The URL can be used to link to this page

08-01-2017 Client Contract DocuSign 29161ADMINISTRATIVE SERVICES AGREEMENTS The attached agreements (the “Agreements”) are entered into by and between TOWN OF AVON (“Employer”) and Discovery Benefits, Inc. (“DBI”) as of 08/01/2017 (“Effective Date”). Agreements Attached: N/A COBRA N/A Direct Billing N/A Premium Conversion X Reimbursement Account N/A Health Savings Account N/A Arrears Billing N/A Education Assistance Program N/A SmartCompliance Non-Discrimination Testing _______________________________________________________________________________________________ X HIPAA Business Associate Agreement (signed for by the Employer as the Sponsor on behalf of and as a representative of the Employer health plan) AUTHORIZATION AND SIGNATURE Neither party to Agreements, when dealing with the other party in relation to the Plan, will be obliged to determine the other party’s authority to act pursuant to Agreements. Furthermore, the individuals executing the Agreements on behalf of DBI and Employer do each hereby represent and warrant that: they are duly authorized by all necessary action to execute the Agreements on behalf of their respective principals; and the execution and delivery of the Agreements and the consummation of the transactions herein provided have been duly approved by Employer and DBI and do not violate any agreements to which Employer or DBI is a party or otherwise bound. If legal agreements are not signed and returned to DBI prior to the date our services commence, consent to the contract terms and conditions will be presumed and deemed to have been obtained upon submission of Employer data through the DBI portal, the DBI Design Guide or any other DBI authorized format. The Agreements are accepted and entered into by the parties as of the Effective Date. Signed for Employer by Signed for DBI by Suzanne Rehr Printed Name Chief Compliance Officer / EVP TOWN OF AVON (29161) PAGE 1 OF 36 Scott Wright Fee Schedule Effective Date 08/01/2017 or later if plans start different months Fee Minimum FrequencyFee Amount Bill To FSA - Monthly $4.85 $50.00 Monthly Consultant Fees per FSA Participant per monthIncludes Dependent Care & Benefits Debit Card Spouse, dependent, and replacement Benefits Debit Cards available at no additional fee Fees are guaranteed until 01/01/2021 ("Rate Expiration Date"). Printing and postage are included for standard material and mailings. Additional charges/fees will apply for non-standard mailings and/or expedited requests. Additional fees may apply for non-discrimination testing services. WebEx meetings are included at no additional fee. Enrollment meetings (optional) are $350 per day plus travel expenses. If Employer/Customer has contracted with a third party whereby the third party pays DBI’s fees on Employer’s behalf, DBI’s fees will be invoiced to that third party and are due within thirty (30) days after the date the invoice is received. If the third party fails to pay DBI, Employer remains responsible to pay DBI’s fees. Fee rates may be based on a third-party discount. If DBI’s fees are no longer to be paid by the third party on Employer’s behalf, guarantees could be voided and the fee schedule revised. 254568345 29161 TOWN OF AVON (29161) PAGE 2 OF 36 REIMBURSEMENT ACCOUNT ADMINISTRATIVE SERVICES AGREEMENT RECITALS Employer has adopted an Internal Revenue Code Section 125 (26 USC § 125) Cafeteria Plan (the “125 Plan”) for its eligible employees. Included in the 125 Plan is one or more of the following plans or arrangements: a health flexible spending arrangement (“Health FSA”); a dependent care flexible spending arrangement (“Dependent Care FSA”) (a health FSA and a Dependent Care FSA are referred to collectively as an “FSA”); and/or a limited purpose health flexible spending arrangement (“Limited Health FSA”). Employer may have also adopted one or more of the following for its eligible employees: a health reimbursement arrangement (“HRA”) Internal Revenue Code Section 105 (26 USC § 105); a limited purpose health reimbursement arrangement (“Limited HRA”) Internal Revenue Code Section 105 (26 USC § 105); and/or a transportation fringe benefit plan spending account (“TSA” or “Commuter”) qualified under Internal Revenue Code Section 132(f) (26 USC § 132(f)). Individually and collectively, as the context may require, the foregoing shall be referred to as the “Plan.” Employer desires DBI to assist in its administration of the Plan and DBI desires to assist Employer in the administration of the Plan. DBI and Employer agree that DBI shall assist in the administration of the Plan on the terms and conditions set forth in this Agreement, including without limitation that: Employer has established the Plan for the exclusive benefit of its employees. Employer is the administrator of the Plan. Employer remains the administrator of the Plan and responsible for the operation and maintenance of the Plan, including the establishment of eligibility and benefits and funding payment of benefits owed to participants under the Plan. DBI is an independent contractor in relation to Employer and to the Plan and acts as an agent on behalf of Employer in rendering services for Employer pursuant to this Agreement. DBI is to provide the agreed upon services without assuming any liability for the performance of any services beyond those set forth below. NOW, THEREFORE, in consideration of the premises and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows: ARTICLE 1 – DBI ADMINISTRATIVE SERVICES 1.1 Plan Administration Assistance DBI shall assist Employer in the administration of the Plan as provided in this Agreement. DBI’s duties with respect to the Plan are limited to those expressly provided for in this Agreement. The benefit plan or plans covered for services under this Agreement are limited to plans selected by Employer via the DBI portal or design guide. If a plan is not selected, the plan is not covered for services under this Agreement and DBI shall have no responsibility or duty with respect to such non-selected plan. 1.2 Plan Documents Assistance (a) Upon request, DBI will assist Employer in the establishment and operation of its health plan by providing, for review by Employer, DBI’s standard documents, including a plan document, a summary plan description, and other standard documents relating to the administration of a health plan. TOWN OF AVON (29161) PAGE 3 OF 36 (b) Employer is under no obligation to use the standard documents from DBI in establishing and maintaining its health plan. (c) DBI’s standard plan document, summary plan description, and the other standard documents are based on the legal and regulatory requirements then in effect and on DBI’s internal policies and procedures, which may change from time to time. (d) It is Employer’s responsibility to determine whether DBI’s standard documents are legally compliant for Employer’s purposes, are appropriately completed, are in compliance with the requirements of its health plan, and are appropriately and timely adopted by Employer. (e) Employer must provide DBI with an executed copy of its plan document. (f) When there is a change in applicable domestic law or regulation or when requested by Employer due to Employer changing plan design, DBI will provide Employer with its standard plan amendments. (g) It is Employer’s responsibility to determine whether DBI’s standard plan amendments or other revisions are legally compliant for Employer’s purposes, are in compliance with the requirements of its health plan, are appropriately completed, and are appropriately and timely adopted by Employer. (h) Employer must provide DBI with an executed copy of its amended plan document. (i) For the establishment of HRAs, Limited HRAs, and TSAs, DBI provides a prototype plan with an agreement, that once adopted, becomes Employer’s HRA, Limited HRA or TSA plan document. 1.3 Recordkeeping DBI shall assist Employer in the development and maintenance of administrative and recordkeeping systems for the Plan. DBI’s recordkeeping services are listed in the Services and Recordkeeping Addendum. 1.4 Information for Employer Disclosure and Plan Reporting DBI shall provide Employer with general information about disclosure and Plan reporting requirements that relate to the Plan and information reasonably available to DBI that is necessary for Employer to prepare the annual Form 5500. DBI shall not be responsible for the accuracy of any information provided by Employer nor shall DBI be responsible for determining the level of compliance required by the Plan. It is the sole responsibility of Employer to assure compliance with all legal disclosure and Plan reporting requirements. 1.5 DBI Reporting to Employer DBI shall provide the following reports to Employer: Employer Funding Report (daily or monthly – the frequency of this report is dependent on funding method selected) Payment History Report (on demand) Enrollment Report (monthly and on demand) Account Balance Detail Report (monthly and on demand) Payroll Deduction Report (frequency based on payroll frequency for auto-post groups) Statement of fees due to DBI (monthly invoice) Commuter Voucher Report (TSA only) TOWN OF AVON (29161) PAGE 4 OF 36 1.6 Forms DBI shall provide Employer forms for use in administering the Plan. The forms are available at www.discoverybenefits.com. All forms and all user guide information will be subject to periodic updates and revision. DBI shall also provide Employer instructions and forms for use in the processing of benefit claims under the Plan. 1.7 Plan Payments Using funds received from Employer, DBI shall pay the amounts due as a result of the operation of the Plan and in compliance with the participant’s current Plan elections. 1.8 Claims Processing (a) DBI shall process claims received from Employer or from Plan participants on a daily basis during regular business hours (6:00 a.m. to 6:00 p.m. Central Time Zone, Monday through Friday excluding holidays). (b) DBI shall arrange for the payment of approved reimbursement requests as provided in the Plan. (c) DBI shall consider any initial claim for benefits made under the Plan provided the claim is submitted in accordance with the Plan, the summary plan description, and any reasonable rules established by DBI and communicated to Employer and participants. (d) DBI will accept or deny (in whole or in part) an initial claim for benefits after making such investigation as it deems necessary. (e) To the extent DBI determines that a participant is entitled to the claimed benefits under the Plan, DBI will arrange for the proper payment from the Plan using the funds provided by Employer. (f) To the extent DBI determines that a participant is not entitled to claimed benefits under the Plan, DBI shall provide to such participant a written notification of its decision as soon as administratively practicable after the claim was received by DBI, but no later than within the time required per Section 503 of ERISA (29 USC § 1133) and 29 CFR § 2590.715-2719 as applicable. (g) Said notification shall comply with the requirements set out in Section 503 of ERISA (29 USC § 1133) and 29 CFR § 2590.715-2719 as applicable. (h) DBI shall be responsible for making the decision to accept or deny (in whole or in part) all appeals of denied benefit claims consistent with Section 503 of ERISA (29 USC § 1133) and 29 CFR § 2590.715-2719. (i) DBI shall be responsible for notifying the participant of its decision regarding an appeal consistent with Section 503 of ERISA (29 USC § 1133) and 29 CFR § 2590.715-2719. (j) In making decisions regarding claims for benefits and appeals of denied benefit claims, DBI shall have discretionary authority to construe and interpret the terms of the Plan and to determine whether a benefit claim is properly payable under the Plan. (k) Notwithstanding anything herein to the contrary, Employer shall be responsible for all eligibility claims, eligibility appeals, and eligibility determinations. (l) To the extent that DBI provides written non-English assistance to a participant during the course of claims processing as required by Section 503 of ERISA (29 USC § 1133) and 29 CFR § 2590.715-2719, Employer shall reimburse DBI for the related fees and expenses, if any. 1.9 Claim Fiduciary DBI has a fiduciary duty under the Plan only to the extent described in Section 1.8. All remaining fiduciary duties under the Plan are the responsibility of Employer. TOWN OF AVON (29161) PAGE 5 OF 36 1.10 Employer Funds and Custodial Account Funds received by DBI from Employer for the payment of Plan benefits shall be held in the Custodial Account pursuant to Article 3. 1.11 Unused Amounts and Unclaimed Amounts Except for those amounts that are subject to any Health FSA carryover elected by the Plan in accordance with IRS Notice 2013-71 (as such guidance may be modified or updated), all amounts that remain unused in an FSA or a TSA after the end of the period specified by the Plan during which a participant can make a claim plus any periods for appeal or claim dispute shall be forfeited by the participant and returned to Employer less any undisputed fees and expenses that are due and owing to DBI under this Agreement. The direct terms of an applicable plan may alter the forfeiture provisions of this Section 1.11 only with respect to a Plan participant. Any amounts unclaimed by participants, including any unclaimed reimbursement checks (or other methods of payment) that have been issued but remain unendorsed or uncashed and unpaid after the end of the plan year’s run- out period elected by the Plan, shall be returned to Employer less any undisputed fees and expenses that are due and owing to DBI under this Agreement. Employer shall be responsible to report unclaimed amounts in accordance with the Plan and applicable state law. 1.12 Retention and Release of Plan Data, Records, and Files (a) DBI shall retain a copy of all information (as information is defined in Section 2.14, excluding emails or similar electronic communications destroyed in the ordinary course of business pursuant to DBI policy) for eight (8) years from the date created at DBI, including without limitation, a record of all assets and transactions involving the Custodial Account (defined in Article 3). (b) Following the termination of this Agreement, DBI shall cooperate with Employer or Employer’s subsequent service provider to effect an orderly transition of services provided under this Agreement and, within a reasonable time, will release to Employer a copy of all data, records, and files in DBI’s standard format. (c) Upon termination of this Agreement, DBI is entitled to retain a copy of all information including the data, records, and files released by DBI pursuant to Section 1.12(b) and to use and disclose such information for claims, audits, and legal and contractual compliance purposes to the extent permitted by law. 1.13 Notice of Litigation DBI shall notify Employer promptly of any summons, complaint or other communication concerning threatened litigation and any inquiry by any governmental agency that is related to the Plan unless such notification would be a violation of applicable law. 1.14 Confidentiality of Plan Information DBI shall keep confidential all information that it obtains concerning the Plan. Other than in due course of business, such information shall not be disclosed without prior approval of Employer or as otherwise provided in Article 4. Employer may request that DBI share Plan information and other data with another vendor of the Plan or Employer. DBI shall consider all reasonable requests, however, prior to releasing or sharing any Plan information or other data with another vendor, Employer must enter into a confidentiality and data sharing agreement with the vendor and make a copy of such agreement available to DBI upon request. 1.15 Disclaimer DBI does not insure or underwrite Employer’s liability to provide benefits under the Plan. DBI shall not be liable or obligated to use its funds for payment of benefits under the Plan, including, without limitation, where such payment of benefits is sought as damages in an action against Employer, DBI or the Plan. Employer shall promptly reimburse DBI for any benefit payments made using DBI funds. TOWN OF AVON (29161) PAGE 6 OF 36 1.16 Audit (a) During the term of this Agreement, and at any time within six (6) months following its termination, Employer (or a mutually agreeable third party auditor) may audit DBI to determine whether DBI is fulfilling its obligations under this Agreement with respect to processing claims for benefits. The audit shall be limited to such processing claims for benefits information relating to the calendar year in which the audit begins and /or the immediately preceding calendar year. DBI will provide timely inquiry and feedback regarding the sample size and sampling methodology as it relates to the objective of the audit. The audit must be completed within six (6) months following the date the audit begins. The place, time, type, duration, and frequency of any audit must be reasonable and mutually agreeable. Employer shall pay or cause to be paid any expenses that it incurs in connection with the audit, including DBI’s then current internal billing rate for audit related tasks. (b) Any audit will be subject to these additional requirements: (i) Employer must provide DBI with a sixty (60) day advance written notice of its intent to audit. (ii) Employer must utilize individuals to conduct the audit who are qualified by appropriate training and experience for such work; who will perform their review in accordance with published administrative safeguards and procedures against unauthorized use or disclosure (in the audit report or otherwise) of any individually identifiable information (including health care information) contained in the information audited; and who will not make or retain any record of payment identifying information concerning treatment of drug or alcohol abuse, mental/nervous disorders, HIV/AIDS or genetic markers in connection with the audit (“Auditor”). (iii) At least thirty (30) days in advance of the commencement of the audit, Employer must provide DBI with a complete and accurate list of the transactions to be selected for audit, along with the specific service for which each transaction or item is being tested. The sample must be based on a statistically valid random sampling methodology (e.g., systematic random sampling, simple random sampling, or stratified random sampling). (iv) The Auditor must provide its draft findings to DBI before a final audit report is presented to Employer. The draft findings will be the basis for discussion between the Auditor and DBI to resolve any disagreement and to summarize the audit findings. (v) The Auditor must provide its final audit report to DBI before delivery to Employer and allow DBI to include with the final audit report a supplementary statement containing facts that DBI considers pertinent to the audit. (vi) The Auditor must provide DBI with a complete copy of the final audit report that is delivered to Employer. (vii) The audit will be subject to proprietary and confidentiality protections. Before the audit commences, Employer and any third party auditor shall execute a non-disclosure and confidentiality agreement, the scope of which shall be reasonable and shall be determined by DBI. 1.17 Red Flags Rule For the purposes of this Section 1.17, “Red Flags Rule” means regulation adopted by various federal agencies, including the Federal Trade Commission, in connection with the detection, prevention, and mitigation of identity theft and located at Federal Register Volume 72, Issue 217 (November 9, 2007), as amended. For the purposes of this Section 1.17, “Covered Services” means the services provided by DBI with respect to the plans selected by Employer and as described in the Debit Card Addendum that allow Plan participants to pay for eligible expenses under the Plan with a debit card or other stored-value card and any other services provided by DBI pursuant to this Agreement that fall under the protections of the Red Flags Rule as determined by DBI in its sole discretion. To the extent applicable, DBI shall comply with the Red Flags Rule with respect to Covered Services. TOWN OF AVON (29161) PAGE 7 OF 36 As part of its Red Flags Rule compliance, DBI shall adopt, maintain, and use appropriate and commercially reasonable rules, procedures, and safeguards to detect and identify red flags and to prevent and mitigate identify theft as required by the Red Flags Rule. Such rules, procedures, and safeguards are set forth in a written program (the “Red Flags Program”). DBI shall, upon request, make available to Employer a copy of its Red Flags Program. The parties agree that if a breach of unsecured protected health information (as defined in the business associate agreement between the parties) occurs and a violation of the Red Flags Rule occurs with respect to the same incident, both the Red Flags Rule and the provisions of the business associate agreement between the parties shall apply, except that the notice requirements of the business associate agreement between the parties shall satisfy any notice obligations under the Red Flags Rule and this Section 1.17. 1.18 Information Security Program DBI represents and warrants that it has implemented and maintains a written and comprehensive information security program, and complies with all applicable domestic law and regulation, including without limitation, state privacy and data security law and regulation such as the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00). 1.19 Subcontractors DBI may subcontract or delegate to a third party (“subcontractor”) any portion of DBI services. For those DBI services that are subcontracted or delegated: (a) DBI shall ensure subcontractor compliance with all applicable provisions of this Agreement; and (b) DBI shall require the subcontractor not to use subcontractors located outside the United States. Should DBI use any other person or entity to perform any of DBI services as a subcontractor of DBI, DBI shall remain responsible to Employer for the performance of the DBI services under the terms and conditions of this Agreement. For purposes of clarity, any transit authority associated with a TSA shall not be considered a subcontractor of DBI. 1.20 Overpayment Recovery If DBI determines that it has paid benefits to an ineligible person or paid more than the appropriate amount, DBI shall, with Employer’s full cooperation, undertake a good faith effort to recover such erroneous payment. For purposes of this provision, DBI shall have the sole discretion to determine what constitutes a “good faith effort,” which effort may vary from time to time depending upon the circumstances of the overpayment, but may include DBI’s attempt to contact the participant twice via letter, phone, email or another means about the recovery of the payment at issue. 1.21 Total Authority Except as otherwise expressly provided in this Agreement, Employer has total control and discretionary authority over the Plan and the manner in which the Plan is operated. DBI serves as Employer’s agent only for the processing of qualifying expense/reimbursement requests as provided under this Agreement. 1.22 External Review To the extent that the external review requirements set forth in 29 CFR § 2590.715-2719 apply to the Plan, DBI shall serve as a conduit for external review requests. Meaning, DBI will send appropriate information to, and cooperate fully with, the external review organization conducting the review. Any cost, fee or expense related to the review or request for review shall be paid by Employer. If DBI pays any such cost, fee or expense on behalf of Employer, Employer shall reimburse DBI promptly upon request. 1.23 Non-Discriminatory Plans – 125 Plans, FSA and HRA Non-Discrimination Testing Employer may subscribe to DBI’s non-discrimination testing portal per the SmartCompliance Subscription Addendum. TOWN OF AVON (29161) PAGE 8 OF 36 1.24 Direct Load Payments for TSA Using Plan funds, and based on instructions received from the participant, DBI shall pay employer-provided transportation benefits through electronic media by transmitting funds to a participant’s smartcard or account with the transit authority. Only pre-tax participant contributions are eligible for use with the transit authority smartcard. A transactional processing fee could be incurred. ARTICLE 2 – EMPLOYER RESPONSIBILITIES 2.1 Compliance with Laws Plan Compliance. Although DBI serves as Employer’s agent for services rendered pursuant to this Agreement, Employer remains responsible for all Plan activities, including compliance with the Patient Protection and Affordable Care Act of 2010 (the “PPACA”), the Employee Retirement Income Security Act of 1974 (“ERISA”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Internal Revenue Code (the “Code”), and any other law or regulation, domestic or foreign, as applicable. Employer Compliance. Employer agrees to hold DBI harmless from and against any and all liability, damages, costs, losses and expenses (including attorney fees) that result from the failure or alleged failure of Employer, its officers and employees, and any other entity related to or performing services on behalf of Employer (other than DBI) to comply with PPACA, ERISA, HIPAA, the Code, and any other law or regulation, domestic or foreign, as applicable, or the provisions of this Agreement. Medicare Secondary Payer. Employer agrees to hold DBI harmless from and against any and all liability, damages, costs, losses and expenses (including attorney fees) that result from the failure or alleged failure of Employer, its officers and employees, and any other entity related to or performing services on behalf of Employer (other than DBI) to provide DBI with the required information for proper and timely reporting under the Medicare Secondary Payer (“MSP”) for Employer’s HRA participants where DBI acts as Responsible Reporting Entity (“RRE”) for any HRA offered by Employer. Prior Activity or Occurrence. Employer expressly releases all claims against DBI in connection with any claim or cause of action based on any activity or occurrence prior to the Effective Date that results from the failure or alleged failure of Employer, its officers and employees, and any other entity related to or performing services on behalf of Employer to comply with PPACA, ERISA, HIPAA, the Code, and any other law or regulation, domestic or foreign, as applicable. 2.2 Plan Documents Employer is responsible for the final content of all Plan materials and documents. It is Employer’s responsibility to ensure that the Plan documents and any amendments to the Plan documents are legally compliant for Employer’s purposes, appropriately completed, in compliance with the requirements of the Plan, and appropriately and timely adopted by Employer. Employer shall file with the appropriate governmental agencies all required returns, reports, documents, and other papers relating to the Plan. Employer shall distribute to its employees participating in the Plan all materials and documents as may be necessary or convenient for the operation of the Plan and to satisfy the requirements of applicable law. 2.3 Summary Plan Description Employer shall distribute to its employees participating in the Plan a copy of the summary plan description and/or the summary of benefits and coverage. 2.4 Plan Amendments Employer shall provide DBI with a copy of any contemplated amendment to the Plan no less than thirty (30) days prior to the anticipated amendment effective date (or less than thirty (30) days in the unlikely event in which an amendment is required by law within less than thirty (30) days of the effective date of the amendment). Under no circumstances may Employer adopt an amendment that would alter DBI’s services or obligations under the Agreement without prior written consent of DBI. DBI has no obligation to provide any Plan amendments to Employer other than described in Section 1.2. TOWN OF AVON (29161) PAGE 9 OF 36 2.5 Eligibility and Enrollment Employer shall provide DBI a record of all employees who are eligible to participate in the Plan and notify DBI of any changes on a monthly basis. Employer shall also provide DBI with the demographic and related information that DBI may need to perform its services under this Agreement. Employer shall be solely responsible for determining which of its employees are eligible to participate in the respective plan and to collect the required information from those employees and to inform DBI of such eligible employees. Employer shall be responsible to collect and to provide to DBI, in an electronic format, all reasonably required information to ensure compliance with the MSP rules and regulations where DBI acts as RRE for an HRA offered by Employer. 2.6 Employer Assistance Employer shall assist in the enrollment of the employees in the Plan, cooperate with DBI regarding the proper settlement of claims, and transmit any inquiries pertaining to the Plan to DBI. Late notification of Plan eligibility or incorrect plan eligibility provided by Employer to DBI may result in erroneous plan benefit payments, for which Employer shall be solely responsible. Employer shall also be responsible for collecting any such erroneous payments from the employee. If there are insufficient Employer funds available to restore the erroneous payments or if the requested reimbursement of funds would otherwise cause the Minimum Account Balance deposit (if applicable) to become insufficient, DBI may suspend all services under this Agreement and request immediate restoration of funds from Employer. 2.7 Funds Employer shall deposit funds in the Custodial Account to be used to pay benefits and expenses under the Plan as agreed to herein and in accordance with the Plan documents. Funds deposited in the Custodial Account shall consist solely of general assets of Employer. Participant contributions, if any, made by employees to the Plan through salary reduction or otherwise, shall be used to reimburse Employer for the funds advanced by Employer to pay benefits under the Plan. Employer has the sole responsibility and liability for the funding of all benefits under the Plan. 2.8 Claims Based Funding Method If Employer selects the claims based funding method to pay claims, Employer gives DBI approval to withdraw applicable amounts from Employer’s designated United States bank account to deposit in the Custodial Account from which disbursements can be made on Employer’s behalf for payment of qualifying expenses, which are otherwise specified by Employer in its Plan document or as provided for under the Code. Disbursements cannot be made until the amounts are credited to the Custodial Account. 2.9 Deduction/Contribution Based Funding Method If Employer selects the deduction/contribution based funding method to pay claims, Employer establishes a pre- determined initial deposit amount that will adequately fund the reasonable needs of the Plan to be deposited into the Custodial Account (the “Minimum Account Balance”). If the deposited amount falls below the Minimum Account Balance, Employer will be notified of the deficiency and will be required to provide additional funds until such time the Minimum Account Balance can be restored. DBI may suspend all services under this Agreement until Employer restores the Minimum Account Balance. 2.10 Debit Card Payments All participants in a Health FSA, Dependent Care FSA, TSA or a comprehensive HRA shall automatically receive one or more debit cards or similar electronic payment technology, for which the terms of the Debit Card Addendum shall control. 2.11 Ownership of Account Assets All funds from Employer deposited in the Custodial Account remain Employer’s general assets. DBI shall be responsible for administering the funds in accordance with the terms of this Agreement. Funds are disbursed from the Custodial Account by DBI or any of its designees only for an allowable Plan expense as determined by Employer or a representative of Employer (including DBI) or as otherwise required by a court of competent jurisdiction. TOWN OF AVON (29161) PAGE 10 OF 36 2.12 Employer, Employee, and Plan Participant Fraud Employer is solely responsible for making the Plan whole if fraud is committed against the Plan by its employees, Plan participants or anyone (other than DBI). DBI will assist in pursuing or remedying such fraud using its standard procedures. 2.13 Plan Fiduciary (a) Except as provided in Section 1.9, Employer agrees that DBI is not a named fiduciary, or a plan fiduciary under the Plan as such terms are described under ERISA. DBI is not the plan administrator and shall have no power or authority to waive, alter, breach or modify any terms and conditions of the Plan. DBI shall make payments or distributions from the Custodial Account in accordance with the framework of policies, interpretations, rules, practices, and procedures set forth in the Plan, this Agreement, and as otherwise agreed upon or directed by Employer. (b) Except as provided in Section 1.9, DBI shall neither have nor shall be deemed to exercise any discretion, control or authority with respect to the disposition of Employer funds. Employer agrees that the use of or offset or recoupment of funds in the Custodial Account to pay undisputed fees or other undisputed amounts due to DBI pursuant to this Agreement constitutes an Employer action that is authorized by Employer under this Agreement and agrees that such actions are not discretionary acts of DBI and do not create a fiduciary status for DBI. (c) DBI agrees that it will perform services on the Plan’s behalf as set forth in this Agreement, including any addenda to this Agreement. However, DBI will not undertake any duties or responsibilities, regardless of whether they are set forth in the Plan, if such actions are in violation of any applicable domestic law or regulation. 2.14 Employer Information and Instructions (a) DBI shall be fully protected in relying upon representations and communications made by or on behalf of Employer in effecting its obligations under this Agreement. (b) DBI is entitled to rely on the most current information in its possession when providing services under this Agreement. (c) DBI shall provide the services in accordance with this Agreement based on information that is provided to DBI by Employer. (d) For this purpose, the term “information” means all data, records, and other information supplied to DBI, obtained by DBI or produced by DBI (based on data, records or other information supplied to, or obtained by, DBI) in connection with performing the services pursuant to this Agreement, regardless of the form of the information or the manner in which the information is provided to DBI. (e) In engaging DBI to perform the services under this Agreement, Employer has authorized and instructed DBI to implement its standard administrative forms and procedures. (f) DBI is not responsible for any acts or omissions it makes in reliance upon: (i) the direction or consent of Employer; or (ii) inaccurate, misleading or incomplete information received by DBI from anyone other than DBI, its agents or subcontractors. (g) Employer and DBI agree that if Employer instructs DBI with a specific written request (in a format acceptable to DBI) to provide services in a manner other than in accordance with DBI’s standard forms and procedures, DBI may (but need not) comply with such an instruction. This would include any Employer instruction to add a vendor link to the consumer portal. To the extent that DBI complies with such an instruction, Employer and not DBI shall be solely responsible for DBI’s action so taken, and Employer agrees to hold DBI harmless from and against any and all liability, damages, costs, losses and expenses (including attorney fees) and expressly releases all claims against DBI in connection with any claim or cause of action that results from or in connection with DBI complying with Employer’s specific written instruction to provide services in a manner other than in accordance with DBI’s standard procedures. TOWN OF AVON (29161) PAGE 11 OF 36 (h) Employer is responsible for the integrity of data in the files. Therefore, complete and accurate information from Employer or a vendor on behalf of Employer is required in order for DBI to perform the services set forth herein. (i) DBI’s system is unable to mask the employee identification number (“Employee ID”) field, including in reports and the online portal. Therefore, if Employer uses the social security number (“SSN”) as the Employee ID and requires that DBI set up its systems to use the SSN in the Employee ID field, Employer agrees to hold DBI harmless from and against any and all liability, damages, costs, losses, and expenses (including attorney fees) and expressly releases all claims against DBI in connection with any claim or cause of action that results from or in connection with the use of the SSN as the Employee ID. 2.15 Employer’s Electronic Account If Employer choses to access the services provided by DBI via an online account or other electronic means (“Employer’s Electronic Account”), Employer is solely responsible for: (a) Designating who is authorized to have access to Employer’s Electronic Account; (b) Safeguarding all of Employer’s passwords, usernames, logins or other security features used to access Employer’s Electronic Account (“Electronic Account Access”); (c) Employer’s use of Employer’s Electronic Account under any usernames, logins or passwords; (d) Ensuring that use of Employer’s Electronic Account complies fully with the provisions of this Agreement; and (e) Any unauthorized access or use of Employer’s Electronic Account caused by Employer’s actions or inactions, including, without limitation, its failure to safeguard the Employer’s Electronic Account or Electronic Account Access. Employer is solely responsible for the maintenance and routine review of its computing and electronic system usage records (i.e., log files) and the security of its own data, data storage, computing devices, other electronic systems, and network connectivity. Employer acknowledges and agrees that DBI has no control over and is not liable to Employer, Employer’s employees or any other third-party for any consequences, losses or damages resulting from unauthorized access or use of the Employer’s Electronic Account as set forth in this Section 2.15. 2.16 Plan Tax Obligations The Plan and/or Employer on behalf of the Plan is responsible for any state, federal or foreign tax, fee, assessment, surcharge and/or penalty imposed, assessed or levied against or with respect to the Plan and/or DBI relating to the Plan or the services provided by DBI pursuant to this Agreement, including those imposed pursuant to PPACA. This includes the funding, remittance, and determination of the amount due for PPACA required taxes and fees. In the event that DBI is required to pay any such tax, fee, assessment, surcharge and/or penalty on behalf of Employer, DBI shall report the payment to Employer along with documentation of the payment and Employer shall promptly reimburse DBI for the full amount or for Employer’s proportionate share of such amount, except as provided in Section 7.10. This reimbursement would be in addition to the fees described in Section 6.1. Employer is at all times responsible for the tax consequences of the establishment and operation of the Plan. Further, the parties agree that DBI does not provide any legal tax or accounting advice to the Plan and/or Employer. DBI is at all times responsible for all the taxes based upon its net income and its property ownership. 2.17 Health Plan Identifier Employer acknowledges and agrees that DBI does not, and shall not, have any responsibility for obtaining one or more health plan identifiers (“HPID”) for the Plan from the Enumeration System identified in 45 CFR § 162.508 or for updating the Enumeration System with respect to the HPID. TOWN OF AVON (29161) PAGE 12 OF 36 2.18 Acknowledgment Employer acknowledges and agrees that the services provided by DBI pursuant to this Agreement relate to enrollment and disenrollment in the Plan and that these services to the extent permitted under HIPAA shall be deemed to be performed by DBI on behalf of Employer in its capacity as the sponsor of the Plan. Employer further acknowledges and agrees that DBI may use or disclose enrollment or disenrollment information that it receives from Employer with respect to a particular participant to provide the participant access to additional services at no cost to Employer. ARTICLE 3 – CUSTODIAL ACCOUNT 3.1 Appointment and Acceptance of Custodian By signing this Agreement, Employer appoints DBI as custodian of Employer funds for the purposes and upon the terms and conditions set forth in this Agreement, and DBI accepts such appointment and agrees to act as custodian hereunder and to hold any Employer funds received hereunder in accordance with the terms and conditions set forth in this Agreement. 3.2 Custodial Account DBI maintains one or more depository accounts (“Custodial Account”) at Bell Bank (“Bank”), Fargo, North Dakota and holds in such Custodial Account all funds initially received from Employer plus any additional funds that may be received from Employer for Custodial Account from time to time. For administrative convenience and to reduce costs, DBI shall hold funds received from Employer together with similar funds from other employers in a single Custodial Account (or one or more Custodial Accounts as determined by DBI). DBI shall maintain records as to the exact amount of funds attributable to each employer so that each employer has a legal right to the specific amount of its funds held in the Custodial Account (less any applicable fees, costs or expenses as set forth in this Agreement). At all times, the assets comprising each employer’s funds in the Custodial Account shall be considered a separate subaccount for purposes of this Agreement. Depending upon the context, the term “Custodial Account” as used herein shall refer to either the separate subaccount for Employer or all of the subaccounts for all employers in the aggregate. 3.3 Employer Funds DBI and Employer intend and agree that all funds received from Employer for deposit in the Custodial Account shall be comprised of and shall remain Employer’s general assets. In no event will funds received from Employer and deposited in the Custodial Account constitute or include participant or employee contributions to employee benefit plans, whether made by salary reduction or otherwise, as those terms have their general meaning under ERISA. Except to the extent that outstanding checks have been written or withdrawals have been made against the Custodial Account balance on behalf of Employer, and subject to Section 6.3, all funds received from Employer and deposited in the Custodial Account may be withdrawn by Employer at any time (less applicable fees, costs or expenses as set forth in this Agreement) and are subject to the claims of Employer’s general creditors in the same manner as funds contributed to Employer’s ordinary checking accounts. Notwithstanding the foregoing, this Agreement does not alter or eliminate any separate obligation of Employer to fund and maintain the Minimum Account Balance in the Custodial Account as described in Section 2.9. 3.4 Disbursements DBI shall make payments or distributions from the Custodial Account in accordance with the framework of policies, interpretations, rules, practices, and procedures established by DBI for this purpose and as set forth in the Plan or as otherwise agreed upon or directed by Employer. DBI shall neither have nor shall be deemed to have any discretion, control or other authority with respect to the disposition of Employer funds. 3.5 Interest Earned Employer acknowledges and understands that from time to time, DBI may receive earnings and interest on the funds held in the Custodial Account and that any such earnings or interest shall be part of DBI’s compensation. Employer acknowledges and understands that fees otherwise charged by DBI for services under this Agreement would be TOWN OF AVON (29161) PAGE 13 OF 36 greater if DBI did not retain such earnings and interest on these funds. The period during which interest may be earned begins on the date Employer Funds are deposited into the Custodial Account and continues for as long as Employer Funds remain in the Custodial Account. Funds shall be disbursed on a first-in, first-out basis. 3.6 Maintenance of Records Upon Employer’s written request, DBI shall provide Employer with an accounting of all assets and transactions involving the Custodial Account in relation to Employer, including a description of all receipts, payments or disbursements, and other transactions. ARTICLE 4 – CONFIDENTIAL BUSINESS INFORMATION AND INTELLECTUAL PROPERTY 4.1 General Obligations For purposes of this Article 4, “confidential business information” shall mean any information identified by either party as “confidential” and/or “proprietary”, or which, under the circumstances, ought to be treated as confidential or proprietary, including non-public information related to the disclosing party’s business, employees, service methods, software, documentation, financial information, prices, and product plans. Neither DBI nor Employer shall disclose confidential business information of the other party. The receiving party shall use reasonable care to protect the confidential business information and ensure it is maintained in confidence, and in no event use less than the same degree of care as it employs to safeguard its own confidential business information of like kind. The foregoing obligation shall not apply to: (a) any information that is at the time of disclosure, or thereafter becomes, part of the public domain through a source other than the receiving party; (b) is subsequently learned from a third party that does not impose an obligation of confidentiality on the receiving party; (c) was known to the receiving party at the time of disclosure; (d) was generated independently by the receiving party; or (e) is required to be disclosed by law, subpoena or other process. DBI may disclose Employer’s or the Plan’s confidential business information to a governmental agency or other third party to the extent necessary for DBI to perform its obligations under this Agreement or if Employer has given DBI written authorization to do so. Each party agrees that its obligations contained in this Article 4 apply also to its parent, subsidiary, and affiliated companies, if any, and to similarly bind all successors, employees, agents, and representatives. 4.2 Financial Statements and Audit Information If Employer requests access to certain financial statements and/or service organization control audit reports or other audit information of DBI for the purpose of reviewing the financial, operating, and business condition of DBI, and DBI agrees to provide such information, Employer’s acceptance of or access to such confidential information shall constitute its agreement with the following: Employer will maintain the information (whether communicated by means of oral, electronic or written disclosures) in confidence and shall not use the same for its own benefit, or for any purpose other than the furtherance of its review, or disclose the same to any third party. Employer may only disclose the information to its own officers, employees, and agents on a need-to-know basis for the purposes of its review. If Employer is a state agency or otherwise subject to a freedom of information type statute, the information shall be treated as confidential and exempt from disclosure in accordance with the applicable law and the information contains sensitive proprietary business information and data defined as trade secret information that would not otherwise be publicly available and that disclosure of this information to the public, including DBI’s competitors, would likely result in substantial harm to DBI’s competitive positions and also contains confidential supervisory information and personal information relating to directors, officers, and major shareholders of DBI, the disclosure of which would constitute an unwarranted invasion of personal privacy. TOWN OF AVON (29161) PAGE 14 OF 36 4.3 Intellectual Property All materials, including, without limitation, documents, forms (including data collection forms provided by DBI), brochures, and online content ("Materials") furnished by DBI to Employer are licensed, not sold. Employer is granted a personal, non-transferable, and nonexclusive license to use Materials solely for Employer’s own internal business use. Employer does not have the right to copy, distribute, reproduce, alter, display or use these Materials or any DBI trademarks for any other purpose other than its own internal business use. Employer shall use commercially reasonable efforts to prevent and protect the content of Materials from unauthorized use. Employer’s license to use Materials ends on the termination date of this Agreement. Upon termination, Employer agrees to destroy Materials or, if requested by DBI, to return them to DBI, except to the extent Employer is required by law to maintain copies of such Materials. DBI retains exclusive ownership rights to and reserves the right to independently use its experience and know-how, including processes, ideas, concepts, and techniques acquired prior to or developed in the course of performing services under this Agreement. 4.4 Subcontractors or Third Parties Notwithstanding anything to the contrary, although DBI remains responsible for the confidentiality obligations as set forth in this Article 4, DBI reserves the right to have this information processed, managed, and/or stored with subcontractors or third parties. ARTICLE 5 – TERM AND TERMINATION OF THE AGREEMENT 5.1 The term of this Agreement shall commence as of the Effective Date and shall continue for a period of twelve (12) months (“Initial Term”). 5.2 This Agreement shall automatically renew for another twelve (12) months at the end of the Initial Term and every twelve (12) months thereafter unless terminated pursuant to this Article 5. 5.3 This Agreement may be terminated at any time during the Initial Term or any renewal term by Employer or by DBI without cause and without liability with written notice of the intention to terminate to be effective as of a date certain set forth in the written notice not fewer than sixty (60) days from the date of such notice. 5.4 Except as provided in Section 5.5, all obligations of DBI relating to payment of claims under the Plan will be terminated on the effective date of termination given in the notice, regardless of when the claim for such benefit is incurred. 5.5 This Agreement shall automatically terminate: (a) If any law is enacted or interpreted to prohibit the continuance of this Agreement, upon the effective date of such law or interpretation; (b) If any fee for any service provided by DBI to Employer remains unpaid to DBI beyond ten (10) days past the due date, upon notification by DBI to Employer in writing that DBI intends to exercise its option to enforce this provision; (c) If at any time Employer fails to provide funds for the payment of Plan benefits or fails to restore the Minimum Account Balance, upon written notification by DBI; or (d) If Employer fails to provide the required information in a timely manner to ensure compliance with the MSP reporting required for HRAs. 5.5 If a party is in default under any provision of this Agreement, the other party may give written notice to the defaulting party of such default. If the defaulting party has not used good faith efforts to cure such breach or default within thirty (30) days after it receives such notice or if good faith efforts to cure have begun within thirty (30) days, but such cure is not completed within sixty (60) days after receipt of the notice, the other party shall have the right TOWN OF AVON (29161) PAGE 15 OF 36 by further written notice (“Termination Notice”) to terminate this Agreement as of any future date designated in the Termination Notice. 5.6 If this Agreement is terminated under Sections 5.3 or 5.5, DBI will cease the performance of services. If, however, the parties agree in writing that this Agreement shall continue while DBI performs services during a run-out period (and upon prepayment for such run-out period if requested by DBI), DBI will continue to process qualifying expense reimbursements and to provide general Plan administration and services with respect to any claims that are received by DBI on or before the run-off period end date. The terms of this Agreement will remain in force and effect during any such run-out period. 5.7 Upon the completion of the termination of this Agreement, DBI will cease the processing of any claims that are received and Employer shall be immediately responsible for all aspects of its Plan, including the processing of all claims, annual reporting, and general plan administration. DBI shall promptly return to Employer any funds in the Custodial Account that have not been used for Plan benefit payments along with any unpaid or other pending payment requests and/or subsequent claims that are received after the end date of any specified run-out period. Such return shall remain subject to the completion of a final accounting of all account activities, as well as the deduction of any undisputed unpaid fees and other expenses under this Agreement or any other agreement between the parties. As necessary, DBI shall have the immediate right to demand and pursue collection of any unpaid fees, reimbursements or other amounts that are due and owing to DBI as of the date of termination under the terms of this Agreement or any other agreement between the parties. 5.8 Within sixty (60) days after the later of the termination of this Agreement or the specified run-out period, DBI shall prepare and deliver to Employer a complete and final accounting and report of the financial status of the Plan as of the date of termination together with all books and records in DBI’s possession and control pertaining to the administration of the Plan, all claims files, and all reports pertaining to the Plan. ARTICLE 6 – COST OF ADMINISTRATION 6.1 Plan Administrative Service Fees (a) Employer shall pay DBI a fee for its services rendered pursuant to this Agreement in accordance with the fee schedule attached hereto. Fees are invoiced monthly and are due within thirty (30) days of the invoice date. If Employer disputes any portion of the fees invoiced in good faith, Employer shall provide DBI with written notice of any disputed fees together with a complete written explanation of the reasons for the dispute (the “Dispute Notice”) within thirty (30) days of the invoice date. The parties shall work together in good faith to reach a mutually agreeable resolution of the dispute identified in the Dispute Notice for a period of ten (10) days following the date of the Dispute Notice. If the parties cannot reach such mutually agreeable resolution, the dispute shall be settled pursuant to the procedures set forth in Section 7.13. (b) Employer shall have thirty (30) days from the date of the invoice to correct a participant count for credit or refund. (c) Notwithstanding the foregoing, DBI reserves the right to increase fees at any time based on postal rate or bank fee increases or increased costs due to legislative or regulatory changes, domestic or foreign, actually incurred in performing its services. DBI shall provide Employer with reasonable prior written notice of such increases. (d) DBI reserves the right to charge fees for the provision of additional services requested by Employer that were neither included in nor contemplated by this Agreement on the Effective Date. (e) On or after the date the Rate Expiration Date noted on the fee schedule, DBI reserves the right to amend the fee schedule with sixty (60) days’ advance written notice. If Employer is unwilling to accept the changes to the fee schedule, Employer may terminate this Agreement by providing notice to DBI no later than the effective date of the fee schedule amendment. 6.2 Non-Party Payment on Behalf of Employer and Compliance with Anti-Rebating Law Employer represents and warrants that if someone other than Employer is making the payment of DBI’s fees on behalf of Employer the making of such payment does not violate any applicable anti-rebating law. Employer agrees TOWN OF AVON (29161) PAGE 16 OF 36 to hold DBI harmless and not liable and release it from all liability whatsoever from any and all losses and expenses that may result from a breach of this Section 6.2. 6.3 Past Due Fees Notwithstanding anything in this Agreement or any other agreement between the parties to the contrary, if Employer fails to pay DBI, any amount (except for amounts subject to a good faith dispute) that is due as a result of the services provided by DBI to Employer under this Agreement or any other Agreement between the parties, DBI shall be permitted to deduct (in accordance with Section 2.13(b)) the undisputed amount from any funds held by DBI that were received from Employer. This right of offset shall be in addition to any other remedies that DBI may have under this Agreement or any other agreement between the parties with respect to such non-payment, including, without limitation, any right to terminate this Agreement or right to recoupment, regardless of whether the past due amount is paid in full as a result of the offset or recoupment rights provided herein. 6.4 Participant Count Employer represents and warrants the accuracy of the information provided by or on behalf of Employer to DBI regarding the participant count. The participant count for billing purposes is determined on the last business day of each month. Participants losing eligibility after the first business day of the month are included in the count for that month’s billing. Employee means those employees eligible to participate in the Plan. For the purposes of this Section 6.4, “participants” are those individuals who are eligible for account coverage based on the Employer’s plan document, including plan run-out periods, plan carryovers in accordance with IRS Notice 2013-71 and Prop. Treas. Reg. §§ 1.125-1(o) and 1.125-5(c) and Plan grace periods in accordance with IRS Notice 2005-42, 2005-1 C.B. 1204, and Prop. Treas. Reg. § 1.125-1(e). ARTICLE 7 – GENERAL 7.1 Assignment This Agreement may not be assigned by either party without the prior written consent of the other unless in connection with a merger, acquisition or sale of all or substantially all of the party’s assets and provided that the surviving entity has agreed to be bound by this Agreement and has notified the other party in writing within thirty (30) days of the assignment. 7.2 Force Majeure Notwithstanding anything herein to the contrary, neither party shall be liable or deemed to be in default under or in breach of this Agreement for failure to perform or delay in the performance of any of their respective obligations under this Agreement to the extent that such failure or delay results from any act of God, military operation, terrorist attack, widespread and prolonged loss of use of the Internet, national emergency, government restrictions, or disruption of the financial markets. The affected party shall use all commercially reasonable efforts to remedy any inability to perform under this Agreement. 7.3 Governing Law This Agreement shall be governed and interpreted by the laws of the State of North Dakota to the extent such laws are not inconsistent with or preempted by ERISA, the Code or any other applicable federal law. In the event of any conflict of laws, the laws of the State of North Dakota shall prevail. The parties agree that any claim or action arising from this Agreement can only be brought in the United States District Court for the District of North Dakota, and both parties consent to such jurisdiction and venue. 7.4 Number Where the context of this Agreement requires, the singular shall include the plural and vice versa. TOWN OF AVON (29161) PAGE 17 OF 36 7.5 Relationship of the Parties The parties agree that in performing their responsibilities under this Agreement, they are in the position of independent contractors. This Agreement is not intended to create, nor does it create and shall not be construed to create, a relationship of partner or joint venture or any association for profit between Employer and DBI. 7.6 Severability If any provision of this Agreement is found to be unenforceable or invalid, such determination shall not affect any other provision, each of which shall be construed and enforced as if such invalid or unenforceable provision were not contained herein, and the parties will negotiate a mutually acceptable replacement provision consistent with the parties’ original intent. 7.7 Successor In the event of DBI’s resignation or inability to serve, Employer may appoint a successor. In such situations, the replacement of DBI shall be considered a termination of this Agreement and the termination provisions of Article 5 shall remain effective and controlling. 7.8 Survival The provisions of Section 2.1, 2.14, Article 4, 5.6, 5.7, 5.8, 6.2, and Article 7 shall survive the termination of this Agreement. 7.9 Waiver If either party fails to enforce any right or remedy under this Agreement, that failure is not a waiver of the right or remedy for any other breach or failure by the other party. 7.10 Indemnification (a) Subject to the limitations in Section 7.11, DBI will be liable to and will defend, indemnify, and hold harmless Employer and its respective officers, directors, employees, agents, representatives, successors, and permitted assigns from and against any and all liability, damages, costs, losses, and expenses (including attorney fees), disbursements, and court costs reasonably incurred by Employer in connection with any threatened, pending or adjudicated claim, demand, action, suit or proceeding by any third party to the extent solely and directly caused by DBI’s willful misconduct, criminal conduct, material breach of this Agreement or violation of HIPAA privacy or security rules related to or arising out of the services performed by DBI under this Agreement. (b) To the extent permitted by law and except as provided in (a) above, and in addition to the provisions in Sections 2.1, 2.14, and 6.2, Employer will be liable to and will defend, indemnify and hold harmless DBI and its respective officers, directors, employees, agents, representatives, successors, and permitted assigns from and against any and all liability, damages, costs, losses, and expenses (including attorney fees), disbursements, and court costs reasonably incurred by DBI in connection with any threatened, pending or adjudicated claim, demand, action, suit or proceeding by any third party to the extent solely and directly caused by Employer’s willful misconduct, criminal conduct, material breach of this Agreement or violation of HIPAA privacy or security rules related to or arising out of the Services performed by DBI under this Agreement. If Employer is a state agency or otherwise subject to a public entity/political subunit non-indemnification type statute and therefore unable to indemnify under this subsection, DBI shall not be responsible for any injury or damage that occurs as a result of any negligent act or omission committed by Employer including its agents, employees or assigns. (c) The party seeking indemnification must notify in writing the indemnifying party within ten (10) business days of any knowledge of any actual action, suit or proceeding (and within a reasonable period of time with respect to any threatened action, suit or proceeding) to which it claims such indemnification applies. Failure to so notify the indemnifying party shall not be deemed a waiver of the right to seek indemnification except to the extent the actions of the indemnifying party have been prejudiced by the failure of the other party to provide notice within the required time period. TOWN OF AVON (29161) PAGE 18 OF 36 (d) In addition to the foregoing, in the event of a legal, administrative or other action arising out of the administration, processing or determination of a claim for Plan benefits, which is filed or asserted against DBI (“Claim Litigation”), DBI may, at its election, select and retain its own counsel to protect its interests. DBI and Employer shall cooperate fully with each other in the defense of Claim Litigation. DBI shall consult with Employer before settling Claim Litigation. DBI shall be responsible for payment of all legal fees and expenses incurred by it in defense of Claim Litigation unless the Claim Litigation is attributable to Employer’s actions or inactions. Nothing in this subsection (d) shall prevent DBI and/or Employer from pursuing any rights that such party has under this Section 7.10. 7.11 Limitations of Liability In no event shall either party be liable to the other for consequential, special, exemplary, punitive, indirect or incidental damages, including, but not limited to, any damages resulting from loss of use or loss of profits arising out of or in connection with this Agreement, whether in an action based on contract, tort (including negligence) or any other legal theory whether existing as of the Effective Date or subsequently developed, even if the party has been advised of the possibility of such damages. In the event the foregoing is found to be invalid, in no event will DBI's liability for such damages exceed the fees paid by Employer for the services in the twelve-month period in which the cause of action occurred. In addition, notwithstanding any other provision in this Agreement to the contrary, the maximum total liability of DBI to Employer shall be limited to direct money damages in an amount not to exceed the dollar amount that is available to cover such liability under the insurance policy or policies provided for in Section 7.12. This is Employer’s sole and exclusive remedy. No action under this Agreement may be brought by either party more than two (2) years after the cause of action has accrued. DBI and Employer expressly agree that the limitation of liability in Section 7.11 represents an agreed allocation of the risks of this Agreement between the parties. This allocation is reflected in the pricing offered by DBI to Employer and is an essential element of the basis of the bargain between the parties. 7.12 Insurance During the term of this Agreement, DBI shall maintain general liability insurance and professional/cyber liability insurance with policy limits of not less than $5,000,000 per occurrence and in the aggregate for the purpose of providing coverage for claims arising out of the performance of its services under this Agreement. Upon request, DBI shall provide Employer with a certificate of insurance reflecting the general liability insurance coverage. DBI shall maintain a fidelity bond (or an insurance policy similar to a fidelity bond) for DBI and any of its employees who may collect, disburse or otherwise handle or have possession of any funds provided by Employer or who may have the authority to order disbursements or payments on behalf of the Plan. 7.13 Mediation and Arbitration of Disputes Excluding equitable relief and all matters pertaining to the collection of amounts due to DBI arising out of the services provided, the parties agree that any dispute arising out of or related to this Agreement may be submitted to a mutually agreed upon American Arbitration Association (“AAA”) mediator for non-binding confidential mediation in a location mutually agreeable between the parties. If the dispute cannot be resolved through the dispute resolution process or mediation, it shall be submitted to final, binding, and confidential arbitration before AAA in a location mutually agreeable between the parties before one (1) arbitrator. If the parties cannot agree on an arbitrator within fourteen (14) days, then the parties shall request and accept an arbitrator selected by AAA. The parties agree that the procedures outlined in this Section 7.13 are the exclusive methods of dispute resolution. 7.14 Waiver of Jury Trial Each of the parties hereto irrevocably waives any and all right to trial by jury in any legal proceeding arising out of or relating to this Agreement or the transactions contemplated hereby, provided however that for judicial economy purposes, if a party desires to implead or otherwise add the other party to a third party claim and such third party claim is already a jury trial, the foregoing waiver of jury trial shall not apply. It shall also not apply in any criminal case without the written consent of the defendant. TOWN OF AVON (29161) PAGE 19 OF 36 7.15 Notice Any notice required or permitted to be given under this Agreement shall be deemed delivered to the address set forth in this Agreement or such other physical or electronic address as specified by the party: (a) when received if delivered by hand; (b) the next business day if placed with a reputable express carrier for delivery during the morning of the following business day; (c) three (3) days after deposit in the U.S. mail for delivery, postage prepaid; or when received if delivered electronically. DBI: 4321 20th Avenue South, Fargo, ND 58103, Attention: Chief Compliance Officer. 7.16 Entire Agreement This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof, and supersedes all prior or contemporaneous agreements and understandings regarding the subject matter hereof, whether written or verbal. Any amendment to this Agreement must be in writing and consented to by authorized representatives of both parties. The provisions of this Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their heirs, permitted assigns, and successors in interest. Nothing express or implied in this Agreement is intended to confer, and nothing herein shall confer upon any person other than the parties hereto, any rights, remedies, obligations or liabilities whatsoever. 7.17 Counterparts Any number of counterparts of this Agreement may be signed, delivered, and transmitted electronically, each of which shall be considered an original and all of which, together, shall constitute one and the same instrument. TOWN OF AVON (29161) PAGE 20 OF 36 SERVICES AND RECORDKEEPING ADDENDUM Services and Recordkeeping Adjudicate FSA, HRA and Parking/Bicycle reimbursement requests Included Administration for 2 ½ month grace period extension, if applicable Included Automatic email to participant when claims received and reimbursement is made Included Claims Based or Deduction/Contribution Based Included Daily processing of reimbursement requests Included Debit card Included Employee group meetings Additional fee IIAS compliant debit card Included Issue direct deposit to participant savings or checking accounts Included Issue reimbursement checks to participants Included Maintain and update employee FSA/HRA/TSA records Included Online enrollment presentation (Health FSA and Dependent Care FSA Only)Included Plan design and set up Included Postage for standard mailings Included Process claims during plan year run-out period Included Reconcile records to employer’s payroll, if applicable Included Retain records for 8 years from the date the record is created at DBI Included Web enrollment Included Reporting and Communication – Employer Consult on interpretation of applicable United States law Included Daily, weekly, and/or monthly reporting available on status of account balances Included Employer Administrative Guide Included Employer Web portal Included Reporting and Communication – Participant Account balance statement sent 60 days prior to end of plan year (FSA Only)Included Communication concerning ineligible claims Included Employee Administrative Guide Included Enrollment Materials Included Online access to account information 24/7 Included Quarterly emailed statements to participants Included Statement included with each reimbursement check Included Toll-free customer service line Central Time Zone Monday through Friday Clients 7:00 a.m. to 7:00 p.m. Participants 6:00 a.m. to 9:00 p.m. In compliance with United States federal and state law, DBI may monitor and/or record calls that are made to and from the customer service line for quality assurance and training purposes and/or to ensure that DBI's services fully comply with the terms of the Agreement. Included Compliance Generic sample plan document (Section 125, FSA and HRA only)Included Generic sample plan document and summary plan description updates Included Generic sample summary plan description Included Information for annual 5500 Filing (Health FSA and HRA)Included SmartCompliancetm non-discrimination testing (cafeteria plan, FSA, HRA, self-insured medical plan)Additional fee may apply TOWN OF AVON (29161) PAGE 21 OF 36 DEBIT CARD ADDENDUM To the extent that debit cards are provided with respect to FSA accounts, TSA accounts, and/or HRA accounts, the following additional provisions shall apply with respect to the debit card services. Unless otherwise provided below, all of the provisions of the Agreement shall apply to the provision of debit card services as well. Debit cards are referred to as "Card" in this Addendum. 1 Definitions 1.1 Card Transaction means when the Card is presented for payment of Qualified Services. 1.2 For a Health FSA and/or HRA account, Qualified Services include any and all related goods and services within the meaning of the term "medical care" or "medical expense" as defined in Internal Revenue Code Section 213 (26 USC § 213) and the rulings and Treasury regulations thereunder to the extent that such goods and services are allowable for the Account in question. 1.3 For a TSA account, Qualified Services include “parking,” “transit passes,” and “commuter highway vehicle,” within the meaning of Internal Revenue Code Section 132(f) (26 USC § 132(f)) as it relates to “qualified transportation plans.” 1.4 Account means the FSA, TSA and/or HRA, as the context requires and as elected by Employer as part of this Agreement. 1.5 Employee means those employees eligible to participate in the Plan. 1.6 Plan participants or “Participants” means Employees who are eligible for account coverage based on the Employer’s plan document. 2 General Provisions 2.1 DBI shall be responsible to provide administrative services to Participants, including updating Participant records, maintaining accurate account balances and deposit information, activating and deactivating Cards, responding to Participant inquiries and providing appropriate notices of actions taken. 2.2 DBI agrees to reasonably ensure compliance with proper use of the Card and take whatever action is necessary to investigate and resolve errors in Card Transactions asserted by Participants within five (5) business days. 2.3 DBI agrees to cancel, as soon as is practical, access to a Participant's account when a Card is reported as lost or stolen. 2.4 DBI agrees, upon notice from Employer of termination or ineligibility of a Participant to deactivate, as soon as is practical, such Participant’s Card. Should Employer fail to provide this notice in a timely manner causing payment of ineligible expenses, Employer will be responsible for all costs incurred for subsequent Card Transactions made by the terminated or ineligible Participant. 2.5 DBI will make available to Employer, for distribution to the Participants, information as to the proper use of the Card. 2.6 Employer agrees to re-credit Participant Accounts by facilitating an after-tax payroll deduction in accordance with applicable law in those instances where the Card was used to pay for an ineligible expense and the participant failed to reimburse the Plan or the ineligible expense could not be offset with an eligible expense. 2.7 Employer agrees to notify DBI immediately upon suspicion or confirmation of inappropriate or fraudulent Card use. 2.8 The liability for payment of claims falls on Employer or the Plan Participant. Any additional costs, including administrative costs, shall be paid by Employer or Plan Participant. In no event shall DBI be responsible for these payments. TOWN OF AVON (29161) PAGE 22 OF 36 2.9 Employer agrees to administer the Plan in accordance with the rules and regulations of the Plan and this Agreement. 2.10 Employer understands and acknowledges that the origination of ACH transactions to the account must comply with the provisions of United States law. 2.11 Employer agrees to provide all information to be included in any reports or other required documents in a timely fashion, as established by the rules of all governmental entities involved with the Plan, including but not limited to the Department of Labor and the Internal Revenue Service. 2.12 As provided in Section 2.14 of this Agreement, Employer has authorized and instructed DBI in this Agreement to implement its standard administrative procedures to provide services in accordance with this Agreement. Such standard administrative procedures may be different for Card Transactions with respect to a health FSA, TSA and HRA and with respect to one or more groups of Card Transactions, as determined solely by DBI. Such standard administrative procedures may change without notice, as determined solely by DBI. 3 Settlement Provisions 3.1 Employer has, in conjunction with this Agreement, executed and delivered an Authorization Agreement for Direct Payment form to DBI that, among other things, authorizes the issuer of Cards ("Issuer") to debit the account ("Account") designated by Employer on such Authorization Agreement for Direct Payment as more fully set forth therein and in this Addendum. 3.2 All information regarding Employer and its Account in the Authorization Agreement for Direct Payment is true and correct. Employer will provide the Issuer's company ID and routing number to Employer's Depository. If Employer wishes to change the designated Account, Employer must submit the change to Issuer in writing at least ten (10) days before the intended effective date of the change. 3.3 Each business day, Issuer is authorized to debit Employer's Account in the amount required to settle all Card Transactions ("Daily Settlement Amount"). Each business day, collected and available funds in Employer's Account must be greater than or equal to the Daily Settlement Amount for the previous business day. 3.4 Notwithstanding whether there are sufficient funds in the Account to pay a debit originated by Issuer, Employer shall reimburse Issuer for all Card Transactions irrespective of whether any authorization for a Card Transaction was made in accordance with the terms of the applicable health or other Employer Plan. 3.5 If Employer fails to fund the Account to settle with Issuer for Card Transactions, fails to reimburse Issuer for all Card Transactions, or breaches its obligations to Issuer, Issuer may, at its option, suspend or terminate all Cards or change the method by which Employer may settle with Issuer for Card Transactions, including requiring Employer to prefund a settlement account at Issuer. 3.6 Employer acknowledges that Issuer is not a party to the agreement between Employer and DBI and Issuer has no obligation or responsibility to process and or adjudicate benefit claims. Issuer's sole role is to issue Cards and to make settlements arising from Card Transactions based solely on information provided to it by the Card processor. 3.7 Employer acknowledges that the Issuer shall be deemed to be a third party beneficiary with respect to Sections 3 and 4 of this Addendum with full rights to rely upon and enforce the provisions thereof. 4 Other Provisions Card Transactions and direct deposit payments will be settled directly to the Employer Account at the depository financial institution designated by Employer and on record with DBI. Changes to Employer Account information must be made by completing a new Authorization Agreement for Direct Payment form (provided by DBI) and submitting it to DBI. This authorization is to remain in full force and effect until DBI and Issuer receive written notification from an authorized representative of its termination in such time and in such manner as to afford DBI, Issuer and Depository a reasonable opportunity to act on it. TOWN OF AVON (29161) PAGE 23 OF 36 SMARTCOMPLIANCE SUBSCRIPTION ADDENDUM SmartCompliancetm is DBI’s non-discrimination testing portal available on LEAP®. To the extent Employer desires to access to SmartCompliance for testing one or more of its Plans, the following additional provisions shall apply with respect to non-discrimination testing. 1 DBI Non-Discrimination Testing 1.1 Plan Testing The benefit plan or plans covered for services are limited to Premium Only Plan (POP), Premium Only Plan and Flexible Spending Account (POPFSA), Health Reimbursement Arrangement (HRA), and/or Self-Insured Medical Plan (SIMP), for which DBI provides access to SmartCompliance (individually and collectively, as the context may require, all of the foregoing shall be referred to as the “Plan”). 1.2 Test Templates DBI provides Employer non-exclusive, non-transferable, non-assignable right to access and use of SmartCompliance. 1.3 Non-Discrimination Testing Report DBI provides a final testing report with test results and recommendations for correcting failed tests. The report is made available through SmartCompliance, which is a tool designed to help Employer evaluate Employer’s compliance with applicable domestic law and regulation. 1.3 Template Information Retention DBI deletes the data inputted or uploaded into SmartCompliance and the resulting completed templates ten (10) calendar days after submission by Employer. 1.4 Report Retention DBI retains the testing report for eight (8) years from the date the report is created under this Addendum. 1.5 Disclaimers All templates are subject to periodic updates and revision. DBI does not insure or underwrite Employer’s liability to provide benefits under the Plan or provide services other than those stated in this Addendum. DBI is not liable nor will DBI use its own funds for payment of benefits under the Plan, including, without limitation, where such payment of benefits is sought as damages in an action against Employer, DBI or the Plan. 2 Employer Responsibilities 2.1 System of Records Employer’s HRIS/payroll system is the system of record for non-discrimination testing information. Employer must provide DBI with the information necessary to perform the standard non-discrimination testing services and in the file format required by DBI. 2.2 Compliance It is the sole responsibility of Employer to assure compliance with all legal reporting and disclosure requirements, including non-discrimination testing rules. TOWN OF AVON (29161) PAGE 24 OF 36 2.3 Authorized Users Employer shall not make SmartCompliance available to any person or entity other than its authorized users. Employer shall maintain a written, current list of authorized users and shall provide the list to DBI upon request. 2.4 Protection of SmartCompliance Employer agrees to take all reasonable steps to protect SmartCompliance from unauthorized copying, possession, access or use. Upon Employer becoming aware of any such unauthorized copying, possession, access or use, Employer shall promptly notify DBI and assist DBI in preventing the recurrence thereof, and cooperate with DBI in any litigation or proceedings reasonably necessary to protect the rights of DBI. 2.5 Secure Passwords Employer shall ensure that each authorized user maintains the secure password for its use of the testing portal and keeps its password confidential. Employer shall immediately notify DBI of any compromise of any secured password of any authorized user, and shall cooperate with DBI in any manner deemed reasonably necessary by DBI to protect its rights. 2.6 Viruses and Improper Materials Employer shall not access, store, distribute, upload, or transmit any viruses, or any material during the course of its use of SmartCompliance that is unlawful, harmful, threatening, defamatory, libelous, obscene, infringing, harassing or racially or ethnically offensive; promotes or facilitates any unlawful activity; depicts sexually explicit images; discriminates on the basis of nationality, race, gender, color, religious belief or other characteristic protected by applicable law; or causes damage or injury to any person or property. 2.7 Employer Data Employer owns all right, title and interest in and to and is solely responsible for the reliability, integrity, accuracy, quality and lawfulness of data inputted and/or uploaded into SmartCompliance. DBI has no obligation to back up or archive any data and Employer is solely responsible therefor. 2.8 Test Results Employer acknowledges that any reports, test results, and any and all other information that Employer obtains as a result of using SmartCompliance is based solely on the data of Employer and/or its authorized users provided by or on behalf of Employer; DBI is not liable for any inaccuracies or invalid results or reports based on such data; and Employer expressly assumes all risk and liability with respect to its use and interpretation of such reports, results, and other information obtained from Employer’s use of SmartCompliance. Although SmartCompliance is a tool designed to help Employer evaluate Employer’s compliance with applicable domestic law and regulation, all legal, regulatory and administrative matters related in any way to Employer, its data, authorized users or its Plan, and the compliance of any of the foregoing with applicable domestic law, are the sole responsibility of Employer and DBI has no liability or responsibility therefor. Employer further acknowledges and agrees that DBI does not provide legal or tax advice with respect to these matters and that Employer must obtain its own legal and tax advice pertaining in any way to such matters. 2.9 Employer Systems Employer is solely responsible for the maintenance and routine review of its computing and electronic system usage records (i.e., log files) and the security of its own data, data storage, computing devices, other electronic systems, and network connectivity. 2.10 Unauthorized Access Employer acknowledges and agrees that DBI is not liable to Employer, Employer’s employees or any other third-party for any consequences, losses or damages resulting from unauthorized access to or use of its data. TOWN OF AVON (29161) PAGE 25 OF 36 3 Confidential Information and Intellectual Property 3.1 Confidentiality of Employer Data DBI shall maintain appropriate administrative, physical, and technical safeguards for protection of the confidentiality of Employer data. DBI shall not disclose any Employer data except as compelled by law in accordance with this Section 3 or as expressly permitted in writing by Employer. DBI agrees that all Employer data shall be stored on computer servers located within the United States and shall not be transferred to any computer servers located outside of the United States, without the prior written consent of Employer. 3.4 Information Security Each party agrees to use industry standard current firewall and virus-protection software. 3.5 Remedies upon Breach Each party agrees that the other party may have no adequate remedy at law if there is a breach or threatened breach of this Section 3 and, accordingly, that either party is entitled (in addition to any legal or equitable remedies available to such party) to seek injunctive or other equitable relief to prevent or remedy such breach. 3.6 Ownership As between the parties, the parties agree that the confidential information of the other party is, and will remain, the property of such other party. The receiving party obtains no right, title, interest, or license in or to any of the confidential information of the disclosing party except for the rights expressly set forth in this Addendum. 3.7 No Return of Data Employer acknowledges that DBI has no obligation to maintain Employer data relating to this Addendum. Accordingly, DBI does not return any data to Employer or make any such data available for download by Employer after the termination or expiration of the Agreement. 4 Warranties and Remedies 4.1 Limited Warranties DBI warrants that SmartCompliance will perform materially in accordance with the data submitted and the functionality of SmartCompliance will not be materially decreased during the Term. 4.2 Exclusions Notwithstanding the foregoing, DBI does not warrant, and specifically disclaims, that Employer’s access to or use of SmartCompliance and the DBI Technology will be uninterrupted or error-free or that the information obtained by Employer through SmartCompliance will meet Employer’s requirements. Further, DBI is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of Employer data any other data or information over communications networks and facilities, including the Internet, and Employer acknowledges that SmartCompliance and the resulting information may be subject to limitations, delays and other problems inherent in the use of such communications facilities. Employer further acknowledges that it is solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to DBI’s data center and all problems, conditions, delays, delivery failures, and all other loss or damage arising from or relating to Employer’s network connections or telecommunications links or that are caused by the Internet. TOWN OF AVON (29161) PAGE 26 OF 36 4.3 Exclusive Remedies Employer shall promptly notify DBI in writing of any nonconformity to the functionality described herein. DBI is not obligated to correct any such nonconformity if Employer fails to promptly notify DBI in writing, which notice must provide a detailed description of the specific existence and nature of the alleged nonconformity upon Employer’s discovery thereof. Provided the nonconformity giving rise to the warranty claim exists, Employer’s sole and exclusive remedy in relation to its access to SmartCompliance and DBI’s entire liability for any such conformity is as follows: DBI shall as promptly as practicable, and in any event within thirty (30) days after DBI’s receipt of Employer’s written notice if applicable, correct such nonconformity or provide Employer with a plan reasonably acceptable to Employer for correcting the nonconformity at DBI’s expense and in a reasonably timely fashion. If neither can be accomplished with reasonable commercial efforts from DBI, DBI will notify Employer, whereupon Employer may cancel the SmartCompliance subscription and return any and all materials and related documentation to DBI. If Employer elects not to cancel the subscription as provided in this Section 4.3, Employer waives all rights for the applicable breach of the warranty set forth herein. 4.4 Disclaimer of Warranty THE LIMITED WARRANTIES SET FORTH HEREIN CONSTITUTE THE ONLY WARRANTIES WITH RESPECT TO THE SERVICES, SMARTCOMPLIANCE, AND THE DBI TECHNOLOGY. THE LIMITED WARRANTIES ARE IN LIEU OF, AND DBI SPECIFICALLY DISCLAIMS, ANY AND ALL OTHER WARRANTIES, WHETHER WRITTEN OR ORAL, STATUTORY, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, OR ARISING FROM A COURSE OF DEALING, TITLE, NONINFRINGEMENT, USAGE OR TRADE PRACTICE. UPON ANY INTERRUPTION, DELAY OR FAILURE OF ACCESS TO SMARTCOMPLIANCE AND THE DBI TECHNOLOGY, DBI’S SOLE OBLIGATION IS TO USE COMMERCIALLY REASONABLE EFFORTS TO CORRECT THE PROBLEM AND/OR RESUME SUCH ACCESS AS SOON AS PRACTICABLE. TOWN OF AVON (29161) PAGE 27 OF 36 BUSINESS ASSOCIATE AGREEMENT RECITALS WHEREAS, DBI provides certain administrative services, activities or functions in connection with the Plan (“Services”) pursuant to a services agreement between DBI and the Sponsor (“Services Agreement”); and WHEREAS, the parties desire to enter into this Agreement as set forth below for the purpose of addressing the following law, as amended and clarified by the HIPAA Omnibus Rule or any regulation, rule or guidance that may be issued after the effective date of this Agreement: The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) enacted as part of the American Recovery and Reinvestment Act of 2009 and the regulations promulgated thereunder relating to the privacy and security of protected health information; The “Standards for Privacy of Individually Identifiable Health Information,” 45 CFR Part 160 (specifically recognizing here 45 CFR Part 160, Subparts C, D, and E (“Enforcement Rule”)) and Part 164, Subparts A and E (“Privacy Rule”); The “Standards for Electronic Transactions,” 45 CFR Part 160, Subpart A and Part 162, Subpart A and Subparts I through R (“Electronic Transaction Rule”); The “Security Standards for the Protection of Electronic Protected Health Information,” 45 CFR Part 160 and Part 164, Subparts A and C (“Security Rule”); and The “Standards for Breach Notification for Unsecured Protected Health Information,” 45 CFR Part 160 and Part 164, Subparts A and D (“Breach Notification Rule”). NOW, THEREFORE, in consideration of the premises and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Plan and DBI agree as follows: ARTICLE 1 – DEFINITIONS 1.1 “Agent” shall have the meaning given to it in Section 2.5. As provided by HIPAA, an Agent and a Subcontractor are two separate types of arrangements. 1.2 “Breach” shall have the meaning given to it by 45 CFR § 164.402. 1.3 “Business Associate” shall have the meaning given to it by 45 CFR § 160.103. 1.4 “Designated Record Set” shall have the meaning given to it by 45 CFR § 164.501. 1.5 “Health Care Operations” shall have the same meaning given to it in 45 CFR § 164.501. 1.6 “HIPAA” shall mean, collectively, the Privacy Rule, the Electronic Transaction Rule, the Security Rule, and/or the Breach Notification Rule, each as amended and clarified by the HIPAA Omnibus Rule. 1.7 “HIPAA Omnibus Rule” shall mean the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) and the Genetic Information Nondiscrimination Act (GINA),” 78 Federal Register 5566 (January 25, 2013). 1.8 “Individual” shall mean the person who is the subject of PHI and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g). 1.9 “Individual Rights Requests” shall mean Access Requests, Amendment Requests, Accounting Requests, and requests under Section 3.3. 1.10 “Payment” shall have the same meaning given to it in 45 CFR § 164.501. 1.11 “PHI” shall mean any information, whether oral or recorded in any form or medium, that: (i) relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an TOWN OF AVON (29161) PAGE 28 OF 36 Individual; or the past, present or future payment for the provision of health care to an Individual; and (ii) identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. 1.12 “Plan” shall have the meaning provided as first written above. In all cases, the Plan shall mean the group health plan or plans of the Sponsor as set forth in 45 CFR § 160.103. 1.13 “Plan Administration Functions” shall have the same meaning given to it in 45 CFR § 164.504. 1.14 “Plan Administrator” shall mean the entity, individual, group or committee appointed by the Sponsor, or its successor or successors with the authority to administer the Plan. 1.15 “Privacy Official” shall mean the person designated by the Plan to serve as its privacy official within the meaning of 45 CFR § 164.530(a), and any person to whom the Privacy Official has delegated any of his or her duties or responsibilities. 1.16 “Protected Information” shall mean PHI received from the Plan or created, received, maintained or transmitted by DBI on behalf of the Plan. 1.17 “Required by Law” shall have the same meaning given to it in 45 CFR § 164.103. 1.18 “Secretary” shall mean the Secretary of the United States Department of Health and Human Services. 1.19 “Services” shall mean the activities, functions, and/or services that DBI from time to time renders to or on behalf of the Plan to the extent that those activities, functions, and/or services are covered by HIPAA. 1.20 “Subcontractor” shall have the same meaning given to it in 45 CFR § 160.103. 1.21 “Unsecured PHI” shall mean Protected Information that is not secured through the use of a technology or methodology that renders such Protected Information unusable, unreadable or indecipherable to unauthorized individuals as specified in 45 CFR § 164.402. ARTICLE 2 – OBLIGATIONS AND ACTIVITIES OF DBI 2.1 Status of DBI. DBI acknowledges and agrees that it is a Business Associate of the Plan for purposes of the Privacy Rule. 2.2 Permitted Uses and Disclosures of Protected Information. (a) Permitted Uses. DBI shall not use Protected Information other than as permitted by this Agreement. DBI may use Protected Information: (i) in connection with the performance, management and administration of the Services; (ii) for the proper business management and administration of DBI; (iii) to carry out DBI’s legal responsibilities; (iv) to report violations of law consistent with 45 CFR § 164.502(j); (v) to the extent and for any purpose authorized by an Individual under 45 CFR §164.508; and (vi) for any purpose provided that no data is identifiable and has been de-identified pursuant to 45 CFR §164.514(b) (including the separate de-identification guidance issued by the Secretary on November 26, 2012). Notwithstanding the foregoing sentence, DBI shall not use Protected Information in any manner that violates the Privacy Rule, or that would violate the Privacy Rule if so used by the Plan (except for the purposes specified under 45 CFR § 164.504(e)(2)(i)(A) and (B)). (b) Permitted Disclosures. DBI shall not disclose Protected Information other than as permitted by this Agreement. DBI may disclose Protected Information: (i) in connection with the performance, management and administration of the Services; (ii) to report violations of law consistent with 45 CFR § 164.502(j); (iii) to the extent and for any purpose authorized by an Individual under 45 CFR §164.508; and (iv) for any purpose provided that no data is identifiable and has been de-identified pursuant to 45 CFR §164.514(b) (including the separate de-identification guidance issued by the Secretary on November 26, 2012). In addition, DBI may also disclose Protected Information to a third party for the proper business management and administration of DBI and to carry out DBI’s legal responsibilities, provided that the disclosure is Required by Law or DBI obtains, prior to the disclosure: (i) reasonable assurances from the third party that the Protected Information will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the third party; and (ii) an agreement from the third party that the third party will notify DBI immediately of any instances in which it knows the confidentiality of the information has been breached. Further, DBI shall disclose, upon request, Protected Information to the Sponsor for Plan Administration Functions and to designated Sponsor employees (or designated Business Associates of the Plan) who are working for or on behalf of the Plan for purposes of Payment and Health Care Operations (including claims assistance activities) consistent with 45 CFR § 164.506(c)(1). Notwithstanding the foregoing, DBI shall not disclose TOWN OF AVON (29161) PAGE 29 OF 36 Protected Information in any manner that violates the Privacy Rule, or that would violate the Privacy Rule if so disclosed by the Plan (except for the purposes specified under 45 CFR § 164.504(e)(2)(i)(A) and (B)). (c) Minimum Necessary. To the extent required by the Privacy Rule, DBI shall only request, use, and/or disclose the minimum amount of Protected Information necessary to accomplish the purpose of the request, use, and/or disclosure. For this purpose, the determination of what constitutes the minimum necessary amount of Protected Information shall be determined in accordance with Section 164.502(b) of the Privacy Rule. (d) Direct Application of Privacy Rules. DBI shall not use and/or disclose Protected Information or provide any Services that require the use and/or disclosure of Protected Information unless such use and/or disclosure directly complies with this Section 2.2 and Sections 164.502(a)(3) and 164.504(e) of the Privacy Rule. (e) GINA Provisions. Notwithstanding subsections (a) through (c) above, DBI shall not use and/or disclose Protected Information that is genetic information for underwriting purposes, as set forth in 45 CFR § 164.502(a)(5). 2.3 Safeguards. DBI shall maintain and use appropriate and commercially reasonable safeguards to prevent use and/or disclosure of Protected Information other than as permitted or required in this Agreement. 2.4 Reports of Prohibited Disclosures. If DBI becomes aware of a disclosure of an Individual’s Protected Information by DBI and the disclosure violated the provisions of this Agreement, DBI must inform the Privacy Official regarding the prohibited disclosure of the Individual’s Protected Information. To the extent that a disclosure described in this Section 2.4 also constitutes a Breach of Unsecured PHI, the provisions of this Section 2.4 shall not apply, but rather the provisions of Section 2.8 shall apply. 2.5 Agents and Subcontractors. DBI shall require each of its representatives, agents, and entities (collectively, “Agents”) to whom DBI provides Protected Information on behalf of the Plan to agree to observe the restrictions on use and disclosure of the Protected Information imposed upon DBI by this Agreement and the Privacy Rule. In addition, DBI shall enter into a Business Associate Agreement with each of its Subcontractors which meets the requirements of the Privacy Rule, including the requirements set forth in 45 CFR § 164.504(e). 2.6 Access by Secretary. DBI shall make available to the Secretary DBI’s internal practices, books, and records (including its policies and procedures) relating to DBI’s use and disclosure of Protected Information for the purpose of enabling the Secretary to assess the Plan’s and/or DBI’s compliance with HIPAA. DBI shall inform the Privacy Official of any request sent by the Secretary on behalf of the Plan that is received by DBI, unless it is prohibited by applicable law from doing so. 2.7 Mitigation. DBI agrees to mitigate, to the extent practicable, any harmful effect that is known to DBI of a use or disclosure of Protected Information by DBI in violation of the requirements of this Agreement. 2.8 Notice of Breach of Unsecured PHI. (a) DBI Requirements. Upon DBI’s discovery of a Breach of Unsecured PHI by DBI, DBI shall – (1) Pursuant to the requirements set forth in subsection (c) below, provide written notice of the Breach to the Privacy Official, as soon as administratively practicable, but no later than three (3) business days after the Breach is discovered; and (2) Pursuant to the requirements set forth in subsection (b) below, provide written notice of the Breach, on behalf of the Plan, without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a Breach as authorized under 45 CFR § 164.404 or such later date as is authorized under 45 CFR § 164.412 to: (i) each Individual whose Unsecured PHI has been, or is reasonably believed by DBI to have been, accessed, acquired, used or disclosed as a result of the Breach; (ii) the media to the extent required under 45 CFR § 164.406; and (iii) the Secretary to the extent required under 45 CFR § 164.408 (unless the Plan has elected to provide this notification and has informed DBI); and (3) If the Breach involves less than 500 individuals, maintain a log or other documentation of the Breach which contains such information as would be required to be included if the log TOWN OF AVON (29161) PAGE 30 OF 36 were maintained by the Plan pursuant to 45 CFR § 164.408, and provide such log to the Plan within five (5) business days of the Plan’s written request. (b) Notice Requirements. This subsection (b) provides the following special rules that shall each be applicable to the provisions of Section 2.8(a)(1)– (1) The date that a Breach is discovered shall be determined by DBI, in its sole discretion, in accordance with the Breach Notification Rule. (2) The content, form and delivery of each of the notices required by Section 2.8(a)(1) shall comply in all respects with the breach notification provisions applicable to the Plan, as set forth in the Breach Notification Rule. (3) DBI shall send the notices described in Section 2.8(a)(1)(i) to each Individual using the address on file with DBI (or as may be otherwise provided by the Plan). If the notice to any Individual is returned as undeliverable, DBI shall make one additional attempt to deliver the notice to the Individual using such information as is reasonably available to it, or shall take other action required by the Breach Notification Rule. (4) With respect to notices required under Section 2.8(a)(1)(i) and (ii), DBI and the Privacy Official shall cooperate in all respects regarding the drafting and the content of the notices. To that end, before sending any notice to any Individual or the media under Section 2.8(a)(1)(i) or (ii), DBI shall first provide a draft of the notice to the Privacy Official. The Privacy Official shall have five (5) business days (plus any reasonable extensions) to either approve DBI’s draft of the notice or revise the language of the notice. Alternatively, the Privacy Official may elect to draft the notice for review by DBI. Once DBI and the Privacy Official agree on the final content of the notice, DBI shall send the notice to the Individuals and/or the media based on the requirements of the Breach Notification Rule. (c) Privacy Official Notice. The notice to the Privacy Official pursuant to Section 2.8(a)(2) shall include any information available to DBI that is required to be included in a notification to an Individual under 45 CFR §164.404(c). To the extent that DBI does not have the information to be provided in the prior sentence when it is required to notify the Privacy Official, DBI shall provide such information as soon as administratively practicable after such information becomes available. Upon the Plan’s written request, DBI shall provide such additional information regarding the Breach as may be reasonably requested from time to time by the Plan. (d) Notice Fees. DBI reserves the right to charge reasonable, cost based fees for sending the notices required by this Section 2.8 should a Breach be due to actions on the part of the Sponsor, the Plan or any other entity other than DBI, its Agents or Subcontractors. ARTICLE 3 – INDIVIDUAL RIGHTS REQUIREMENTS 3.1 Designated Record Sets. (a) General. DBI agrees to maintain a Designated Record Set for the Plan in a manner and form that will allow the Plan to provide access and amendment rights to an Individual with respect to the Individual's Protected Information in conformance with 45 CFR §§ 164.524 and 164.526. (b) Access to Protected Information. Upon request from the Plan, DBI shall process and respond to a request by an Individual for access to an Individual’s Protected Information that is maintained by DBI in a Designated Record Set pursuant to 45 CFR § 164.524 (an “Access Request”). DBI shall respond to such Access Request by furnishing such Protected Information to the Plan within a timeframe that reasonably allows the Plan to satisfy the timeframes required by 45 CFR § 164.524. If the Protected Information that is requested is maintained electronically and the Individual requests an electronic copy of such information, DBI will provide access to the information in an electronic format that complies with 45 CFR § 164.524(c)(2)(ii). Thereafter, the Plan will be responsible for sending such information to the Individual. (c) Amendment to Protected Information. Upon request from the Plan, DBI shall process a request by an Individual for amendments to an Individual’s Protected Information that is maintained by DBI in a Designated Record Set pursuant to 45 CFR § 164.526 (an “Amendment Request”). DBI shall process such Amendment Request within a timeframe that reasonably allows the Plan to satisfy the timeframes required by 45 CFR § 164.526. (d) Coordination with Privacy Official. DBI shall coordinate and cooperate with the Privacy Official (or any other person designated by the Plan Administrator for this purpose) regarding all processing, recordkeeping, and documentation issues relating to Access Requests and Amendment Requests. Notwithstanding the TOWN OF AVON (29161) PAGE 31 OF 36 foregoing, DBI shall not be obligated to coordinate with the Privacy Official if an Individual files an Access Request or an Amendment Request with DBI and such request is directed solely to DBI. 3.2 Accounting of Disclosures of Protected Information. (a) Documentation of Disclosures. DBI agrees to document and maintain a log of any and all disclosures from and after the date or dates required by 45 CFR § 164.528 made by DBI of Protected Information in a manner and form that will allow the Plan to provide to an Individual an accounting of disclosures or other applicable report of the Individual's Protected Information in compliance with and based on the requirements of 45 CFR § 164.528. (b) Accounting Requests. Upon request from the Plan, DBI shall process and respond to a request by an Individual for an accounting of disclosures or other applicable report of an Individual’s Protected Information pursuant to the requirements of 45 CFR § 164.528 (an “Accounting Request”). DBI shall furnish such accounting relating to the Accounting Request to the Plan within a timeframe that reasonably allows the Plan to satisfy the timeframes required by 45 CFR § 164.528. Thereafter, the Plan will be responsible for sending such information to the Individual. (c) Coordination with Privacy Official. DBI shall coordinate and cooperate with the Privacy Official (or any other person designated by the Plan Administrator for this purpose) regarding all processing, recordkeeping, and documentation issues relating to Accounting Requests. Notwithstanding the foregoing, DBI shall not be obligated to coordinate with the Privacy Official if an Individual files an Accounting Request with DBI and such request is directed solely to DBI. 3.3 Privacy Protection Requests. (a) Restriction Requests on Uses and Disclosures. The Plan and DBI on behalf of the Plan shall not agree to a restriction on the use or disclosure of Protected Information pursuant to 45 CFR § 164.522(a) without first consulting with the other party. DBI is not obligated to implement any restriction, if such restriction would hinder Health Care Operations or the Services DBI provides to the Plan, unless such restriction would otherwise be required by 45 CFR § 164.522(a). (b) Confidential Communication Requests. DBI shall implement any reasonable requests by Individuals relating to a request to receive communications of Protected Information by alternative means or at alternative locations to the extent required by 45 CFR § 164.522(b). (c) Coordination with Privacy Official. DBI shall coordinate and cooperate with the Privacy Official (or any other person designated by the Plan Administrator for this purpose) regarding all processing, recordkeeping, and documentation issues relating to requests under this Section 3.3. ARTICLE 4 – ELECTRONIC TRANSACTION RULE 4.1 Business Associate Requirements. DBI acknowledges that it is a Business Associate of the Plan for purposes of the Electronic Transaction Rule. DBI agrees that it shall comply with all Electronic Transaction Rule requirements that may be applicable to DBI with respect to the Services it provides to and on behalf of the Plan. DBI shall also require each of its Agents and Subcontractors to whom DBI provides Protected Information that is received from, or created or received by DBI on behalf of the Plan, to comply with the applicable requirements of the Electronic Transaction Rule. 4.2 Sponsor Transmissions. The Sponsor hereby represents and warrants that all electronic transmissions with respect to the Plan between the Sponsor (either directly or through its designated agent) and DBI relating to enrollment and disenrollment information and premium payment information as each are covered by the Electronic Transaction Rule are sent or received by the Sponsor (either directly or through its designated agent) in the Sponsor’s capacity as an employer and are not sent or received by the Plan. ARTICLE 5 – OBLIGATIONS OF PLAN 5.1 Privacy Notice. Upon request, the Plan will provide DBI with a copy of its notice of privacy practices pursuant to 45 CFR § 164.520. 5.2 Authorizations. The Plan will notify DBI of any changes in or revocations of Individual authorizations for use or disclosure of Protected Information to the extent that such changes or revocations may affect DBI’s use or disclosure of Protected Information. TOWN OF AVON (29161) PAGE 32 OF 36 5.3 Officials. The Plan will notify DBI of the current name and contact information of the Plan Administrator, the Privacy Official, and any other person that has the authority to act on behalf of the Plan with respect to the provisions contained in this Agreement. 5.4 Plan. Sponsor represents that its Plan documents include specific provisions to restrict the use or disclosure of PHI and to ensure adequate procedural safeguards and accounting mechanisms for such uses or disclosures, in accordance with the Privacy Rule. 5.5 Standard Requirements for Group Health Plans. The Plan represents and warrants that: (i) its plan documents, in accordance with 45 CFR § 164.504(f), allow the Plan to receive Protected Information; (ii) it has received a certification from the Sponsor in accordance with 45 CFR § 164.504(f)(2)(ii), and will provide a copy of such certification to DBI upon request; (iii) the plan document amendments permit the Plan to receive Protected Information (including detailed invoices, reports and statements from DBI); and (iv) the Plan has determined, through its own policies and procedures and in compliance with 45 CFR § 164.502(b), that the Protected Information that it receives from DBI (including the detailed invoices, reports, and statements) contains the minimum information necessary for the Plan to carry out its Payment and Health Care Operations activities. ARTICLE 6 – AMENDMENT AND TERMINATION 6.1 Amendment. No change, modification or attempted waiver of any of the provisions of this Agreement shall be binding upon any party hereto unless reduced to writing and signed by both parties. DBI agrees to take such action as is necessary to amend this Agreement from time to time as the Plan reasonably determines necessary to comply with HIPAA, or any other applicable law, rule or regulation. 6.2 Term. The Term of this Agreement shall be effective on the date first written above (except as otherwise noted herein) and shall terminate when all of the Protected Information received from the Plan, or created or received by DBI on behalf of the Plan, is destroyed in accordance with the Plan’s authorization or is returned to the Plan (or its designated agents) pursuant to Section 6.4. 6.3 Termination. If one party to this Agreement (“Non-Breaching Party”) has knowledge of a material violation of this Agreement by the other party to this Agreement (“Breaching Party”), as determined in good faith by the Non-Breaching Party, the Non-Breaching Party must promptly: (a) Provide an opportunity for the Breaching Party to end and to cure the material violation within a reasonable time specified by the Non-Breaching Party, and if the Breaching Party does not end and cure the material violation within such time (including reasonable extensions that the Non-Breaching Party determines are necessary) to the satisfaction of the Non-Breaching Party, the Non-Breaching Party shall immediately terminate the Services rendered by DBI and any agreement or contract related thereto; or (b) If a cure is not possible as determined by the Non-Breaching Party in its sole discretion, the Non-Breaching Party shall immediately terminate the Services rendered by DBI and any agreement or contract related thereto. 6.4 Effect of Termination. Upon termination pursuant to Section 6.3, the Plan within a reasonable time thereafter must inform DBI to either destroy or return to the Plan (or any agents designated by the Plan) the Protected Information that DBI and its Agents and Subcontractors maintain in any form, and DBI and its Agents and Subcontractors shall retain no copies of the Protected Information. However, in many situations DBI maintains one or more backup copies of Protected Information for auditing, data management, and other related purposes and DBI has determined that destruction of all copies of Protected Information that it maintains is infeasible. Therefore, after termination of the Services and pursuant to 45 CFR § 164.504(e)(2)(ii)(J), this Agreement shall remain in effect and DBI shall continue to observe and shall ensure that its Agents and Subcontractors continue to observe its obligations under this Agreement to the extent copies of the Protected Information are retained by DBI and shall limit further uses and disclosures of Protected Information to the purposes that make its return or destruction infeasible and that are consistent with the Privacy Rule. ARTICLE 7 – ELECTRONIC SECURITY STANDARDS 7.1 Definitions. When used in this Article, the following terms shall have the meanings set forth as follows: (a) “Electronic Media” shall have the meaning given to it in 45 CFR § 160.103. TOWN OF AVON (29161) PAGE 33 OF 36 (b) “Electronic Protected Information” shall mean Protected Information received from the Plan or created, received, maintained or transmitted by DBI on behalf of the Plan that is transmitted by Electronic Media or maintained in Electronic Media. (c) “Security Incident” shall have the meaning given to it in 45 CFR § 164.304. 7.2 Requirements. Pursuant to 45 CFR § 164.314(a)(2)(i), DBI shall: (a) Comply with the applicable requirements of the Security Rule, including the requirement that DBI implement, maintain and document administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Information to the extent required by the Security Rule; (b) Report (pursuant to the terms and conditions of Section 7.3) to the Privacy Official (or such other person designated for this purpose) any Security Incident of which DBI becomes aware and which occurred during the applicable reporting period; (c) Require each of its Agents to whom DBI provides Electronic Protected Information to agree to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Information that is provided to the Agent to the extent required by the Security Rule; and (d) Enter into a contract or other arrangement with each of its Subcontractors that create, receive, maintain or transmit Electronic Protected Information on behalf of DBI pursuant to which the Subcontractor agrees to comply with the applicable requirements of the Security Rule. 7.3 Reporting Protocols. All reports required by Section 7.2(b) shall be provided pursuant to the terms and conditions specified in this Section. (a) Attempted Security Incidents. Reporting for any Security Incident involving the attempted unauthorized access, use, disclosure, modification or destruction of Electronic Protected Information (collectively, an “Attempted Security Incident”) shall be provided pursuant to the standard reporting protocols of DBI (as determined by DBI). (b) Successful Security Incident. Reporting for any Security Incident involving the successful unauthorized access, use, disclosure, modification or destruction of Electronic Protected Information (collectively, a “Successful Security Incident”) shall be provided to the Plan pursuant to the standard reporting protocols of DBI (as determined by DBI), provided that: (i) the reports shall at a minimum include the date of the incident, the parties involved (if known, including the names of Individuals affected), a description of the Successful Security Incident, a description of the Electronic Protected Information involved in the incident, and any action taken to mitigate the impact of the Successful Security Incident and/or prevent its future recurrence; and (ii) the reports shall satisfy the minimum requirements for Security Incident reporting that may be required from time to time by the Secretary. In addition, Successful Security Incidents shall be reported to the Plan as soon as administratively practicable after the occurrence of the incident taking into account the severity and nature of the incident. Notwithstanding the foregoing, the Plan may request details about one or more Successful Security Incidents, and DBI shall have thirty (30) days thereafter to furnish the requested information. (c) Breach of Unsecured PHI. To the extent that a Security Incident described in this Section 7.3 also constitutes a Breach of Unsecured PHI, the provisions of this Section 7.3 shall not apply, but rather the provisions of Section 2.8 shall apply. 7.4 Mitigation. DBI agrees to mitigate, to the extent practicable, any harmful effect that is known to DBI relating to any Security Incident. 7.5 Access by Secretary. DBI shall make available to the Secretary DBI’s internal practices, books and records (including its policies and procedures) relating to the safeguards established by DBI with respect to Electronic Protected Information for the purpose of enabling the Secretary to assess DBI and/or the Plan’s compliance with the Security Rule. DBI shall inform the Privacy Official of any request sent by the Secretary on behalf of the Plan that is received by DBI, unless DBI is prevented by applicable law from doing so. TOWN OF AVON (29161) PAGE 34 OF 36 ARTICLE 8 – GENERAL 8.1 Other Agreements. The Plan and DBI acknowledge and affirm that this Agreement is in no way intended to address or cover all aspects of the relationship of the Plan and DBI and of the Services that are rendered by DBI to and on behalf of the Plan. Rather, this Agreement deals only with those matters that are specifically addressed herein. Further, this Agreement supersedes any prior business associate agreements entered into by DBI and the Plan (or any predecessor to the Plan), and shall apply to all Protected Information existing as of the effective date of this Agreement or created or received thereafter while this Agreement is in effect. 8.2 Indemnification. Any indemnification relating to violations of this Agreement by DBI or the Plan (or the Sponsor on behalf of the Plan) shall be addressed to the extent applicable by the respective Services Agreement. 8.3 Severability. The provisions of this Agreement shall be severable, and the invalidity or unenforceability of any provision (or part thereof) of this Agreement shall in no way affect the validity or enforceability of any other provisions (or remaining part thereof). If any part of any provision contained in this Agreement is determined by a court of competent jurisdiction, or by any administrative tribunal, to be invalid, illegal or incapable of being enforced, then the court or tribunal shall interpret such provisions in a manner so as to enforce them to the fullest extent of the law. 8.4 Interpretation. The provisions of this Agreement shall be interpreted in a manner intended to achieve compliance with HIPAA. Whenever the Agreement uses the term “including” followed by a specific item or items, or there is a passage having a similar effect, such passages of the Agreement shall be construed as if the phrase “without limitation” followed such term (or otherwise applied to such passage in a manner that avoids limitations on its breadth of application). Where the term “and/or” is used in this Agreement, the provision that includes the term shall have the meaning the provision would have if “and” replaced “and/or,” but it shall also have the meaning the provision would have if “or” replaced “and/or.” Any reference to a section or provision of HIPAA shall include any amendment or clarification of such section or provision contained in the HIPAA Omnibus Rule and any regulation, rule or guidance issued by the Secretary following the effective date of this Agreement. 8.5 Counterparts. Any number of counterparts of this Agreement may be signed and delivered, each of which shall be considered an original and all of which, together, shall constitute one and the same instrument. 8.6 Binding Effect. The provisions of this Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their heirs, assigns and successors in interest. The Plan shall have the right to assign this Agreement to any successor or surviving health plan, and all covenants and agreements hereunder shall inure to the benefit of and be enforceable by any such assignee. 8.7 No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, and nothing herein shall confer, upon any person other than the parties hereto any rights, remedies, obligations or liabilities whatsoever. 8.8 Applicable Law and Disputes. The provisions of this Agreement shall be construed and administered to, and its validity and enforceability determined under HIPAA. To the extent that HIPAA is not applicable in a particular circumstance, the provisions of this Agreement shall be construed and administered to, and its validity and enforceability determined under the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). In the event that HIPAA and ERISA do not preempt state law in a particular circumstance, the laws of the State of North Dakota shall govern. In the event of any conflict of state laws, the laws of the State of North Dakota shall prevail. Any disputes between the parties arising under this Agreement shall be resolved in accordance with the arbitration procedures, if any, set forth in the Services Agreement. 8.9 State Privacy and Security Laws. (a) General. Pursuant to 45 CFR § 160.203, DBI and the Plan acknowledge that HIPAA only preempts state laws which are contrary to a HIPAA standard, requirement or implementation specification, provided that state laws which relate to the privacy of Protected Information and are more stringent than the Privacy Rule are not preempted. Accordingly, the parties acknowledge that certain State Privacy Laws affecting the privacy and/or security of personally identifiable information (e.g., name, address, age, and social security number) relating to a Plan participant or beneficiary (“Privacy Restricted Data”) may apply to the Services provided by DBI to the extent such State Privacy Laws are not preempted by HIPAA. For purposes of this Section 8.9, “State Privacy Laws” shall mean any applicable state and local privacy laws governing the creation, collection, storage, maintenance, access, modification, transmission, use or disclosure of Privacy Restricted Data. (b) State Privacy Laws. All Privacy Restricted Data created, collected, received or obtained by or on behalf of DBI in the course of performing its Services shall be created, collected, received, obtained, stored, TOWN OF AVON (29161) PAGE 35 OF 36 maintained, accessed, modified, transmitted, used, and disclosed in accordance with any and all applicable State Privacy Laws. DBI shall at all times perform the Services in accordance with the State Privacy Laws and as not to cause the Sponsor or the Plan to be in violation of the State Privacy Laws. DBI shall be fully responsible for any creation, collection, receipt, access, storage, maintenance, modification, transmission, use, and disclosure of Privacy Restricted Data performed by or on behalf of DBI that is in violation of any State Privacy Laws. DBI shall remedy and mitigate the damages of any breach of privacy, security, integrity or confidentiality with respect to the unauthorized creation, collection, receipt, storage, maintenance, access, modification, transmission, use or disclosure (a “State Breach”) of Privacy Restricted Data that is or may be in violation of any State Privacy Laws. (c) Notification. DBI shall notify the Privacy Official (using the procedures that apply to Breaches of Unsecured PHI under Section 2.8(c)) of any State Breaches by or on behalf of DBI of Privacy Restricted Data that is or may be in violation of any State Privacy Laws. In addition, DBI shall also notify the affected Plan participants and beneficiaries (using the procedures that apply to Breaches of Unsecured PHI under Section 2.8(b)) of any State Breaches by or on behalf of DBI of Privacy Restricted Data that is in violation of any State Privacy Laws and any state or local governmental agencies, authorities or other entities, but only to the extent required by such State Privacy Laws. (d) HIPAA Coordination. The parties acknowledge that in certain situations the provisions of both Section 2.8 and this Section 8.9 shall apply. If both Sections 2.8 and 8.9 apply in a given situation, DBI shall comply with both Sections 2.8 and 8.9 to the extent applicable. 8.10 Obligation of Plan and DBI. To the extent that DBI carries out the HIPAA obligations of the Plan (including the obligations set forth in Section 2.8 and Article III), DBI shall comply with the applicable requirements of HIPAA as they apply to the Plan in the performance of such obligations on behalf of the Plan. TOWN OF AVON (29161) PAGE 36 OF 36