purposes of the Services provided under the Agreement during the Term of the Agreement. Client shall not distribute, alter or use the Materials for any other purpose. Client shall treat all such Materials as Confidential Information as defined in Article VIII of the Agreement. Upon the termination of this Agreement, Client shall discontinue use or distribution of all Materials or, if requested by Healthbreak or its contractors, return or destroy all such Materials to and for the benefit of Healthbreak and its contractors. Section 6.03. Link Agreement. Healthbreak grants Client a limited, non-exclusive, non- transferrable, non-assignable right to establish a link to the Member Portal. Client and its Members shall use the Member Portal only for the purposes expressly described in this Agreement and subject to the restrictions set forth in this Agreement. Neither Party to this Agreement grants the other Party any license or right under its intellectual property, other than as may be expressly set forth in this Agreement. Furthermore, neither Party may use any service/trade names, nor service/trademarks of the other Party without the other Party’s express prior written consent. Without limiting the foregoing, Healthbreak’s trademarks and names shall include, but not be limited to, the trademarks, service marks and tradenames of Healthbreak and its suppliers. Section 6.04. Healthbreak Obligations Regarding the Software. (a) Member Support: Member Support shall be provided as set forth in Attachment A (b) Healthbreak shall maintain all appropriate security measures based on the sensitivity and nature of Confidential Information and data processed under this DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F Agreement, including physical, administrative and organizational controls applicable to Healthbreak systems, Healthbreak sites, and its service provider’, Virgin Pulse’s, systems. (c) Healthbreak, through Virgin Pulse, shall implement all the above referenced administrative, physical, and technical safeguards to protect Confidential Information. In addition, through Virgin Pulse, upon Client’s request, Healthbreak shall cause Virgin Pulse to provide to Client Virgin Pulse’s certification from the International Organization for Standardization’s standards: ISO/IEC 27001 or Standards for Attestation Engagements No. 16, Service Organization Control 2, Type 2 audit report. (d) Breach Notification and Remedies. (i) In the case of a security incident originating from the Client, at Client’s cost and expense, Healthbreak will provide assistance to the Client for identification and resolution, but the Client will have sole responsibility for any remediation actions necessary as a result of the Breach. (ii) Healthbreak shall promptly notify the Client within 72 hours or sooner by telephone and email, unless shorter time is required by applicable law, if it confirms that there is, or reasonably believes that there has been, a data breach involving Client’s Confidential Information. Healthbreak shall (a) cooperate with the Client as reasonably requested by the Client to investigate and resolve the data breach, (b) promptly implement necessary remedial measures, if necessary, and (c) document responsive actions taken related to the data breach, including any post- incident review of events and actions taken to make changes in business practices in providing the services, if necessary. (iii) If a data breach is a direct result of Healthbreak’s breach of its contract obligations under this Section 6.04(b), Healthbreak shall bear the costs associated with (a) the investigation and resolution of the data breach; (b) notifications to individuals, regulators or others required by state law; and (c) complete all corrective actions as reasonably determined by Healthbreak based on root cause; all [(a) through (c)] subject to this Agreement’s limitation of liability. ARTICLE VII REPRESENTATIONS AND WARRANTIES Section 7.01. Each Party represents and warrants to the other that: (a) its execution and performance of this Agreement will not violate any provision of law, rule, regulation to which such Party is subject; and (b) such Party will comply with all laws, rules and regulations pursuant to which such Party conducts its business. Section 7.02. Each Party represents and warrants to the other that: (a) it has all requisite corporate power and authority to execute, deliver and perform its obligations under this Agreement; (b) the execution, delivery and performance of this Agreement have been duly authorized by such Party; (c) no approval, authorization or consent of any governmental or regulatory authority is required to be obtained DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F by it in order for it to enter into and perform its obligations under this Agreement; and (d) the signatory to this Agreement possesses all necessary authority to enter into the Agreement. Section 7.03. Services Warranty. Healthbreak agrees to provide and maintain the Services in a workmanlike manner customary for service providers in the industry. Healthbreak does not warrant or guarantee in any way the results from the Services. The Parties acknowledge and agree that Healthbreak is not a care provider and does not provide medical advice. The Services are not, nor are they intended to be, a medical evaluation, medical examination, medical advice, medical consultation, medical diagnosis or medical treatment. Section 7.04. Disclaimer of Warranty. EXCEPT AS EXPRESSLY PROVIDED HEREIN, HEALTHBREAK MAKES NO EXPRESS OR IMPLIED WARRANTIES, AND HEALTHBREAK EXPRESSLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. HEALTHBREAK EXPRESSLY DENIES ANY REPRESENTATION OR WARRANTY ABOUT THE ACCURACY OR CONDITION OF DATA OR THAT THE SERVICES OR RELATED SYSTEMS WILL OPERATE UNINTERRUPTED OR ERROR-FREE. ARTICLE VIII CONFIDENTIALITY Section 8.01. Confidential Information. All written, electronic, or oral proprietary or confidential information or documentation received by a Party hereto (the “Receiving Party”) from the other Party (or its contractors) or trade secrets of the other Party (or its contractors) (the “Disclosing Party”) shall be deemed to be the Disclosing Party’s proprietary and confidential information (“Confidential Information”) including information disclosed prior to the effective date of this Agreement but disclosed in anticipation of its execution or the Services contemplated herein. Confidential Information includes any and all information, know-how, and data, technical or non-technical, whether written, graphic, or oral, furnished by either Party (or its contractors) or on its behalf, to the other, that is confidential and proprietary or is treated as such by the Disclosing Party and shall include without limitation (A) financial information, trade secrets, intellectual property, ideas, concepts, designs, research and technical information, business and operational policies, processes, procedures and strategies, business plans, and system design and operating specifications; (B) other information disclosed in writing by the Disclosing Party and marked as proprietary, confidential, or with a similar designation; (C) other information disclosed orally or not in a tangible medium of expression that the Disclosing Party, within 30 days of disclosure, describes and specifies in writing as being Confidential Information; and (D) information disclosed orally or in writing that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Healthbreak Confidential Information shall also include without limitation content contained in or derived from the Services, Software, VPSync application, and the member portal, including all source code, object code, executable formats, files, modifications, processes, and any and all derivative works of the Services, Software, VPSync application, and the member portal. Healthbreak understands and agrees that this Agreement and its exhibits is a public document to be approved by Eagle County in a public meeting. Confidential Information does not include this Agreement, including its pricing information, and information which, at the time of its disclosure, is in the public domain or which, after disclosure, becomes part of the public domain by publication or otherwise through no action or fault of the receiving Party. The Parties agree and covenant as follows: DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F (a) Ownership. All Confidential Information furnished, disclosed or exchanged is and shall be considered for all purposes to be the property of the Disclosing Party. (b) Disclosure. The Receiving Party shall comply with this Article VIII using at least the same degree of care as used to protect its own important confidential or proprietary information, but in any case using no less than a reasonable degree of care. The Receiving Party may disclose the Disclosing Party’s Confidential Information to its and its affiliates’ employees and independent contractors who have a need to know such information and who agree to protect the Confidential Information from unauthorized use and disclosure under standard provisions of employment or under the terms of a written agreement containing restrictive covenants at least as restrictive as those set forth herein. Healthbreak understands and agrees that this Agreement and its exhibits is a public document to be approved by Eagle County in a public meeting. Confidential Information shall not include this Agreement and its pricing information, material, data or information which is known to the Receiving Party prior to the disclosure by the Disclosing Party, which is generally available to the public or in the industry, or which has been obtained from a third party (which, to the Receiving Party’s knowledge, has a right to disclose the same). Except as contemplated by or required to perform its obligations under this Agreement, the Receiving Party shall not, either directly or indirectly, use or disclose to any third party any Confidential Information without the prior written consent of the Disclosing Party. The Receiving Party may disclose Confidential Information: (i) as required by any court or other governmental body (provided it shall give the Disclosing Party prompt notice, prior to the disclosure, so that the Disclosing Party may take steps to oppose such disclosure); (ii) as otherwise required by law; (iii) to legal counsel of the Parties; (iv) in connection with the requirements of an initial public offering or securities filing; (v) in confidence, to accountants, banks, and financing sources and their advisors; (vi) in confidence, in connection with the enforcement of this Agreement or rights under this Agreement; or (vii) in confidence, in connection with a merger or acquisition or proposed merger or acquisition, or the like. (c) Survival. The provisions of this Article VIII shall survive termination of this Agreement. DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F ARTICLE IX GENERAL TERMS Section 9.01. Independent Contractors. The Parties enter into this Agreement as independent contractors, and nothing contained in this Agreement will be construed to create a partnership, joint venture, agency, or employment relationship between the Parties. Under no circumstances shall the employees, agents, or subcontractors of one Party be considered employees or agents of the other Party. Healthbreak shall be entitled to use contractors of its own selection to complete any of its duties and obligations hereunder. Section 9.02. Non-Solicitation of Personnel. From the date hereof until one year following the termination of this Agreement, the Parties agree that they will not engage in any activities that would cause either Party’s personnel to leave the employment of the other, without the prior written consent of the other Party, that includes but is not limited to: (a) directly soliciting or employing for full-time or part- time work with the other Party or on behalf of a third party or, (b) soliciting or accepting employment applications directly or from a third-party from the other Party’s personnel. If it appears that one Party is (or threatens to be) in violation of this covenant, the other Party shall be entitled to injunctive relief to restrain the first Party from further violation, or recovery of an amount equal to 75% of the total annual compensation of such employee (including taxes, insurance, benefits and overhead) as a fee for the additional benefit obtained by the breaching party for a violation hereof. The Parties agree that, given the scarcity of qualified personnel in the labor market, and given the high cost of training replacement personnel, such amount represents a reasonable estimate of the minimum damages that are likely to accrue to the non-breaching Party in the event of the breaching Party’s violation of this provision. Such amount shall be in addition to, and not in lieu of, any other damages that the non-breaching Party may be able to demonstrate. Neither Party shall be prohibited by this provision from pursuing other remedies, including a claim for losses and damages, or termination of this Agreement for cause. Nothing contained herein will prevent a Party from hiring any employee who responds to a general hiring program conducted in the ordinary course of business and not specifically directed at such employee. Section 9.03. Service Modification. Healthbreak reserves the right to make modifications to the Services outlined below as a result in a change in the law or for the express purpose of continuously improving the effectiveness and or efficiency of the Services. Healthbreak will provide written notice to Client of any material modifications. Section 9.04. Business Associate Status. The Parties acknowledge that in providing the Services specified in this Agreement that Healthbreak is the Business Associate and not a Covered Entity under HIPAA, and that the Parties have entered into a Business Associate Agreement (“BAA”) as a condition of this Agreement. This BAA between the Parties dated August 1, 2018 is incorporated herein by this reference as Exhibit C. Section 9.05. Data Sharing. Client has contracted with Cigna Health and Life Insurance Company (“Cigna”) to provide health insurance to Client’s employees, among other services. Client consents and agrees to Healthbreak providing Member Information, as defined in the Agreement, to Cigna so Cigna may deliver the appropriate services to Client. Further, Client understands and agrees that Cigna will use and disclose de-identified and/or disassociated data for population benchmarking and normative reporting purposes. Client confirms that it has secured a Business Associate Agreement with Cigna and DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F agrees to provide a copy to Healthbreak upon execution of this Agreement. Client has also contracted with Hays Companies of Denver (“Hays”) to provide employee benefit plan consulting services. Client consents and agrees to Healthbreak providing Member Information, as defined in the Agreement, to Hays so Hays may deliver the appropriate services to Client. Further, Client understands and agrees that Cigna will use and disclose de-identified and/or disassociated data for population benchmarking and normative reporting purposes. Client confirms that it has secured a Business Associate Agreement with Hays and agrees to provide a copy to Healthbreak upon execution of this Agreement. Section 9.06. Compliance With Laws. Healthbreak agrees that all Services provided pursuant to this Agreement shall be performed in compliance with all applicable U.S. federal or state laws, rules and regulations. Section 9.07. Indemnification. (a) Client is a governmental entity under the [Colorado Governmental Immunity C.R.S. § 24-10-106 as amended (the “Act”). Nothing in this Agreement shall be construed as a waiver by Client of any protections, rights, or defenses applicable to Client under the Act. It is not the intent of Client to incur by contract any liability for the operations, acts, or omissions of Healthbreak or any third party and nothing in this Agreement shall be so interpreted or construed. (b) Healthbreak shall indemnify and hold harmless Client, and any of its officers, agents and employees against any third-party claims for losses, claims, damages or liabilities for which Client may become subject to insofar as any such losses, claims, damages or liabilities arise out of this Agreement and are based upon (y) any performance or nonperformance by Healthbreak of its obligations under Article II hereunder or (z) Healthbreak’s gross negligence, fraud or willful misconduct; and Healthbreak shall reimburse Client for reasonable attorney fees and costs, legal and other expenses incurred by Client in connection with investigating or defending any such loss, claim, damage, liability or action. This indemnification shall not apply to claims by third parties against the Client to the extent that Client is liable to such third party for such claims without regard to the involvement of Healthbreak. This paragraph shall survive expiration or termination hereof. Section 9.08. Limitation of Liability. Neither Healthbreak nor Client will be responsible for special, indirect, incidental, punitive, consequential, or other similar damages, including but not limited to lost profits, that the other Party may incur or experience in connection with this Agreement, whether in contract, tort, or otherwise, however caused, even if such Party has been advised of the possibility of such damages. Each Party’s aggregate liability to the other party or any third party for any claims, losses, injuries, suits, demands, judgments, liabilities, costs, expenses or damages for any cause whatsoever (including, but not limited to, those arising out of or related to the Agreement), regardless of the form of action or legal theory, shall not exceed the amount of insurance each Party is required to maintain under Section 4.09 of this Agreement. Notwithstanding the foregoing, in the event of a default by Client of any of the provisions of this Agreement, Healthbreak, without limiting any other remedies provided for in this Agreement, at law or in equity, shall be entitled to immediately accelerate and recover any and all amounts then due or to become due from Client pursuant to the provisions of this Agreement during the remaining Term of this Agreement. Section 9.09. Applicable Law. The validity of this Agreement and any of its terms and provisions or the Parties’ rights and duties shall be interpreted and enforced in accordance with the laws of the State of Colorado, without regard to its principles of conflict of laws. Any dispute or claim from this Agreement shall be resolved exclusively in the federal or state courts of the State of Colorado and the DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F Parties hereby irrevocably submit to the personal jurisdiction of said courts and waive all jurisdictional defenses thereto. Section 9.10. Force Majeure. Neither Client nor Healthbreak shall be deemed to be in default of any provision of this Agreement, or for failures in performance, resulting from acts or events beyond its reasonable control. Without limitation, such acts may include acts of God, civil or military authority, terrorists, civil disturbance, war, strikes, fires, other catastrophes, labor disputes, parts shortages, or other events beyond the Parties’ control. If a Party’s non-performance under this Section 8.11 extends for 30 days or longer, the Party affected by such non-performance may terminate this Agreement by providing written notice thereof to the other Party. Section 9.11. No Waiver. The failure of either Party hereto to enforce at any time any of the provisions of this Agreement, or the failure to require at any time performance by the other Party of any of the provisions of this Agreement, shall in no way be construed to be a present or future waiver of such provisions, nor in any way affect the validity of either Party to enforce each and every such provision thereafter. The express waiver by either Party of any provision, condition or requirement of this Agreement shall not constitute a waiver of any future obligation to comply with such provision, condition, or requirement. Section 9.12. Assignment. No Party may assign any of its rights or delegate any of its obligations under this Agreement without the prior written consent of the other Party, except that a merger, acquisition, change in control, change of ownership or a majority interest, or the sale of a significant portion of the assets of either Party shall not constitute an assignment or delegation hereunder. Notwithstanding the foregoing, this Agreement will apply to, be binding in all respects upon and inure to the benefit of the successors and permitted assigns of the Parties. Nothing expressed or referred to in this Agreement will be construed to give any Party other than the Parties to this Agreement any legal or equitable right, remedy or claim under or with respect to this Agreement or any provision of this Agreement, except such rights as shall inure to the successors and assigns of either Party permitted under the first sentence of this Section 9.14. Section 9.13. No Third-Party Beneficiaries. Healthbreak and Client intend that this Agreement will not benefit or create any right or cause of action in or on behalf of any person or entity other than the Parties, other than any rights or benefits conferred hereunder to Healthbreak’s employees, partners, contractors, subcontractors, or agents, including but not limited to VP. Section 9.14. Notices. Any notice or demand required under this Agreement, other than rate adjustment or renewal notices, will be in writing, will be personally served or sent by certified mail, return receipt requested and postage prepaid, or by a recognized overnight carrier which provides proof of receipt, and will be sent to the attention of person(s) at the address specified below. Rate adjustment notices or renewal notices may be provided by standard commercial means, including e-mail and/or facsimile transmission. to Healthbreak: Healthbreak Inc. Kathy Knudsen DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 601 – 16th Street, Suite C-311 Golden, Colorado 80401 720.344.9507 kknudsen@healthbreakinc.com to Client: Eagle County Government Hollis Dempsey 500 Broadway P.O. Box 850 Eagle, Colorado 81631-0850 970.328.8793 hollis.dempsey@eaglecounty.us with copy to County Attorney: County Attorney’s Office 500 Broadway P.O. Box 850 Eagle, Colorado 81631-0850 Section 9.15. Headings. The headings of the sections and subsections of this Agreement are for reference only and will not affect in any way the meaning or interpretation of this Agreement. Section 9.16. Severability. In the event that one or more of the provisions of this Agreement is deemed invalid, unlawful and/or unenforceable, then only that provision will be omitted, and will not affect the validity or enforceability of any other provision; the remaining provisions will be deemed to continue in full force and effect. Section 9.17. Survivability of Obligations. All provisions of the Agreement that impose continuing obligations on the Parties, including but not limited to Section 4.12, the warranty, indemnity and confidentiality obligations of the Parties, shall survive the expiration or termination of the Agreement. Section 9.18. Entire Contract; Counterparts. This Agreement and the Schedules, Attachments and Exhibits hereto constitute the entire contract between Client and Healthbreak regarding the Services to be provided hereunder. Any agreements, promises, proposals, negotiations, or representations (whether written, oral, express, or implied) which are not expressly set forth in this Agreement are of no force or effect. This Agreement may be executed in any number of counterparts, each of which will be deemed to be the original, but all of which shall constitute one and the same document. No amendments to this Agreement will be effective unless made in writing and signed by duly authorized representatives of both Parties. The Parties acknowledge and agree that the execution and delivery of this Agreement by facsimile or e-mail transmission shall be valid and binding. Section 9.19. HIPAA. In addition, to the confidentiality provisions set forth elsewhere in of this Agreement, the Parties desire to comply with the Standards for Privacy of Individually Identifiable Health Information promulgated by the Department of Health and Human Services at 45 CFR parts 160 and 164, subparts A and E (“Privacy Rule”) under HIPAA. The Parties shall ensure that their directors, officers, employees, contractors, and/or agents do not use or further use or disclose Protected Health Information DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F (as defined in the Privacy Rule) in any manner that would constitute a violation of the Privacy Rule other than as permitted or required by law. The Parties agree to implement all necessary safeguards to prevent the use or disclosure of the Protected Health Information (as defined in the Privacy Rule) and to mitigate, to the extent practicable, any potential business pattern, practice or effect that is known to the Parties to be in violation of the requirements of the Privacy Rule. The parties acknowledge and agree to cooperate and modify the terms of this Agreement for any changes to HIPAA which require modifications herein. IN WITNESS WHEREOF, the parties hereto have executed this Agreement on the year and date first above written. COUNTY OF EAGLE, STATE OF COLORADO By and Through Its COUNTY MANAGER BY: _____________________ Jeff Shroll, County Manager HEALTHBREAK, INC. By Name Title DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F President Kathy Knudsen ATTACHMENT A SERVICE SPECIFICATIONS WELLNESS PLATFORM – VIRGIN PULSE IGNITE PRODUCT Ignite is a social wellbeing solution designed to strengthen corporate culture, increase employee engagement, and enhance productivity. Ignite connects Members through individual and team-based challenges that drive collaboration, organizational alignment, sustained healthy habits, and drive higher participation in all your HR programs and benefits through an integrated, extensible platform. Ignite is delivered through a web and mobile (iOS and Android) platform with services for implementation, ongoing account management, Member engagement and Member support. PROGRAM DESIGN & INCENTIVES Configure your program design based on your well-being goals, with incentives to drive program participation and improved health outcomes Program Structure Configure a task-based program incentive and reward structure Incentive & Reward Structure Member rewards will be configured based on client requirements, options include: • Employer-Sponsored Rewards – reward Members with a variety of reward options including, but not limited to. healthcare contributions, local incentives, cash, gift cards, etc. May be awarded based on program achievements and actions or via periodic data file transfers from client or client’s 3rd party partners. Data files must be transmitted in the required Virgin Pulse file format • Subsidized Tracking Devices – Members may redeem employer-subsidized discount codes in the Virgin Pulse Store for popular consumer tracking device Branding & Customization Client may customize program elements to reflect its culture and brand, including: • Create a vanity URL for Member access to the web platform • Add a corporate/wellness logo to the program website, mobile app and emails • Create calendar events ASSESSMENT & MEASUREMENT Tools to help Members assess their health status and risks Health Assessment Assessment tool that makes Members aware of their health risks and enables personalized recommendations. 3rd Party Biometric Screening Integration Integrate biometric screening results from your designated screening vendor: • Vendor must transmit data in the required VP file format • Data is displayed to member and used to drive program recommendations • Aggregate data collected from the biometric screening will be provided • See Biometric Services section for screening details Biometric Screening Data Migration Four years of Member data will be migrated from the SimplyWell platform into VP platform as part of the Initial Term. CHALLENGES & SOCIAL SUPPORT Drive engagement, foster friendly competition, and support a culture of wellbeing Challenge Types Destination Challenges – themed, team-based step challenges traversing destinations virtually and unlocking engaging content at challenge milestones, deployable company-wide, includes Destination Challenge Theme Library, chat, leaderboards, automated communications, and configurable team size and start/end dates Basic Challenges – team-based challenges in which Members compete in simple, themed step competitions, deployable company-wide or to population segments (business unit, location), includes Basic Challenge Theme Library, chat, leaderboards, automated communications, and configurable team size and start/end dates Monthly Promoted Healthy Habit Challenges – clients may run week-long company-wide healthy habit challenges. Choose from Virgin Pulse’s calendar of challenges or create customized challenges. Individual Challenges – Members may challenge friends to compete in week-long Healthy Habit Challenges; one-day, weekend or work week Personal Step Challenges; and an ongoing 7-day Friends Leaderboard step challenge DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F WELLNESS PLATFORM – VIRGIN PULSE IGNITE PRODUCT Challenges & Challenge Administration Virgin Pulse/Healthbreak Administered Challenges – Healthbreak will administer two (2) Virgin Pulse company challenges per year, as requested, in which Members compete in a themed step competition. Client chooses from the Virgin Pulse library of preconfigured challenge themes. Client Administered Challenges - Client administrators and champions with appropriate permissions may use a self-service administrative tool to deploy unlimited company challenges. Choose from the Challenge Theme Library or create your own custom theme (client supplies custom content and images), and configure challenge settings (start/end dates, etc.). Friends Members may connect with Members inside your company to participate in challenges and compare activities and may invite up to 10 people outside your company to be friends. Friends outside the company have access to a generic experience without rewards. Groups Members may join and create groups based on interests. PARTNER & PROGRAM INTEGRATIONS Integrate and promote HR programs, benefits, tools, events and information to drive awareness, usage and impact Client Programs/Partners Integrate your programs, benefits, tools and information in one unified employee portal, including: • Personalized Program Page – at launch list up to five (5) programs and resources in a program directory with personalized recommendations and ability to host PDFs with additional program info for Members. After launch client may add additional programs. • Targeted Promotion & Communication – drive program awareness and utilization by promoting recommended programs via web, mobile app. • Clients may reward Members for program achievements and actions via periodic data file transfers for up to three (3) integrated programs from client or client’s 3rd party partners. Data files must be transmitted in the required Virgin Pulse file format. Personalization Engine A flexible recommendation system that allows clients to create a personalized benefit experience by targeting programs to Members based on criteria such as eligibility, demographics, health risks, readiness to change and wellbeing interests Targeted Promotion & Communications Drive program awareness and utilization by promoting recommended programs via automated web (e.g., program and calendar cards, programs page, calendar), mobile (e.g., program and calendar cards, programs page, calendar) and communication campaigns with options for email, site pop-up, mobile in-app message and mobile push notifications, and offline communications (see Member Communications section for details). Event & Community Calendar Promote events via a monthly calendar targeted to specific business units, locations, or company- wide. Virgin Pulse Journeys Digital Coaching Members have access to online digital coaching on lifestyle and health condition topics that help Members stress less, move more, eat better, cut back on alcohol, quit smoking, manage diabetes, and improve financial wellbeing and musculoskeletal health. Available in US. TRACKING DEVICES & APPS Connect consumer trackers and apps to drive engagement Consumer Health Trackers Members may connect 50+ popular mobile health apps, wearables and health tracking devices to the Virgin Pulse program to track validated health metrics Virgin Pulse App & Device Partners Integrated Virgin Pulse app and device partners create an integrated Member experience including data sharing (e.g., steps, active minutes, calories consumed, etc.), incentives, and integrated reporting ADMINISTRATIVE TOOLS Tools to help manage your program Eligibility File Processing Processing of eligibility files submitted by client in Virgin Pulse standard file format Client Admin Portal Program administrators can use web-based management tools to manage and segment components of their Virgin Pulse program, including calendar events, challenges, daily cards, healthy habits and wellbeing pillars and topics. Self-Service Ticketing Tool Support for feature configuration requests, custom content and Member issues via a self-service ticketing tool. PROGRAM ANALYTICS Insight into program usage and performance Client receives one (1) Analytics seat to access an on-demand dashboard updated daily with program metrics including enrollment, engagement, program usage, challenge tracking, external programs, HRA, biometrics, etc. Features include ability to DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F WELLNESS PLATFORM – VIRGIN PULSE IGNITE PRODUCT filter by location and business unit, ability to export for sharing with stakeholders, alerts/KPIs, custom dashboards, and in- platform chat MEMBER COMMUNICATIONS Drive program awareness, enrollment and participation Launch Communications – Virgin Pulse administered activation campaign including three (3) emails sent to Eligible Members, four (4) posters, four (4) digital displays, one (1) print-ready postcard and one (1) program infosheet (client assumes any printing, distribution costs). Ability to add client logo to all communications. Ongoing Engagement Campaigns – automated, system-generated emails sent by Virgin Pulse to Participants to drive program participation Platform Notifications – client may communicate timely notifications to Members via platform notification feature, including ability to segment notifications Configured Email Communications – Virgin Pulse support for up to two (2) configured emails per year. Emails include standard images and layout plus client copy changes and/or client colors. LANGUAGES Drive program awareness, enrollment and participation The Ignite web platform and mobile app are translated into the following languages: US English, UK English, Chinese (Simplified), Chinese (Traditional), French (European), French (Canadian), German, Italian, Japanese, Korean, Malay, Polish, Portuguese (Brazilian), Russian, Spanish (Latin American), Spanish (European), Swedish, Vietnamese. An in-language mobile web browser experience is also available in these languages. MEMBER SUPPORT Post-launch Member support Online Support Members may access a knowledgebase of helpful program information and problem resolutions via the Support section of the program site or they may submit questions via the Support form Member Services Provides Member-level support after launch via phone (888-671-9395) and email (support@virginpulse.com) from 8am-9pm EST, Monday-Friday; and chat 2am-9pm EST, Monday- Friday. BIOMETRIC SERVICES Biometric services will be performed through Healthbreak’s screening partner, Preventive Health Now (PHN) Physician Lab Forms • Forms containing Member biometric data is sent directly to screening partner from the Member or third party authorized by the Member. • Forms must be signed by the health care provider and/or laboratory before it can be accepted. • Refer to 3rd Party Biometric Screening Integration HEALTHBREAK PROGRAM MANAGEMENT SERVICES Services to successfully launch your program and ensure ongoing program success. Implementation Services • 90-day standard implementation timeline • Scheduled implementation meetings with Client • Program design consulting & incentive forecasting • Delivery of IT requirements documentation • Setup and testing of initial eligibility file and ongoing eligibility file process • Configuration and setup of Virgin Pulse platform according to Client’s specifications • Setup and loading of biometric data feed from 3rd party vendor • Setup of applicable reward redemption options and ecommerce store • Coordination of standard launch communication deliverables • Coordination of device fulfillment & logistics if applicable • Coordination, setup and testing of file integrations with client’s 3rd party vendors DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F HEALTHBREAK PROGRAM MANAGEMENT SERVICES Program Management A Client Service Manager will be responsible for proactive program management and client outreach to optimize program performance. Services will include: • Weekly calls (1 hour) during implementation • Status Calls o Weekly / Bi-Weekly for first quarter after launch. • After first quarter moves to monthly • Service Reviews o Quarterly • Monthly newsletter including new feature announcements and engagement promotion updates ADDITIONAL BUY-UP OPTIONS Services to drive program success SURVEY TOOLS Tools to educate and gather feedback Virgin Pulse Surveys Additional fees apply Build and deploy employee surveys to members via the Virgin Pulse platform: • Create and publish surveys and access survey results via Healthbreak service team • Members complete surveys/polls/quizzes directly through the Virgin Pulse platform • Survey types include quick (1-2 questions), eNPS and custom (unlimited questions) surveys • Question types include polls, quizzes, multiple choice, rating scale, mood and free text • Surveys may be deployed to members organization-wide or to specific org hierarchy segments • Promote surveys prominently on web and mobile via program cards • Professional Services Professional staffing and custom programs to extend your HR team Professional Staffing Additional fees apply Healthbreak can dedicate offsite wellness specialists to assist you in other wellness program administration and coordination areas.. Custom Well-Being Programs Additional fees apply • Employee Needs Assessments, Productivity Assessments & Culture Audits • Creation and oversight of wellness champions • Policy and culture evaluation and improvement plans • Leadership engagement and support training • Health education and training • Development and implementation of custom wellness seminars, webinars, wellness challenges, lifestyle programs and healthy living campaigns Custom Design Services Additional fees apply • Copy writing, editing and graphic design • Fulfillment options including print and mailing services Custom Reports Additional fees apply • Custom reports are available for an additional fee. • Fees are quoted based on scope of request. • • Verified Forms • Creation and/or administration of digital forms DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F Additional fees apply DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F ATTACHMENT B BILLING AND PAYMENT SCHEDULE Client fee schedule below is based on the following: Program Launch Date: January 1, 2021 Eligible Members: 444 Employees, 274 Spouses/Partners SERVICES Product or Service Details Fees Annual Set-Up Fee Per Year Includes program orientation webinar to help Eligible Members understand platform & features. $2,500 Wellness Platform – Virgin Pulse Ignite Per Eligible Per Month (PEPM) Billed bi-monthly in advance Employees: $3.65 Spouses: $1.85 Biometric Services – PHN Physician Lab Forms Set up + per processed form $300 stand-alone service set-up fee $14.00 per form Healthbreak Program Management Per service year Included Additional Buy-Up Options Quoted Upon Request Agreed upon in writing by both Parties prior Professional Services Hourly in quarter hour increments $65 per hour for request assistance outside of the defined Healthbreak Program Management Services DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F EXHIBIT A DEFINITIONS “Annual Service Period” means the period beginning on the Launch Date and continuing for twelve months. Also referred to as Program Year. “Authorized User” means a person who is authorized by Healthbreak or its contractors to use the Services website. Authorized Users include Client personnel acting in their capacity as Client representatives, Eligible Members and third parties as agreed to by the Parties. “Biometric Screening” means a service provided by Healthbreak, its contractors or a third- party that includes the collection of blood via finger stick or venipuncture and/or the collection of certain other biometric data. For Eligible Members not able to attend a Screening Event(s) at Client’s Worksite, Healthbreak and/or Client may direct such Eligible Members to a third-party location for blood work. “Connected Partner(s)” shall mean any of Client’s third-party vendors, with whom Client has a direct relationship, that Client requests be integrated or connected, as applicable in the context of the services offered by such Connected Partners, to the Program. “Electronic File Transfer” means the uploading or downloading of data files via a secure environment, or other host or server that may be listed in a Service Schedule, of Healthbreak or its contractors. “Eligibility File” means a data file provided by Client or its designated third party with a listing of persons eligible for services and including all of the data fields necessary for a person to be identified as Eligible Members of Client that meets Healthbreak’s Eligibility Management Specifications. “Eligibility Management Specifications” means the guidelines and any conditions provided by Healthbreak that are associated with the electronic file transfer of Eligibility Files. “Eligible Members” means those Members eligible for Services hereunder, and may include benefit eligible employees, non-benefit eligible employees, spouses or domestic partners. The specific number of Client’s Eligible Members shall be set forth in Attachment B. “Health Professional(s)” means Personnel of Healthbreak or its contractors who interact with Members for purposes of health management, including Health Coaches, Clinicians, Screening Specialists and Health Specialists. “Health Status Factor” has the meaning ascribed in either or both the Health Insurance Portability and Accountability Act of 1996 (“HIPAA ”) and the Code of Federal Regulations (“CFR”) as described in the HIPAA non-discrimination rules published December 13, 2006 at 26 CFR Part 54, 29 CFR Part 2590, and 45 CFR Part 146. “Healthbreak Client Services” means the Healthbreak personnel primarily responsible for managing the Implementation and coordination of ongoing Services deliverable under this Agreement. DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F “Implementation Period” means the period between the Effective Date of the Agreement and the Launch Date for Services. “Implementation” means the process of preparing to deliver Services under the Agreement that occurs between the Effective Date and the Launch Date. “Incentive Reward” means a financial inducement arranged, provided and/or funded by Client designed to encourage Eligible Members to become Participants and may include, but is not limited to, payroll deduction premium credits or surcharges, cash, paid time off, and gift cards. “Incentives Management” means the process of tracking and evaluating the participation in activities or offerings and/or completion of a combination of requirements necessary to determine whether a Participant has qualified for an incentive, and the reporting associated therewith. “Launch Date” means the date during the first year and subsequent years of the Agreement upon which Eligible Members may first access, use, or enroll in health management Services available under the Agreement, including use of the Member Portal. “Member Policies” shall mean the Membership Agreement, Privacy Policy, consents and any additional legal notices provided by Healthbreak or its contractors during enrollment that must be executed by Eligible Members who desire to become Participants, and as updated from time to time. “Member Portal” means the portion of the Services where Eligible Members may access the Program. “Member” means a person with a record maintained in the Member Portal. “Participant” means a Member who elects to participate in any of the Services available under the Agreement. “PEPM” means per Eligible Member per Month. “Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 C.F.R. 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity. Protected Health Information shall include Electronic Protected Health Information “Program or Program Design” shall mean a proprietary, interactive health and fitness program, including the Services, which provides Eligible Members with incentives for increased activity and healthy behaviors; as applicable, interactive challenges to improve the Members engagement; and a combination of activity and biometric tracking devices, along with a personalized online program portal, to help Participants monitor their daily activity and track measurable health outcomes. “Software” means any all programs and operating information of Healthbreak or its contractors (including but not limited to VP) included in or required to access and use the Services, including, without limitation, the Member Portal, the VPSync application, and any subsequent DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F revisions or modifications thereto which are furnished to Client. The term Software does not include any proprietary software of a third party. DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F EXHIBIT B CERTIFICATE OF INSURANCE (EFFECTIVE __________________) DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? INSR ADDL SUBR LTR INSD WVD PRODUCER CONTACT NAME: FAXPHONE (A/C, No):(A/C, No, Ext): E-MAIL ADDRESS: INSURER A : INSURED INSURER B : INSURER C : INSURER D : INSURER E : INSURER F : POLICY NUMBER POLICY EFF POLICY EXPTYPE OF INSURANCE LIMITS(MM/DD/YYYY)(MM/DD/YYYY) AUTOMOBILE LIABILITY UMBRELLA LIAB EXCESS LIAB WORKERS COMPENSATION AND EMPLOYERS' LIABILITY DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) AUTHORIZED REPRESENTATIVE EACH OCCURRENCE $ DAMAGE TO RENTEDCLAIMS-MADE OCCUR $PREMISES (Ea occurrence) MED EXP (Any one person)$ PERSONAL & ADV INJURY $ GEN'L AGGREGATE LIMIT APPLIES PER:GENERAL AGGREGATE $ PRO-POLICY LOC PRODUCTS - COMP/OP AGGJECT OTHER:$ COMBINED SINGLE LIMIT $(Ea accident) ANY AUTO BODILY INJURY (Per person)$ OWNED SCHEDULED BODILY INJURY (Per accident)$AUTOS ONLY AUTOS HIRED NON-OWNED PROPERTY DAMAGE $AUTOS ONLY AUTOS ONLY (Per accident) $ OCCUR EACH OCCURRENCE CLAIMS-MADE AGGREGATE $ DED RETENTION $ PER OTH- STATUTE ER E.L. EACH ACCIDENT E.L. DISEASE - EA EMPLOYEE $ If yes, describe under E.L. DISEASE - POLICY LIMITDESCRIPTION OF OPERATIONS below INSURER(S) AFFORDING COVERAGE NAIC # COMMERCIAL GENERAL LIABILITY Y / N N / A (Mandatory in NH) SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF,NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED.NOTWITHSTANDING ANY REQUIREMENT,TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN,THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER.THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND,EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW.THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S),AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. IMPORTANT:If the certificate holder is an ADDITIONAL INSURED,the policy(ies)must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED,subject to the terms and conditions of the policy,certain policies may require an endorsement.A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). COVERAGES CERTIFICATE NUMBER:REVISION NUMBER: CERTIFICATE HOLDER CANCELLATION © 1988-2015 ACORD CORPORATION. All rights reserved.ACORD 25 (2016/03) CERTIFICATE OF LIABILITY INSURANCE DATE (MM/DD/YYYY) $ $ $ $ $ The ACORD name and logo are registered marks of ACORD HEALT-9 OP ID: BP 11/11/2020 McCann, LLC Alliance Insurance Agency McCann LLC James McCann 1895 Youngfield St. #3 Golden, CO 80401 McCann, LLC 303-237-1220 303-235-8501 j.mccann@allinsgrp.com Capital Specialty Pinnacol Assurance Healthbreak Inc. 601 16th St Suite C-311 Golden, CO 80401 A X 1,000,000 X MM20142096-06 07/24/2020 07/24/2021 100,000 5,000 1,000,000 3,000,000 X 1,000,000 1,000,000A MM20142096-06 07/24/2020 07/24/2021 X X XB 4226396 10/01/2020 10/01/2021 1,000,000 1,000,000 1,000,000 A MM20142096-06 07/24/2020 07/24/2021 Aggregate 3,000,000 Liability Per claim 1,000,000 Eagle County Government is additional insured per policy terms and conditions. EAGLECT Eagle County Government Hollis Dempsey 500 Broadway PO Box 850 Eagle, CO 81631 303-237-1220 41190 Professional DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F EXHIBIT C BUSINESS ASSOCIATE AGREEMENT [Previously executed BAA to be Inserted Here] DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 1 BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this “Agreement”) is by and between Eagle County, Colorado, a body corporate and politic (collectively referred to hereinafter as the Covered Entity”) and Healthbreak, Inc. (“Business Associate”) effective as of August 1, 2018 Effective Date”). W I T N E S S E T H: WHEREAS, Business Associate provides certain services to Covered Entity that requires Business Associate to have access to certain Protected Health Information (defined below), and, in connection with those services, Covered Entity may disclose to Business Associate, or Business Associate may create on Covered Entity’s behalf, Protected Health Information that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 HIPAA,” found at Public Law 104-191), and certain privacy and security regulations promulgated by the U.S. Department of Health and Human Services to implement certain provisions of HIPAA and the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), as modified by the Final Omnibus Rule effective as of March 26, 2013 collectively, the “HIPAA Regulations”) found at 45 C.F.R. Parts 160, 162 and 164; and WHEREAS, Covered Entity is a “covered entity,” as that term is defined in the HIPAA Regulations; and WHEREAS, Business Associate is a “business associate” of Covered Entity, as that term is defined in the HIPAA Regulations; and WHEREAS, pursuant to the HIPAA Regulations, all business associates of Covered Entity, as a condition of doing business with Covered Entity, must agree in writing to certain mandatory provisions regarding, among other things, the privacy and security of Protected Health Information; NOW THEREFORE, IN CONSIDERATION OF THE FOREGOING, and the mutual promises and covenants contain herein, the Parties agree as follows: Section 1. Definitions. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Regulations. Breach” means the unauthorized acquisition, access, use, or disclosure of Protected Health Information, which compromises the security or privacy of such Protected Health Information, but does not include circumstances excluded from the definition of Breach as provided in 45 C.F.R. 164.402. Data Aggregation” has the same meaning as the term “data aggregation” in 45 C.F.R. 164.501. Designated Record Set” has the same meaning as the term “designated record set” in 45 C.F.R. 164.501. DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2 C18-256 DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 2 Electronic Protected Health Information” or “ePHI” has the same meaning as the term electronic protected health information” in 45 C.F.R. 160.103, limited to information created, or received or transmitted by Business Associate from or on behalf of Covered Entity. Individual” has the same meaning as the term “individual” in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g). Limited Data Set” has the same meaning as the term “limited data set” in 45 C.F.R. 164.514(e)(2). Notice of Privacy Practices” means a notice of privacy practices that complies with the standards set out in 45 C.F.R. 164.520. Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. parts 160 and 164. Protected Health Information” or “PHI” has the same meaning as the term protected health information” in 45 C.F.R. 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity. Protected Health Information shall include Electronic Protected Health Information. Required by Law” has the same meaning as the term “required by law” in 45 C.F.R. 164.103. Secretary” means the Secretary of the U.S. Department of Health and Human Services or his designee. Security Standards” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. parts 160 and 164. Section 2. Obligations and Activities of Business Associate. a) Specific Uses and Disclosures. Except as otherwise limited in this Agreement, Business Associate may receive, create, use, disclose, maintain, or transmit Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity provided that such use or disclosure would not violate the Privacy Rule or Security Standards if done by Covered Entity and as permitted herein. To the extent Business Associate is carrying out any obligation of Covered Entity with respect to the HIPAA Regulations, Business Associate shall comply with such requirements of the HIPAA Regulations that apply to Covered Entity in the performance of such obligations. Business Associate shall recognize that the HITECH Act of 2009 and the regulations thereunder (including 45 C.F.R. Sections 164.308, 164.310, 164.312, and 164.316), apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. b) Administrative Uses and Disclosures. Except as otherwise limited in this Agreement, Business Associate may only use or disclose Protected Health Information DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 3 for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate provided the disclosures are Required by Law. Notwithstanding anything to the contrary set forth herein, Business Associate may use and or disclose the PHI only as follows: i) Business Associate may use or disclose PHI as Required by Law; ii) Business Associate may use or disclose PHI as necessary to carry out the Services set forth in the Worksite Wellness Services Agreement; iii) Business Associate may use PHI in its possession for the proper management and administration of any of its subcontractors or to carry out its legal responsibilities; iv) Business Associate may disclose PHI for the proper management and administration of any of its subcontractors or to carry out the legal responsibilities of any of its subcontractors, provided the disclosures are Required by Law, or subcontractor obtains written assurances from the person or entity to whom the information is disclosed that the information will remain confidential and be used or further disclosed as required by 45 C.F.R. § 164.504(e)(4) and § 164.314, and the person or entity notifies subcontractor in writing of any instances of which it is aware in which the confidentiality of the information has been breached or compromised; and v) If specifically identified in the Worksite Wellness Services Agreement, Business Associate is authorized to provide data aggregation services relating to the Covered Entity or use the PHI for data aggregation purposes. c) Data Aggregation. Business Associate may provide Data Aggregation services relating to the health care operations of Covered Entity. d) Other Business Associates. As part of its providing functions, activities, and/or services to Covered Entity as identified in Section 2(a), Business Associate may disclose Protected Health Information, to other business associates of Covered Entity and may use and disclose Protected Health Information, received from other business associates of Covered Entity as if this information was received from, or originated with, Covered Entity. e) Permitted Uses and Disclosures. Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by this Agreement, the Worksite Wellness Services Agreement, or as Required by Law. f) Safeguards for Protection of Protected Health Information. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 to protect the confidentiality, integrity, and availability of and prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement, the Worksite Wellness Services Agreement, or as Required by Law. DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 4 g) Reporting of Unauthorized Uses or Disclosures. Business Associate agrees to report to Covered Entity, in writing any use or disclosure, including Breach, of the Protected Health Information not provided for by this Agreement or in the Worksite Wellness Services Agreement. All reports of unauthorized uses or disclosures, including Breaches, shall be made within three (3) business days of Business Associate discovering the unauthorized uses or disclosures, including Breaches, and shall include the information specified at 45 CFR § 164.410 h) Content of Report of Breach. In the event of a Breach of Protected Health Information, Business Associate shall provide Covered Entity a written report, to include: i) the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach; ii) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; iii) a description of the types of PHI that were involved in the Breach i.e., full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information that were involved); iv) any steps that Covered Entity or the Individual (impacted by the Breach) should take to protect himself or herself from potential harm resulting from the Breach; v) a brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to the Individual, and to protect against further Breaches; and vi) contact procedures for Covered Entity to ask Business Associate questions or learn additional information from Business Associate, which shall include a telephone number, an e-mail address, and postal address. i) Mitigation of Unauthorized Uses or Disclosures. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate, or one of its agents or subcontractors, of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement or the HIPAA Regulations. Business Associate shall promptly reimburse Covered Entity all reasonable costs incurred by Covered Entity with respect to providing notification of and mitigating a Breach involving Business Associate, including but not limited to printing, postage costs and toll-free hotline costs. Attorney’s fees are not considered a reimbursable expense under this provision unless Business Associate retains the attorney and has the ability to supervise and control the attorney with full consent of the Covered Entity. DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 5 j) Agents and Subcontractors. Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of Business Associate or on behalf of Covered Entity, agrees to protect the PHI and such agents, including a subcontractor, is subject to the same restrictions and conditions as the Business Associate. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards and security measures to protect such Electronic Protected Health Information. k) Authorized Access to Protected Health Information. Business Associate agrees to provide access, at the written request of Covered Entity, and in the time and manner (including, as applicable, in electronic format or electronic copies) reasonably designated by Covered Entity, to PHI in a Designated Record Set, to the Individual or to Covered Entity in order to allow Covered Entity to meet the requirements under 45 C.F.R. 164.524. l) Accounting for Uses and Disclosures. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with: i) the HIPAA Regulations accounting requirements as provided in 45 C.F.R. 164.528; and ii) the accounting requirements as provided in the HITECH Act, as amended, in the event Covered Entity uses or maintains an electronic health record at any time during this term of this Agreement. Business Associate agrees to provide to Covered Entity information collected in accordance of this Section to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information. m) Safeguards for Protection of Electronic Protected Health Information. Business Associate shall utilize appropriate and commercially reasonable administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of Electronic Protected Health Information maintained or transmitted on behalf of Covered Entity, other than as provided for by this Agreement. n) Security Incidents. Business Associate agrees to report to Covered Entity, within a reasonable time from discovery, any security incident involving a breach of unsecure PHI of which Business Associate becomes aware. o) General Privacy Rule and Security Standards Compliance. Business Associate acknowledges that Business Associate is Required by Law to comply with the HIPAA Security Standards in accordance with 45 C.F.R. 164.302 through 164.316 and the provisions of the HIPAA Privacy Rule in accordance with 45 C.F.R. 164.504(e) in the DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 6 same manner that such sections apply to Covered Entity, with respect to compliance with the standards in 45 C.F.R. 164.502(e) and 45 C.F.R. 164.504(e). p) Minimum Necessary Requirement. Business Associate shall comply with the minimum necessary requirement, in accordance with 45 C.F.R. 164.502(b) of the HIPAA Regulations, with respect to the use, disclosure, or request of Protected Health Information by limiting such Protected Health Information, to the extent applicable, to: i) the Limited Data Set; or ii) the minimum necessary to accomplish the intended purpose of such use, disclosure or request. q) Data Ownership. Business Associate acknowledges that it has no ownership rights with respect to PHI. r) Business Associate Insurance. Business Associate shall maintain insurance to cover loss of Protected Health Information data and claims based upon alleged violation of privacy rights through the improper use or disclosure of Protected Health Information. s) Audits, Inspection, and Enforcement. Within ten (10) business days of a written request by Covered Entity, Business Associate and its agents or subcontractors shall allow Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies, and procedures relating to the use or disclosure of PHI pursuant to this Agreement for the purpose of determining whether Business Associate has complied with this Agreement; provided, however, that: (i) Business Associate and Covered Entity shall mutually agree in advance upon the scope, timing, and location of such an inspection; and (ii) Covered Entity shall protect the confidentiality of all confidential and proprietary information of Business Associate to which Covered Entity has access during the course of such inspection. The fact that Covered Entity inspects, or fails to inspect, or has the right to inspect, Business Associate's facilities, systems, books, records, agreements, policies, and procedures does not relieve Business Associate of its responsibility to comply with this Agreement, nor does Covered Entity's (i) failure to detect or (ii) detection, but failure to notify Business Associate or require Business Associate's remediation of any unsatisfactory practices, constitute acceptance of such practice or a waiver of Covered Entity's enforcement rights under this Agreement. The Covered Entity may request one (1) audit within a twelve 12) month period, unless extenuating circumstances require additional audit requests. Section 3. Obligations of Covered Entity. a) Notice of Privacy Practices. Covered Entity shall provide Business Associate with its Notice of Privacy Practices, as well as any changes to such notice, if such changes affect Business Associate’s use or disclosure of PHI or ePHI. DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 7 b) Revocation of Permitted Use or Disclosure of Protected Health Information. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect Business Associate’s permitted or required uses and disclosures. c) Restrictions on Use of Disclosure of Protected Health Information. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. d) Requested Uses or Disclosures of Protected Health Information. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity and affirms that any request to use or disclose Protected Health Information meets the minimum necessary requirement. Except that Business Associate may use or disclose Protected Health Information for management, administrative, and legal activities of Business Associate and for Data Aggregation. Section 4. Term and Termination. a) Term. Except as otherwise provided, this Agreement shall commence on the Effective Date and continue until all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity (except for any data maintained for Data Aggregation purposes or as otherwise allowed to be retained pursuant to the Worksite Wellness Services Agreement) or, if Business Associate believes that it is infeasible to return or destroy such Protected Health Information, the protections are extended to such information in accordance with the termination provisions in this Section. Business Associate shall provide to Covered Entity notification of the condition that makes return or destruction infeasible. To the extent that it is not feasible for Business Associate to return or destroy such Protected Health Information, the terms and provisions of this Agreement shall survive such termination or expiration and such Protected Health Information shall be used or disclosed solely as permitted by law for so long as Business Associate maintains such Protected Health Information. b) Termination for Cause. Upon Covered Entity’s knowledge of an activity or practice of Business Associate that constitutes a material breach or violation of this Agreement by Business Associate, Covered Entity shall inform Business Associate in writing of such breach or violation within five business days of discovery and provide Business Associate an opportunity to cure the breach or violation within thirty (30) business days. Provided that Covered Entity gave Business Associate notice within five 5) business days of discovery of a material breach of this Agreement, and if Business Associate does not cure the breach or violation within thirty (30) business days, Covered DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 8 Entity may immediately terminate this Agreement upon written notice to Business Associate. c) Effect of Termination. i) Except as provided in paragraph (ii) of this Section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity (except for any data maintained for Data Aggregation purposes or as otherwise allowed to be retained pursuant to the Worksite Wellness Services Agreement). This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information. ii) In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. Section 5. Miscellaneous. a) Amendment. Business Associate and Covered Entity agree to take such action as is reasonably necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of the HIPAA Regulations and any amendment thereto. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed and agreed to by Business Associate and Covered Entity. b) Indemnification. Business Associate shall indemnify and hold harmless Covered Entity, and any of its directors, officers, employees, and agents from and against any and all losses, claims, damages, actions, or liabilities arising out of, directly or indirectly, this agreement, or are based upon any performance or nonperformance by Business Associate, its directors, officers, employees, sub-contractors or agents hereunder; and Business Associate shall reimburse Covered Entity for reasonable attorney fees and costs legal and other expenses incurred by Covered Entity in connection with investigating or defending any such loss, claim, damage, liability or action. To the extent permitted by law, Covered Entity agrees to indemnify and hold harmless Business Associate, and its directors, officers, shareholders, employees and agents, from and against any and all claims, actions, or liabilities which may be asserted against them by third parties determined to have arisen out of, or in connection with, the tortious acts or omissions of Covered Entity, its directors, officers, employees, contractors or agents under this Agreement. The Parties agree to provide prompt written notice to the other DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 9 Party of any claim or circumstance that likely will give rise to a request for indemnification. This indemnification shall not apply to claims by third parties against the Covered Entity to the extent that Covered Entity is liable to such third party for such claims without regard to the involvement of the Business Associate. This paragraph shall survive expiration or termination hereof. c) Limitation of Liability. Except as otherwise dictated by this contract, Neither Healthbreak (nor its contractors or subcontractors) nor Client will be responsible for special, indirect, incidental, punitive, consequential, or other similar damages, including but not limited to lost profits, that the other Party may incur or experience in connection with this Agreement, whether in contract, tort, or otherwise, however caused, even if such Party has been advised of the possibility of such damages. d) Interpretation. In the event of an inconsistency between the provisions of this Agreement and the mandatory terms of the HIPAA Regulations, the HIPAA Regulations shall prevail. Where provisions of this Agreement are different from those mandated by the HIPAA Regulations, but are nonetheless permitted by law, the provisions of this Agreement shall control. e) No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Business Associate and Covered Entity, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever. f) Notices. Any notices to be given hereunder shall be made via U.S. Mail or express courier, or hand delivery to the respective address given below, and/or email with return receipt at the information listed below. g) Regulatory References. A reference in this Agreement to a section in the HIPAA Regulations means the section as in effect or as amended, and for which compliance is required. h) Subpoenas. In the event that Business Associate or Covered Entity receives a subpoena or similar notice or request from any judicial, administrative or other Party in connection with this Agreement, including, but not limited to, any unauthorized use or disclosure of PHI in breach of this Agreement or in violation of the HIPAA Regulations, such Party shall notify the other Party as soon as practicable and forward a copy of such subpoena, notice or request to the other Party and afford the other Party an opportunity to exercise any rights it may have under the law. i) Severability. If any one or more of the provisions contained in this Agreement should be held invalid, illegal or unenforceable in any respect, then the validity, legality and enforceability of the remaining provisions contained shall not in any way be affected or impaired thereby. The Parties shall endeavor in good-faith negotiations to replace the invalid, illegal or unenforceable provisions with valid provisions, the economic effect of which comes as close as possible to that of the invalid, illegal or unenforceable provisions. DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 10 j) Construction, Jurisdiction and Venue. This Agreement shall be governed by the laws of the State of Colorado and, in the event that any Party hereto shall bring a suit or cause of action in a court of law for construction, interpretation or enforcement of this Agreement, or for damages for any alleged breach of the terms or provisions of this Agreement, then venue for any such suit or cause of action shall lie exclusively in the Eagle County, Colorado. k) Other Federal and State Law. The parties agree to comply with other federal and state law as may apply to the Protected Health Information. In the event of a conflict between the requirements of such other law and the requirements stated herein, the applicable law under a conflict-of-law analysis, including the preemption analysis required under HIPAA, shall apply. l) Waiver. No failure to exercise and no delay in exercising any right, remedy or power hereunder shall operate as a waiver thereof, nor shall any single or partial exercise of any right, remedy or power hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy or power provided herein or by law or in equity. m) No Waiver of Immunity. No term or condition of this Agreement shall be construed or interpreted as a waiver, express or implied, of any of the immunities, rights, benefits, protection or other provisions of the Colorado Governmental Immunity Act, C.R.S. § 24-10-101 et seq., or the Federal Tort Claims Act 28 U.S.C. 2671 et seq. as now in effect or hereafter amended. n) Binding Effect. This Agreement shall be binding upon the parties hereto and their respective heirs, executors, administrators, successors and permitted assigns. o) Signatures. This Agreement may be executed in counterparts, each of which when so executed and delivered shall be deemed an original and all of which taken together shall constitute one instrument. This Agreement and any counterpart original may be executed and transmitted by facsimile. The facsimile signature shall be valid and acceptable for all purposes as if it were an original. p) Survival. The respective rights and obligations of Covered Entity and of the Business Associate under the effect of termination (Section 4) and third party beneficiaries sections (Section 5(e)) of this Agreement shall survive the termination of this Agreement. DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 11 IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf as of the Effective Date. BUSINESS ASSOCIATE: Healthbreak, Inc. 601 – 16th Street, Suite C-311 Golden, Colorado 80401 Telephone: (720) 344-9507 Email: kknudsen@healthbreakinc.com Attention: Kathy Knudsen By Name Kathy Knudsen Title President DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F 12 COVERED ENTITY: Eagle County, Colorado Attention: Human Resources 500 Broadway Post Office Box 850 Eagle, CO 81631 Telephone: 970-328-8790 Facsimile: 970-328-8799 E-Mail: echr@eaglecounty.us With a copy to: Eagle County Attorney 500 Broadway Post Office Box 850 Eagle, Co 81631 Telephone: 970-328-8685 Facsimile: 970-328-8699 E-Mail: atty@eaglecounty.us COUNTY OF EAGLE, STATE OF COLORADO, By and Through Its COUNTY MANAGER By: ______________________________ Jeff Shroll, County Manager DocuSign Envelope ID: 7AF684C2-662E-4F42-98D6-B6DB3126B4C2DocuSign Envelope ID: D7C7D127-3744-41B9-9A36-DA931D0FD91F