MASTERSERVICES AGREEMENT
***Confidential Treatment Requested. Certain omitted portions of this exhibit have been filed with the Securities and Exchange Commission pursuant to a request for confidential treatment under Rule 406 promulgated under the Securities Act of 1933.
Exhibit 10.11
MASTER SERVICES AGREEMENT
This Master Services Agreement (“MSA”) is effective as of November 28, 2012 (“Effective Date”), by and between Castlight Health, Inc., a Delaware corporation located at 685 Market Street, Suite 300, San Francisco, CA 94105 (“Castlight”) and the Administrative Committee of the Wal-Mart Stores, Inc., Associates’ Health and Welfare Plan (“Plan”), located at 508 SW 8th Street, Bentonville, AR ###-###-#### (“Customer”).
RECITALS
A. WHEREAS, Castlight provides web-based and other services that provide health care cost and transparency to users.
B. WHEREAS, Customer desires to enter into this MSA and related attachments, addenda, Service Addendums (as defined below) and exhibits, collectively the “Agreement” to set forth the terms and conditions upon which Castlight shall provide certain services to or on behalf of Customer, and Castlight desires to provide such services under the terms and conditions of this Agreement.
NOW, THEREFORE, in consideration of the covenants and agreements hereinafter set forth, the parties agree as follows:
ARTICLE 1. DEFINITIONS
1.1 “Castlight Platform” means Castlight’s proprietary technology platform and system (including without limitation software, algorithms and proprietary and technical information therein) for gathering, analyzing, modifying and making available to its users certain health-related user and provider data and related information, guidance and services.
1.2 “Castlight Service” means services that Castlight provides using the Castlight Platform which are more fully described in the applicable Service Addendum.
1.3 “Data” means the following categories of data or information: (i) User Data, (ii) Customer Data, and (iii) TPA(s) Data.
1.4 “Employee User” means each Customer employee who meets the Eligibility Criteria to participate in or be provided the Castlight Service, as defined in the applicable Service Addendum.
1.5 “TPA” means any third party administrator designated by Customer which may include ***, which are Customer’s third party administrators of health services, including physician network management, as of the Effective Date.
1.6 “TPAs Data” means data provided by the TPAs on behalf of the Customer such as, but not limited, to formulary data, provider directories, network data, national pre-authorization procedures, clinical policy bulletins and proprietary rate tables as agreed to by the TPAs.
1.7 “New Data” means (a) a modified version of User Data or Customer Data or (b) new data created with reference to User Data or Customer Data, in each case whether through aggregation, cleansing, scrubbing, reverse engineering, extraction or other means, such that (i) with respect to modified User Data or new data created with reference thereto, the applicable User has been de-identified in accordance with 45 CFR section 164.514, as applicable and (ii) with respect to modified Customer Data or new data created with reference thereto, Customer has been de-identified in accordance with 45 CFR section 164.514, as applicable.
1.8 “Customer Data” means data specific to Customer provided by or on behalf of Customer to Castlight, such as, but not limited to, Summary of Plan Design and medical and claims histories.
1.9 “Services” means (a) the Castlight Service, and (b) the Other Services (as defined in the applicable Service Addendum).
1.10 “Providers” means certain third parties that provide services to Customer, such as employee benefits portals, and in connection with such provision of services to Customer will be providing information to Castlight in connection with this Agreement.
1.11 “User” means Employee Users and Adult Dependent Users.
1.12 “User Data” means demographic and other User-specific information and data, whether or not such information or data is Protected Health Information (as defined in the Business Associate Agreement between Castlight and Customer dated September 20, 2012 (the “BAA”)). User Data includes, without limitation, each Employee User’s name, address, dependent information, claims histories and explanations of benefits.
1.13 “Launch Date” shall have the same meaning as such term is defined in the First Services Addendum executed between Castlight and the Plan, dated of even date hereof (the “First Services Addendum”).
ARTICLE 2. SERVICES.
The specific Services to be provided and related terms and conditions shall be specified in writing (each such writing, a “Service Addendum”). Each Service Addendum shall (a) be signed by an authorized representative of each party; (b) include the applicable term, the description of Services to be performed, the responsibilities of the parties, compensation and payment terms and any additional terms and conditions as needed; (c) be subject to all of the terms and conditions of this MSA and the BAA. The terms and conditions of the MSA and the BAA shall control in the event of a conflict with the Service Addendum, except to the extent that the applicable Service Addendum expressly states that it supersedes this MSA.
ARTICLE 3. TERM AND TERMINATION
3.1 Term. The initial term of this Agreement (the “Initial Term”) commences on the Effective Date and continues until December 31, 2015. (The Initial Term is also referred to as the “Term.”) This Agreement may be terminated during the Term as provided below in Section 3.2 and Section 3.3.
3.2 Termination for Cause. Either party may terminate this Agreement at any time during the Term: (a) immediately for a material breach of this Agreement by the other party unless such material breach is cured within such 30 day period; or (b) immediately if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
3.3 Termination without Cause.
| (a) | Termination ***. Upon the effective date of such termination, Castlight shall immediately cease work on the effective Service Addendum(s) and deliver to Customer all Services |
2
| performed to date of termination. In the event ***, Customer shall pay Castlight a fee to allow Castlight the recover a portion of the costs it has incurred (e.g., software, hardware, IT infrastructure, engineering resources, management resources, new hires, training, increased third party vendor costs) in anticipation of providing services under this Agreement. The fee shall be equal to the ***. Castlight represents that the fee will not exceed *** under this Agreement. |
| (b) | Termination after First Contract Year. Upon written notice to Castlight, at any time during any Term subsequent to the First Contract Year, Customer may terminate this Agreement *** prior written notice. Upon the effective date of such termination, Castlight shall immediately cease work on the effective Service Addendum and deliver to Customer all Services performed to date of termination. In the event of such termination, Customer shall only be responsible for the payment of fees described in Section 3.4. |
3.4 Effect of Expiration or Termination. Upon expiration or termination of this Agreement (a) Castlight shall have no further obligation to perform the Services and shall cease performing the Services; (b) neither party shall be relieved from any obligation accrued up to and including the date of such expiration or termination nor deprived of any right or remedy otherwise available to it hereunder; (c) within 30 days Customer will pay Castlight for all Services performed. Article 4 (including the sections of any Service Addendum regarding payment obligations), Article 6, Section 7.1 (except Customer shall have no further obligation under Section 7.l(b)), Article 8 (except for Section 8.1), Article 9 and those provisions of any Service Addendum that survive such expiration or termination as specified in such Service Addendum shall survive any termination or expiration of this Agreement.
ARTICLE 4. FEES, PAYMENT AND PAYMENT TERMS
4.1 Service Fees, Invoicing and Payment Terms. Castlight’s compensation and payment for the Services and the applicable invoicing and payment terms shall be as set forth in the applicable Service Addendum.
4.2 Taxes. Castlight’s fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including but not limited to value-added, sales and use, or withholding taxes, assessable by any local, state, provincial, federal or foreign jurisdiction (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder. If Castlight has the legal obligation to pay or collect Taxes for which Customer is responsible under this Section 4.2, the appropriate amount shall be invoiced to and paid by Customer.
ARTICLE 5. REPRESENTATIONS AND WARRANTIES
5.1 By Both Parties. Each party represents and warrants to the other party that: (a) it has all requisite power and authority to enter into this Agreement and to carry out its obligations hereunder and (b) by entering into this Agreement, including any Service Addendum, it does not and will not violate or constitute a breach of any of its contractual obligations with third parties.
5.2 By Castlight. Castlight represents and warrants to Customer that (a) Castlight shall properly supervise all persons performing Services and shall require that all such persons comply with the applicable terms of this Agreement, including any applicable Service Addendum and the BAA; (b) to
3
Castlight’s knowledge as of the Effective Date, the Castlight Platform does not infringe any registered U.S. copyright, patent or trademark of any third party; and (c) Castlight will perform the Services in a professional manner, and such Services will comply in all material respects with the descriptions set forth in the applicable Service Addendum, subject to the terms and conditions thereof.
5.3 DISCLAIMER. EXCEPT FOR THE EXPRESS LIMITED WARRANTIES SET FORTH IN SECTIONS 5.1 AND 5.2, CASTLIGHT MAKES NO WARRANTY IN CONNECTION WITH THE SUBJECT MATTER OF THE AGREEMENT (INCLUDING, WITHOUT LIMITATION, THE SERVICES AND THE CASTLIGHT PLATFORM) AND HEREBY DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ALL IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING OR USAGE OF TRADE, REGARDING SUCH SUBJECT MATTER.
ARTICLE 6. CONFIDENTIAL INFORMATION. (a) Both Parties acknowledge that either party may receive (the “Receiving Party”) Confidential Information (as defined hereinafter) from the other Party (the “Disclosing Party”) during the Term of this Agreement and such Confidential Information will be deemed to have been received in confidence and will be used only for the purposes of this Agreement. The Receiving Party shall use the Disclosing Party’s Confidential Information only to perform its obligations under this Agreement and disclose the Disclosing Party’s Confidential Information only to the Receiving Party’s personnel having a need to know the information for the purpose of this Agreement; provided that Customer acknowledges that certain Confidential Information is disclosed to users of the Services as necessary to provide the Services. The Receiving Party shall treat the Confidential Information as it does its own valuable and sensitive information of a similar nature and, in any event, with not less than a reasonable degree of care. Upon the Disclosing Party’s written request, the Receiving Party shall return or certify the destruction of all Confidential Information, and the obligation of confidentiality shall continue for three (3) years from the expiration or termination of this Agreement except as noted below in Section 6(a)(i) and 6(a)(ii); provided however, the parties agree and acknowledge that it will be infeasible for Castlight to return or destroy PII (as defined below) related to a User that has requested Customer retain information related to such User; and PII stored on encrypted back-up tapes that are stored in a secure location; provided further, however, the Receiving Party shall keep (i) any personally identifiable information and personal health information as defined in 45 CFR section 160.l03 (collectively, “PII”) confidential in perpetuity; and (ii) any trade secrets of the Disclosing Party confidential as long as such information is deemed a trade secret. (b) The term “Confidential Information” includes, without limitation, (i) PII; (ii) all information communicated by the Disclosing Party that should reasonably be considered confidential under the circumstances, notwithstanding whether it was identified as such at the time of disclosure; (iii) all information identified as confidential to which Receiving Party has access in connection with the subject matter hereof, whether before or after the Effective Date; and (iv) this Agreement and shall include without limitation, (A) all trade secrets, (B) existing or contemplated products, services, designs, technology, processes, technical data, engineering techniques, methodologies and concepts and any information related thereto, and (C) information relating to business plans, sales or marketing methods and customer lists or requirements. (c) The obligations of either Party under this Article 6 will not apply to information that the Receiving Party can demonstrate (i) was in the possession at the time of disclosure and without restriction as to confidentiality; (ii) at the time of disclosure is generally available to the public or after disclosure becomes generally available to the public through no breach of agreement or other wrongful act by the Receiving Party; provided, however, the Receiving Party remains subject to confidentiality obligations regardless of its availability to the public or availability through unauthorized disclosure; (iii) has been received from a third party without restriction on disclosure and without breach of agreement or other wrongful act by the Receiving Party; or (iv) is independently developed by the Receiving Party without regard to the Confidential Information of the other party. (d) In the event the Receiving Party is required by law, regulation, stock exchange requirement or legal process to disclose any of the Confidential Information, the Receiving Party agrees
4
to (i) give Disclosing Party, to the extent possible, advance notice prior to disclosure so the Disclosing Party may contest the disclosure or seek a protective order, and (ii) limit the disclosure to minimum amount that is legally required to be disclosed.
ARTICLE 7. INTELLECTUAL PROPERTY AND DATA RIGHTS
7.1 Improvements and Feedback. Castlight will exclusively own all right, title and interest in and to (a) the Castlight Platform and to the Castlight Service; (b), any improvements, enhancements, derivative works, modifications, additional modules or features to or for the Castlight Platform or the Castlight Service developed or created during the Term, whether created or developed solely or jointly by or for the parties or any User; and (c) all intellectual property rights in the foregoing. Castlight will exclusively own all right, title and interest in and to any feedback, ideas, suggestions or information that Customer provides relating to the Castlight Service or the Castlight Platform, including all intellectual property rights therein.
7.2 Access and Use of Data. Customer will provide, or direct the TPA(s) and/or Providers to provide, Data to Castlight for Castlight’s performance of the Services. Castlight may access, reproduce, modify and prepare derivative works of, aggregate, analyze, cleanse, scrub, reverse engineer, distribute, display, present and otherwise use Data as reasonably necessary for the purposes of performing and providing Services. Customer shall ensure that (i) all information that Customer provides to Castlight, including but not limited to eligibility files, is authentic, accurate, reliable, complete and confidential and (ii) Castlight may use such information in accordance with the terms of this Agreement without violating or infringing any third party rights. Customer’s security measures shall include, but are not limited to: (a) maintaining, and requiring agents and subcontractors to maintain, administrative, technical and physical safeguards to protect the security, integrity and confidentiality of data provided to Castlight, including up-to-date and anti-virus software; (b) not accessing or using the electronic systems of Castlight for any purpose that is illegal or unauthorized; and (c) maintaining and enforcing security management policies and procedures and utilizing mechanisms and processes to prevent, detect, record, analyze, contain and resolve unauthorized access attempts and for periodically reviewing its processing infrastructure for potential security vulnerabilities. Castlight is entitled to rely on the information submitted by the Customer and TPA(s) unless Castlight knew or should have known the information was erroneous.
7.3 Ownership. As between the parties (a) Customer shall own all rights, title and interest in and to any and all Customer Data and (b) Castlight shall own all rights, title and interest in and to any and all New Data.
7.4 Effect of Termination on Data Rights. Castlight will, within ninety (90) days after written request by Customer, purge all Customer Data received from the Customer except (a) to the extent a User has requested that Castlight retain information related to such User or (b) stored on encrypted back-up medium that are stored in a secure location; provided, however Castlight will not be required to purge any New Data and will, at all times, be free to use such New Data for any purpose without restriction of any kind.
5
ARTICLE 8. INSURANCE, INDEMNIFICATION AND LIMITATIONS OF LIABILITY
8.1 Insurance. During the Term of this Agreement and for a period of 3 years following the expiration or termination, Castlight shall obtain and maintain a policy or policies of liability insurance covering Castlight’s obligations under this Agreement to include (i) commercial general liability insurance, (ii) workers’ compensation insurance as required by applicable law; (iii) insurance covering intellectual property infringement; and (iv) professional liability insurance protecting Castlight and Customer from errors and omissions of Castlight in connection with the performance of Services. All such insurance required herein shall be with companies and in amounts reasonably acceptable to Customer (and Customer acknowledges that Castlight’s existing insurance amounts and companies are acceptable) and the coverage thereunder may not be reduced or canceled without Customer’s prior written consent. All insurance shall be primary and not contributory with regard to any other available insurance to Customer. All insurance shall be written by companies with a BEST Guide rating of B+ VII or better. Certificates of insurance (or copies of policies) shall be furnished to Customer upon Customer’s request. All such policies shall include Customer as an additional insured and contain a waiver of subrogation. Such policy(ies) shall have a minimum coverage of $*** per occurrence and in the aggregate.
8.2 Indemnity by Castlight. Castlight agrees to defend, indemnify and hold harmless Customer, its directors, officers, employees and agents for that portion of any loss, liability, damage, expense, settlement, cost or obligation (including court costs and reasonable attorneys’ fees) arising from third party claims of Castlight’ s actual or alleged (a) negligence, or willful or criminal misconduct; (b) material breach of this Agreement; or (c) misrepresentation or fraud related to or arising out of the Services and/or Castlight’s performance of the Services.
8.3 Indemnity by Customer. Customer agrees to defend, indemnify and hold harmless Castlight, its directors, officers, employees and agents for that portion of any loss, liability, damage, expense, settlement, cost or obligation (including court costs and reasonable attorneys’ fees) arising from third party claims of Customer’s actual or alleged (a) negligence or willful or criminal misconduct; (b) material breach of this Agreement; or (c) misrepresentation or fraud related to or arising out of the performance of this Agreement.
8.4 Limitation of Liability. NEITHER CUSTOMER NOR CASTLIGHT SHALL BE LIABLE TO THE OTHER UNDER THIS AGREEMENT UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY, TORT OR OTHER LEGAL OR EQUITABLE THEORY FOR ANY INCIDENTAL, INDIRECT, CONSEQUENTIAL, EXEMPLARY, PUNITIVE OR SPECIAL DAMAGES OF ANY NATURE WHATSOEVER, REGARDLESS OF W HETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTWITHSTANDING THE ABOVE, NOTHING IN THIS SECTION SHALL LIMIT THE ABILITY OF EITHER PARTY TO OBTAIN DAMAGES THAT FULLY COMPENSATE SUCH PARTY FOR ACTUAL LOSSES, FINES, PENALTIES AND REASONABLE ATTORNEY’S FEES OR OTHER COSTS OR TO OBTAIN AN Y RELIEF PROVIDED UNDER ***. THE LIMITATIONS SPECIFIED IN THIS SECTION 8.4 WILL SURVIVE AND APPLY EVEN IF ANY LIMITED REM EDY SPECI FIED IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. THE FOREGOING SHALL NOT LIMIT CUSTOMER’S PAYMENT OBLIGATIONS UNDER THIS AGREEMENT OR ANY SERVICE ADDENDUM.
ARTICLE 9. MISCELLANEOUS
9.1 Complete Agreement. This Agreement, including all exhibits and addenda hereto, sets forth the entire understanding of the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, representations or understandings between them, written or oral, concerning such subject matter. No waiver or modification of any provision of this Agreement may be made unless by a written instrument duly executed by both parties. Any waiver or breach of any term or condition shall not be deemed to be a waiver of any preceding or succeeding breach of the same or any other term or condition.
6
9.2 Assignment. Neither Customer nor Castlight may assign this Agreement, or any rights, duties or obligations contained herein, to any other person, firm, corporation or other business entity without the prior written consent of the other party except that this Agreement may be assigned by either party to any of its parent, subsidiary or affiliate organizations or any successor (whether direct or indirect, by purchase, merger, consolidation or otherwise) to all or substantially all of its business assets which assignment shall be subject to the other party’s prior written consent, which consent shall not be unreasonably withheld or delayed. Any assignment in violation of this Section 9.2 shall be void and of no force or effect. If Customer consents to any assignment, Castlight shall remain liable for the action of any party to whom Castlight assigns this Agreement, or its rights or obligations. If Castlight subcontracts any of its obligations under this Agreement, it shall be fully responsible for the performance of its subcontractors as if they were employees.
9.3 Notices. All notices and other communications required or permitted under this Agreement shall be in writing, served personally on, delivered by recognized overnight courier or mailed by certified or registered United States mail to, the party to be charged with receipt thereof at the address first listed above. Notices and other communications served by mail shall be deemed given hereunder 72 hours after deposit of such notice or communication in the United States Post Office as certified or registered mail with postage prepaid and duly addressed to whom such notice or communication is to be given. All other notices shall be deemed given hereunder upon actual receipt. Any such party may change said party’s address for purposes of this Section by giving to the parties intended to be bound thereby, in the manner provided herein, a written notice of such change.
9.4 Severability. All Sections, clauses thereof and covenants contained in this Agreement are severable, and in the event any of them shall be held to be invalid by any court, this Agreement will remain in full force and effect, such Sections, clauses or covenants will be deemed stricken and the remaining provisions will not be affected or impaired and will be interpreted as if such invalid Sections, clauses or covenants were not contained herein.
9.5 Applicable Law and Waiver of Jury Trial. This Agreement is made and shall be governed by and construed, interpreted and enforced in accordance with the laws of the State of Delaware, without regard to principles of conflicts of law. Each party waives any right to jury trial in connection with any dispute arising out of or concerning the Agreement.
9.6 Relationship of Parties. The parties are independent contractors. This does not create a partnership, joint venture, franchise, agency, fiduciary or employment relationship between the parties.
9.7 Attorneys’ Fees. If any action at law or in equity is necessary to enforce the terms of the Agreement, the substantially prevailing party will be entitled to reasonable attorneys’ fees, costs and expenses in addition to any other relief to which such prevailing party may be entitled.
9.8 Force Majeure. Neither party shall be responsible or liable to the other party for nonperformance or delay in performance of any terms or conditions of this Agreement (except payment obligations) due to acts of God, acts of governments, wars, riots, strikes or other labor disputes, fire, flood, or other causes beyond the reasonable control of the nonperforming or delayed party and without the negligence of such party, provided, however, nonperformance or delay in excess of one hundred eighty (180) days shall constitute cause for termination of this Agreement by either party. Castlight shall maintain disaster backup plans and procedures as reasonably necessary to minimize the interruption of its services to be provided to the Customer pursuant to this Agreement.
7
9.9 Audit. Once in each 12 month period and upon at least 10 days prior written notice, Castlight shall allow Customer or its duly authorized representative (at Customer’s sole cost and expense), the right during the Term of this Agreement and for two (2) years after its termination or expiration to conduct in a manner that does not unreasonably interfere with Castlight’s business further full and independent audits and investigations during normal business hours of (i) Castlight’s business; and (ii) all information, books, records and accounts, including, but not limited to, wages due to individuals performing Services under this Agreement, taxes, including unemployment, income and social security, which are due, may be payable, or may otherwise be required to be withheld from wages (but subject to Castlight’s obligations of confidentiality to third parties). Castlight shall keep accurate and complete accounts and time records related to this Agreement.
9.10 Publicity and Use of Trademarks. Neither party shall use the name, logo, trademarks or trade names of the other party in publicity releases, promotional material, customer lists, advertising, marketing or business-generating efforts whether written or oral, without obtaining that party’s prior written consent, which consent shall be given at its sole discretion.
9.11 Headings. The headings of this Agreement are intended solely for convenience of reference and shall be given no effect in the interpretation or construction of this Agreement.
9.12 Counterparts. The Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same Agreement.
IN WITNESS WHEREOF, the parties hereto have caused this MSA to be duly executed as of the date(s) set forth below to be effective as of the Effective Date.
ACCEPTED AND AGREED TO FOR:
| CASTLIGHT HEALTH, INC. | ADMINISTRATIVE COMMITTEE OF THE WAL-MART STORES, INC. ASSOCIATES’ HEALTH AND WELFARE PLAN | |||||||
| By: | /s/ Randall J. Womack | By: | /s/ Illegible | |||||
| Its: | COO | Its: | 11/29/12 | |||||
| Date: | 11/26/12 | Date: |
| |||||
8
FIRST SERVICE ADDENDUM, aka Statement of Work
This First Service Addendum (this “First Addendum”), aka Statement of Work, is made and entered into by and between the Administrative Committee of the Wal-Mart Stores, Inc. Associates’ Health and Welfare Plan (“Plan”) located at 508 SW 8th Street, Bentonville, AR ###-###-#### (“Customer”) and Castlight Health, Inc. (“Castlight”), to be effective as of the same date as that certain Master Services Agreement dated November 28, 2012, entered into by the parties (the “MSA,” and collectively with its attachments, addenda and exhibits, the Business Associate Agreement and this First Addendum, the “Agreement”) to which this First Addendum is attached and incorporated. All capitalized terms not otherwise defined herein shall have the meanings assigned to them in the Agreement.
Recitals
| A. | WHEREAS, the Plan is sponsored by Wal-Mart Stores, Inc. (“Wal-Mart”) and governed under the Employee Retirement Income Security Act of 1974, as amended. |
| B. | WHEREAS, the benefit program offered under the Plan is available to covered associates and their dependents as defined below. |
1. DEFINITIONS. For purposes of this First Addendum, unless otherwise agreed by the parties in writing:
| a. | “Eligibility Criteria” means, |
| (i) | a Wal-Mart employee for whom *** acts as the third party administrator (“TPA”) as of the Effective Date (“*** Employee User”) and an Adult Dependent User for whom *** acts as TPA as of the Effective Date (“*** Adult Dependent User”) as identified by Castlight based on information provided by Customer to Castlight (*** Employee Users and *** Adult Dependent Users collectively “*** Users”); |
| (ii) | a Wal-Mart employee for whom *** acts as TPA as of the Effective Date (an “*** Employee User”) and an Adult Dependent User for whom *** acts as TPA as of the Effective Date (“*** Adult Dependent User”) as identified by Castlight based on information provided by Customer to Castlight (*** Employee User and *** Adult Dependent User collectively “*** Users”); |
| (iii) | a Wal-Mart employee for whom *** acts as TPA as of the Effective Date (“*** Employee User”) and an Adult Dependent for whom *** acts as TPA as of the Effective Date (“*** Adult Dependent User”) as identified by Castlight based on information provided by Customer to Castlight (*** Employee Users and *** Adult Dependent Users collectively “*** Users”). |
| b. | “Launch Date” means the day immediately following the day Castlight delivers notice that implementation is complete for Castlight Service for the *** Users and *** Users and the Castlight Service (and to *** Users subject to Section 2.d below). Customer agrees that its purchases hereunder are neither contingent on the delivery of any future functionality or features nor dependent on any oral or written public comments made by Castlight regarding future functionality or features. The Launch Date is currently targeted for April 1, 2013. |
| c. | “*** Launch Date” means the day immediately following the day Castlight delivers notice that (a) *** has provided Castlight sufficient data for Castlight to provide the Castlight Service (as defined below) and (b) that implementation is complete for *** |
1
| Users of such full Castlight Service. The *** Launch Date is the date that the full Castlight Service is available to be rolled out to *** Users. The *** Launch Date will be determined in accordance with this First Addendum. |
| d. | “User” means an *** User, an *** User and a *** User. |
| e. | “Adult Dependent User” means a person that is an adult dependent of an Employee User or is an adult otherwise eligible to receive health care coverage through an Employee User under the applicable rules of the Plan. |
| f. | “Uptime” shall mean all times when the Castlight Service is running and is available to be accessed by Users as measured by the site monitoring software operated by Castlight (the “Monitoring Software”). |
| g. | “Available Time” shall mean the number of hours in any given month less the amount of Downtime related to events outside of Castlight’s control such as force majeure events, Standard Maintenance Windows, Emergency Maintenance Windows, internet-wide disruptions, denial of service attacks. |
| h. | “Downtime” shall mean all times in which the Castlight Service fails HTTP checks, content verification checks and a service check as measured by the Monitoring Software. |
| i. | “Standard Maintenance Window” consists of a weekly maintenance hour between 10:00 p.m. and 2:00 a.m. Pacific Time every second and fourth Friday of each month or at such other time on Saturday or Sunday as may be scheduled from time to time with ten day prior notice to Customer. |
| j. | “Emergency Maintenance Window” means emergency updates as result of vendor recommended patches to deal with high risk security threats as well as hardware replacement, which maintenance Castlight will use commercially reasonable efforts to perform maintenance during periods of low usage (such as evenings) and to promptly notify Customer of emergency maintenance. |
| k. | “Other Services” means the implementation services and premium communication services more fully described in Section 3 and Section 4 below. |
2. CASTLIGHT SERVICE. During the term of this First Addendum, Castlight will use commercially reasonable efforts to provide Users with the services described in Section 2a, 2b, 2c, 2d and 2e (collectively, the “Castlight Service”), a healthcare navigation service that uses the Castlight Platform to bring price and quality transparency to Users. The Castlight Service is intended to help Users answer basic questions about their healthcare costs, quality of providers and plan benefits by showing them past care expenses, medical policy information, past savings opportunities and estimated prices for providers/services they are considering. The Castlight Service will be comprised of the following:
a. Castlight’s Online Service: Commencing with the Launch Date, Castlight will allow Users access to the online portion of the Castlight Service (the “Online Service”). Commencing with the Launch Date, the Online Service will include the functionality detailed below. Castlight will provide Customer advance written notice of any material changes to the functionality described below will have an impact on User functionality or an impact on the manner in which TPAs interface with the Castlight Platform or assist in the delivery of Castlight Service, including but not limited to Customer claims feed described in Section 3(d), services related to provider directories as described in Section 3(e) and services related to the provision of Accumulator Data described in Section 3(h), provided that no change in functionality shall, at the Customer’s sole determination, adversely affect the functionality of the Castlight Service that existed as of the Launch Date:
i. User Account Management features:
| • | User registration |
| • | User password change/reset |
2
| • | User e-mail address change |
| • | User communication opt out options |
ii. Past care features:
| • | History of past medical services with costs |
| • | Cost detail for past medical services |
| • | Periodic email notices for claims activity |
| • | Out of network alerts |
iii. Insurance plan and coverage features:
| • | Key medical policy features |
| • | Accumulator snapshots |
iv. Prospective services search features:
| • | Provider and services search box |
| • | Out-of-pocket estimates for select inpatient and outpatient services/providers (list of supported inpatient and outpatient services is at the discretion of Castlight and may vary over time or by geography) |
| • | Sort results by out of pocket costs and distance |
| • | Care synonyms, spelling correction and other tools to make search intuitive |
| • | Detailed provider information (e.g. languages spoken, schooling) for select providers |
| • | Detailed explanation and educational content on pricing and/or coverage for select outpatient services |
| • | Consumer ratings |
v. Online support features:
| • | “Ask Castlight” support feature |
| • | Toll-free support number |
vi. Security features:
| • | Secure platform |
| • | HIPAA compliant |
vii. Mobile platform providing access to certain features via mobile devices:
| • | Apple iPhone app |
| • | Google Android app |
| • | Mobile web application |
viii. Pharmacy services: subject to *** agreement with Castlight, an integration of ***s web site that includes links to the certain pages via single sign on technology which may include:
| • | Claims History |
| • | Search Results |
| • | Financial savings opportunities |
b. Castlight User support: Online and phone support in English for registered Users, 7AM – 8PM Central Time, in the following areas: (i) technical support including password reset, bug reporting; (ii) clarification support including answering questions to increase health literacy and explanation of how to use the Online Service; and (iii) shopping support including guiding Users on searching for outpatient providers/services and how to interpret search results. For purposes of this performance standard, the call center shall be deemed not available during Castlight Support’s hours of operation (hereinafter, “downtime”) whenever callers receive a busy signal, there is no answer to a telephone call, or the telephone call is answered by voicemail during Castlight’s hours of operation and there is no option for the caller to speak to a customer service representative.
3
c. Basic reporting services: Castlight standard reporting, as enhanced by Castlight from time to time, which shall include quarterly reporting on utilization of the Castlight Service related to registration, engagement, search activity, spend and support utilization.
d. Castlight Service for *** Users. For *** Users, on the Launch Date Castlight will offer the Castlight Service, provided that the Online Service portion of such Castlight Service offered to *** Users shall not include certain functionality set forth in Section 2.a above, including but not limited to Past Care Features (Section 2.a.ii above). Notwithstanding the foregoing, upon the *** Launch Date, *** Users will receive the full Castlight Service as outlined in Sections 2.a, 2.b, 2c and 2.e.
e. Centers of Excellence Support. Castlight will support the selection of Customer’s Centers of Excellence providers through display in the Castlight Platform according to established quality parameters for Centers of Excellence providers. In addition, Castlight will support the evaluation of providers based on such parameters in order to determine if they meet quality expectations for the Centers of Excellence program.
3. IMPLEMENTATION SERVICES. During the term of this First Addendum, Castlight will also use commercially reasonable efforts to provide related implementation services described below, which, for purposes of this First Addendum, will be deemed the Implementation Services. The Implementation Services will be comprised of the following:
a. Eligibility feeds: Set up a Customer feed so that Castlight can receive User Eligibility Criteria information;
b. Email feeds: Set up a Customer feed so that Castlight can maintain a set of current email addresses to send alert notifications and other product updates;
c. Benefits Information: Customer shall provide all Plan information, open enrollment materials and TPA key contacts;
d. Customer Claims Feed: Set up *** and *** feeds to enable regular imports of Plan’s claims information into the Castlight Platform;
e. Provider directories: Set up monthly TPA feed to provide Castlight with a monthly provider directory;
f. Customer support plan: Co-develop a Customer support plan (e.g. who handles what calls); and
g. Testing plan: Co-develop an integration testing plan for the Castlight Service.
h. Accumulator Data. Set up a feed from each TPA (or the clearinghouse used by such TPA) for Customer’s Accumulator Data (defined as information provided in the form of HIPAA 270/271 transaction data for use by Castlight in identifying deductible accumulations and other information necessary for Castlight’s display of out-of-pocket cost estimates to Users as part of the Castlight Services).
4. PREMIUM COMMUNICATION SERVICES. The following “premium” communication services or their equivalents:
(a) co-development of a comprehensive marketing and communications plan;
4
(b) development of a personnel manager communications toolkit including all required copyrighting and design of print and on-line collateral;
(c) development and execution of regional WebEx training sessions for personnel managers;
(d) development of comprehensive on-line communications collateral for Customer benefits portal and intranet sites;
(e) customization of Customer specific communications microsite, incorporating the Customer logo, Customer-specific home page messaging, and Customer-specific support phone number;
(f) design and execution of print or on-line collateral specific to the needs of home office, distribution, and trucking locations including podcasts, newsletter articles, and digital collateral;
(g) full design and execution for three communications pilots to test the effectiveness of home print, employee incentives, and manager incentives, as well as similar design and execution for up to three follow on pilot expansions;
(h) monthly management reporting on engagement and end user success stories;
(i) e-mail invitations for Users to register for the Online Service;
(j) translation of any requested communications pieces to Spanish;
(k) generation and sending of e-mail marketing communications;
(l) tracking of Castlight-generated e-mail marketing campaigns;
(m) in-product training materials (e.g. a product tour) for all Users;
(n) quarterly User surveys;
(o) ongoing communications to Users regarding changes/upgrades to the Online Service, health care consumerism education, user feedback surveys, and other related topics;
(p) up to 24 graphically designed in-application targeted messages;
(q) full project management of Castlight-related communications including weekly check-in calls;
(r) up to four on-site meetings annually including store and distribution center visits, and attendance at annual shareholders meeting and annual internal managers meeting;
(s) annual refresh of all appropriate communications in advance of annual enrollment; and
(t) full participation and collaboration in including appropriate messaging regarding Castlight in all other benefits communications. Customer acknowledges that Castlight will host the microsite referenced in section 4.e above under a Customer specific public URL for the benefit of Customer and Customer grants Castlight license to use Customer’s name and logo on such microsite.
5
5. SERVICE EXCLUSIONS. Subject to change from time to time at the sole discretion of Castlight, except as specifically set forth above the Castlight Service and the Other Services do not include the following:
(a) prospective search and out of pocket cost information for dental, vision or other non-outpatient services and certain inpatient and outpatient procedures;
(b) additional customizations of the Online Service;
(c) customized reporting or data analytics;
(d) additional communications or training;
(e) additional Customer support services (e.g. claims dispute resolution);
(f) supporting a change in Customer’s third party administrator from the TPA to another party;
(g) supporting the addition of other third party administrators beyond the TPAs named in Section 1.4 of the MSA;
(h) supporting data feeds in addition to the data feed from the TPAs; and
(i) provision of the Castlight Service to persons other than Users. Provision of any of these additional services to persons other than Users will require a separate Service Addendum, including terms and conditions and additional associated service fees to be mutually agreed by the parties.
6. PROJECT STAFF.
| a. | Castlight will provide the following resources prior to launch: |
| 1. | Implementation Manager; |
| 11. | Marketing/Communications lead; |
| iii. | Legal/Finance resources to support scoping and contracting; |
| iv. | Staff as needed to detail and execute technical work; and |
| v. | Leadership support. |
| b. | Customer will similarly commit the following resources: |
| 1. | Implementation Project Manager; |
| ii. | Business Development/Legal resource to support scoping and contracting; |
| 111. | IT/Delivery staff as needed for integration, data feeds, etc.; and |
| iv. | Leadership support. |
7. UPTIME COMMITMENT. Castlight warrants to Customer that each month Uptime shall constitute at least 99.9% of Available Time for the Castlight Service (“Service Level Warranty”). If Castlight breaches the Service Level Warranty (as confirmed by the Monitoring Software), Castlight will issue a credit against the next invoice payable by Customer (and if no further invoices are due, Castlight will pay Customer the amount of the credit within thirty days of the end of this First Addendum). Such credit will be equal to five percent (5%) of Customer’s monthly Service Fee.
6
8. TELEPHONE INQUIRY HANDLING.
| a. | Calls Answered < 30 seconds: 80% of all telephone calls answered during a calendar month by Castlight’s customer service representatives will be answered in thirty (30) seconds or less. |
| b. | Abandonment Rate: The telephone call abandonment rate will be 3.0% or less. The telephone call abandonment rate will be calculated by dividing the total number of telephone calls from persons covered under the Plan that are terminated by the caller after the call is queued by the automated telephone system for the next available customer service representative, but before the caller speaks with a customer service representative, by the total number of telephone calls from persons covered under the Plan received at Castlight’s office each month. |
| c. | Performance Guarantee: In the event that Castlight’s service performance level is determined to be less than any of the standards described in Section 8(a) and 8(b), above, during any month for any reason (except related to events outside of Castlight’s control such as force majeure events), Castlight will be responsible for issuing a credit against the next invoice payable by Customer (and if no further invoices are due, Castlight will pay Customer the amount of the credit within thirty days of the end of this First Addendum). Such credit will be equal to five percent (5%) of Customer’s monthly Service Fee. |
9. IMPLEMENTATION FEES. In consideration of Castlight’s provision of the Implementation Services under Section 3 of this First Addendum and the Communications Services under Section 4 above, Customer shall pay Castlight a nonrefundable Implementation and Communications Fee of $***, payable concurrent with the execution of this First Addendum. Fees that Customer may be charged by the TPAs, any providers or other third parties in connection with the implementation of the Castlight Service and integration of Castlight with such parties (which may include but are not limited to fees for marketing collateral/agency costs for additional marketing developed by Customer, costs for claims extracts and/or provider directory feeds to Castlight, eligibility file feeds and time/materials payments to support Customer’s outsourced call center integration into Castlight) shall be the sole responsibility of Customer.
10. FEES FOR THE CASTLIGHT SERVICES.
a. Monthly Service Fees. In consideration of Castlight’s provision of the Castlight Services (including the Castlight Services to *** Users) under Section 2 of this First Addendum, for each month (or portion thereof) during the Term (as defined in the MSA) after the Launch Date, Customer will pay Castlight, in accordance with Section 11, the Service Fee (as calculated under this Section 10).
b. Monthly Service Fees. The “Service Fee” for each month commencing with the Launch Date will be the sum of:
i. the product of: (A) the number of eligible *** Employee Users each month; and (B) the per *** Employee User per month rate of $*** (the “Monthly *** Employee Fee”); plus
ii. the product of: (A) the number of eligible *** Adult Dependent Users each month; and (B) the per *** Adult Dependent User rate of $*** (the “Monthly *** Dependent Fee”); plus
iii. the product of: (A) the number of eligible *** Users each month (which is the sum of the *** Employee Users and the *** Adult Dependent Users); and (B) the per *** User per month rate of $*** (the “Monthly *** Fee”); plus
7
iv. the product of: (A) the number of eligible *** Users each month; and (B) the per *** User per month rate of $*** (the “Monthly *** Fee”); provided that following the *** Launch Date, the Monthly *** Fee during the remainder of the Initial Term shall be the product of (x) the number of eligible *** Users each month and (y) $***, commencing with the first day of the first month following the *** Launch Date.
c. Partial Months. Service Fees will not be adjusted on a pro rata basis. In the event of any partial month, such as upon termination of the Agreement, the full amount of the Service Fees will be payable for such month. If an employee or an adult dependent is a User on the eligibility file run on the 15th day of a month (the “Billing File Run”) he/she will be included in Customer’s self-billing process and will be deemed a User for the full month, even if the User was only a User for a portion of that month.
d. Calculation of Service Fee. On a set date each month, Customer will determine the number of *** Employee Users, *** Adult Dependent Users, *** Users and *** Users who meet the Eligibility Criteria, and Customer ‘will calculate the full fee payable for such *** Employee Users, *** Adult Dependent Users, *** Users and *** Users, as applicable, for such month. Customer will report results of each monthly Billing File Run and the related full fee payable to Castlight by the last day of such applicable month. Castlight may verify the amount calculated by Customer by comparing the number in the Billing File Run for the applicable month to the eligibility file run with the date closest to the Billing File Run for the applicable month. A variance of up to I% is acceptable with no risk for payment adjustments.
11. PAYMENT AND INVOICES. Customer’s payment to Castlight for the Service Fee will be due no later than thirty (30) days after the end of each month. Castlight will calculate and invoice the Customer Support Fee, if any, each month for the prior month. For all other fees (or if there are no more invoices for the Customer Support Fee), Castlight will invoice Customer and payment will be due thirty (30) days after Customer’s receipt of each invoice. If any charge owing by Customer (other than charges disputed in good faith) is 30 days or more overdue, Castlight may, without limiting its other rights and remedies, suspend the Castlight Service until such amounts are paid in full. Additionally, all amounts not paid when due will accrue interest (without the requirement of a notice) at the lower of 1.5% per month or the highest rate permissible by law until the unpaid amounts are paid in full.
12. TERM. This First Addendum shall terminate upon the termination of the MSA unless otherwise mutually agreed by the parties.
ACCEPTED AND AGREED TO FOR:
| CASTLIGHT HEALTH, INC. | ADMINISTRATIVE COMMITTEE OF THE WAL-MART STORES, INC. ASSOCIATES’ HEALTH AND WELFARE PLAN | |||||||
| By: | /s/ Randall J. Womack | By: | /s/ Illegible | |||||
| Its: | COO | Its: | Illegible | |||||
| Date: | 11/26/12 | Date: | 11/29/12 | |||||
8
HIPAA BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is by and between the Administrative Committee on behalf of the Wal-Mart Stores, Inc. Associates’ Health & Welfare Plan (“Covered Entity”) and Castlight Health, Inc. (“Business Associate”), and, except as expressly provided below, is effective as of September 11, 2012 (the “Agreement Effective Date”).
RECITALS
| A. | In accordance with a separate agreement (“Services Agreement’’) the Business Associate has agreed to perform, or assist in the performance of, functions, activities, or services on behalf of the Covered Entity involving the use or disclosure of PHI (“Services”). |
| B. | Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to this Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191 (“HIPAA”), regulations promulgated thereunder by the U.S. Department of Health and Human Services (“HIPAA Regulations”), and other applicable laws. |
| C. | The purpose of this Agreement is to satisfy certain standards and requirements of HIPAA, the Privacy Rule and the Security Rule, as defined below, including, but not limited to, Title 45, Sections 164.314(a)(2)(i), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“CFR”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) Pub. Law No. 111-5 and its implementing regulations. |
In consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows:
1. Definitions.
a. “Breach” shall mean the acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI subject to the exceptions set forth in 45 C.F.R. 164.402.
b. “De-identified PHI” shall mean PHI that has been de-identified in accordance with the standards set forth in 45 CFR § 164.514(b).
c. “Designated Record Set” shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 CFR Section 164.501.
d. “Discovery” shall mean the first day on which a Breach is known to Business Associate (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of Business Associate), or should reasonably have been known to Business Associate, to have occurred.
1
e. “Electronic Protected Health Information” or “Electronic PHI” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 CFR Section 160.103, as applied to the information that Business Associate creates, receives, maintains or transmits from or on behalf of Covered Entity.
f. “Individual” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 CFR Section 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR Section l64.502(g).
g. “PHI” shall mean Protected Health Information and Electronic Protected Health Information.
h. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Parts 160 and 162 and Part 164, Subparts A and E.
i. “Protected Health Information” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 CFR Section 160.l03, as applied to the information that Business Associate creates, receives, maintains or transmits from or on behalf of Covered Entity.
j. “Required by Law” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 CFR Section 164.103.
k. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
l. “Secured PHI” shall mean PHI which is secured through the use of a technology or methodology consistent with HIPAA and HITECH and which is not Unsecured PHI.
m. “Security Incident” shall have the meaning given to such term under the Security Rule, including, but not limited to, 45 CFR Section 164.304, but shall not include, (i) unsuccessful attempts to penetrate computer networks or servers maintained by Business Associate and (ii) immaterial incidents that occur on a routine basis, such as general “pinging” or “denial of service” attacks.
n. “Security Rule” shall mean the Security Standards at 45 CFR Parts 160 and 162 and Parts 164, Subparts A and C.
o. “Unsecured PHI” shall mean PHI that is not secured through the use of a technology or methodology consistent with HIPAA and HITECH.
p. “Users” shall mean those subcontractors, agents, or third parties of the Business Associate who or which shall, in accordance with an agreement consistent with HITECH Section 13404, use or disclose the minimum necessary PHI for the purpose of providing Services.
2
2. Uses and Disclosures of PHI.
a. Permitted Uses and Disclosures. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform the Services, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity; and (ii) use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. If Business Associate is carrying out Covered Entity’s obligations under the Privacy Rule or Security Rule pursuant to this Agreement, then Business Associate shall comply, to the extent applicable, with the requirements of the Privacy Rule and Security Rule in the performance of such obligations. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and that the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
b. Data Aggregation. To the extent permitted by Covered Entity in this Agreement, Business Associate may use De-identified PHI to provide Data Aggregation services as permitted by 45 CFR § 164.504(e)(2)(i)(B), including use of PHI for statistical compilations, reports, research and all other purposes allowed under applicable law.
c. De-identified Data. Business Associate may create De-identified PHI and may use or disclose such De-identified data for the provision and development of Business Associate’s Services on Business Associate’s password protected web based service. Business Associate shall not separately sell such de-identified data to third parties and shall not disclose such de-identified data to third parties except to users of such password protected web based service; provided, however that Business Associate may aggregate such de-identified data as permitted by the Covered Entity in this Agreement.
d. Disclosure Pursuant to Authorization. Without limiting the generality of the foregoing, Business Associate reserves the right at its sole discretion to disclose PHI in response to and in accordance with a valid written authorization executed by such individual that meets the requirements set forth in the HIPAA Privacy Rule.
3. Obligations of Business Associate.
a. Appropriate Safeguards. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI, as required by the Security Rule.
3
b. Reporting of Improper Use or Disclosure. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by the Agreement and this Agreement within five (5) days of becoming aware of such use or disclosure. Business Associate shall report to Covered Entity any Security Incident within five (5) days of becoming aware of such incident. Business Associate shall notify Covered of any Breach of Unsecured PHI as soon as practicable, and no later than thirty (30) days after discovery of such Breach. Business Associate’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 42 U.S.C. § 17932 and 45 C.F.R. § 164.404, and identify a contact person for more information when reporting.
c. Business Associate’s Agents. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides PHI, agrees to restrictions and conditions at least as restrictive as those that apply through this Agreement to Business Associate with respect to such PHl. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides PHI, agrees to implement reasonable and appropriate safeguards to protect such information. If any agents or subcontractors of the Business Associate are not subject to the jurisdiction or laws of the United States, or if any use or disclosure of PHI in performing Services will be outside of the jurisdiction of the United States, such entities must agree by written contract with the Business Associate to be subject to the jurisdiction of the Secretary, the laws and the courts of the United States, and waive any available jurisdictional defenses as they pertain to the parties’ obligations under this Agreement, the Privacy Rule or the Security Rule.
d. Access to PHI. Business Associate shall provide access, at the request of Covered Entity, within 10 business days and in the manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR Section 164.524. If the Covered Entity directs, the Business Associate shall act as the Covered Entity in complying with 45 CFR Section 164.524, including providing access and notices within 10 business days and in the manner directed under that regulation, and providing periodic notice of such access and compliance to the Covered Entity, within 10 business days and in the manner directed by it.
e. Amendment of PHI. Business Associate shall make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR Section 164.526, at the request of Covered Entity or an Individual, and within 10 business days and in the manner designated by Covered Entity. If an Individual requests an amendment of PHI directly from Business Associate or its agents or subcontractors, Business Associate must notify Covered Entity in writing within five (5) business days of receiving such request. Any denial of amendment of PHI maintained by Business Associate or its agents or subcontractors shall be the responsibility of Covered Entity, unless the Covered Entity directs the Business Associate to act on its behalf in the manner required under 45 CFR Section 164.526.
f. Documentation of Disclosures. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI
4
in accordance with 45 CFR Section 164.528. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure.
g. Accounting of Disclosures. Business Associate agrees to provide to Covered Entity or an Individual, within 10 business days and in the manner designated by Covered Entity, information collected in accordance with Section 3(f) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528. In the event that the request for an accounting is delivered directly to Business Associate or its agents or subcontractors, Business Associate shall, as directed by Covered Entity, prepare and deliver such accounting directly to the Individual in accordance with 45 CFR Section 164.528, and shall notify Covered Entity of such response. In the absence of direction from Covered Entity, Business Associate shall forward such request for an accounting to Covered Entity in writing within five (5) business days of receipt of such request. It shall be Covered Entity’s responsibility to prepare and deliver any such accounting requested.
h. Retention of PHI. Notwithstanding Section 4(c) of this Agreement, Business Associate shall only retain PHI throughout the term of the Services Agreement as necessary to perform the Services and upon termination or expiration of this Agreement all PHI shall be returned to the Covered Entity or destroyed in accordance with section 4.c of this Agreement.
i. Governmental Access to Records. Business Associate shall make its internal practices, books and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the Security Rule.
j. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
k. Minimum Necessary. Business Associate (or its agents or subcontractors) shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
l. Electronic Transmission Standards. Business Associate agrees to comply with all applicable electronic transactions and code sets standards under HIPAA no later than October 16, 2003.
4. Term and Termination.
a. Term. The term of this Agreement shall commence as of the Agreement Effective Date, and shall terminate when all of the PHI provided by Covered Entity to Business
5
Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
b. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate of this Agreement, Business Associate agrees that Covered Entity may provide a 30 day opportunity for Business Associate to cure the breach or end the violation, or if cure is not possible then terminate this Agreement and, if necessary and appropriate, the Services Agreement.
c. Effect of Termination. Except as provided in paragraph (ii) of this Section 4(c) and except as to PHI that has been de-identified in accordance with the standards set forth in 45 C.F.R. § 164.514(b), upon termination of this Agreement for any reason, as directed by Covered Entity, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, and shall retain no copies of the PHI. This provision shall apply to PHI that is in the possession of Users.
In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is infeasible Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. The parties agree and acknowledge that it will be infeasible for Business Associate to return or destroy PHI: (i) related to a user of Business Associate’s service that has requested Business Associate retain information related to such user; and (ii) PHI stored on encrypted back-up tapes that are stored in a secure location.
5. Regulatory References. A reference in this Agreement to a section in the Privacy Rule or the Security Rule means the section as in effect or as amended, and for which compliance is required.
6. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule, the Security Rule and HIPAA.
7. Survival. The respective rights and obligations of Business Associate under Section 4(c) of this Agreement shall survive the termination of this Agreement and the Services Agreement.
8. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
9. Effect on Services Agreement. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of the Services Agreement shall remain in full force and effect.
6
10. Indemnification. In addition to, and not in limitation of, any indemnification rights of Covered Entity in the Services Agreement, Business Associate shall defend, indemnify and hold harmless the Covered Entity, the plan administrator and the plan sponsor, and their respective officers, directors, employees or agents, for any and all liabilities, damages, claims and expenses, including penalties and reasonable attorneys’ fees, incurred as a result of Business Associate’s material violation of the Privacy Rule, the Security Rule or this Agreement.
11. Right to Audit. During the term of this Agreement, no more than once in each 12 month period, Covered Entity may inspect and audit its records in Business Associate’s or Users’ custody at reasonable times during normal business hours and upon reasonable advance notice to Business Associate.
12. Interpretation. Any ambiguity or inconsistency in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule, the Security Rule, and HITECH.
IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement as of the Agreement Effective Date.
7
| COVERED ENTITY | BUSINESS ASSOCIATES | |||||||
| Wal-Mart Stores, Inc. Associates’ Health & Welfare Plan | Castlight Health, Inc. | |||||||
| By: | /s/ Lisa Woods | By: | /s/ Charles Ott | |||||
| Print Name: | Lisa Woods | Print Name: | Charles Ott | |||||
| Title: | SR. Director of U.S. Healthcare | Title: | Corporate Counsel | |||||
| Date: | 9-20-2012 | Date: | September 11, 2012 | |||||
8
