HIPAA Compliance

This Agreement is made by and between YOU, hereinafter referred to as

"Covered Entity", and CHILDBE LLC, hereinafter referred to as "Business Associate",

(individually, a "Party" and collectively, the "Parties").

WITNESSETH:

WHEREAS, pursuant to Sections 261 through 264 of the federal Health Insurance

Portability and Accountability Act of 1996 ("HIPAA"), the Secretary of Health and

Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the "HIPAA

Security and Privacy Rule"); and

WHEREAS, the American Recovery and Reinvestment Act of 2009, pursuant to

Title XIII of Division A and Title IV of Division B, called the "Health Information

Technology for Economic and Clinical Health" ("HITECH") Act, provides modifications

to the HIPAA Security and Privacy Rule (hereinafter, all references to the "HIPAA

Security and Privacy Rule" are deemed to include all amendments to such rule contained

in the HITECH Act and any accompanying regulations, and any other subsequently

adopted amendments or regulations); and

WHEREAS, the Parties wish to enter into an arrangement whereby Business

Associate will provide certain services in connection with Covered Entity, and, pursuant

to such arrangement, Business Associate may be considered a "business associate" of

Covered Entity as defined in the HIPAA Security and Privacy Rule; and

WHEREAS, Business Associate may have access to Protected Health Information

(as defined below) in fulfilling its responsibilities under such arrangement;

THEREFORE, in consideration of each Party's continuing obligations to the other

Party and obligations of each Party to an applicable individual, compliance with the

HIPAA Security and Privacy Rule, and for other good and valuable consideration, the

receipt and sufficiency of which is hereby acknowledged, and intending to be legally

bound, the Parties agree to the provisions of this Agreement in order to address the

requirements of the HIPAA Security and Privacy Rule and to protect the interests of both

Parties.

DEFINITIONS

Except as otherwise defined herein, any and all capitalized terms in this Section shall

have the definitions set forth in the HIPAA Security and Privacy Rule. In the event of an

inconsistency between the provisions of this Agreement and mandatory provisions of the

HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule

shall control. Where provisions of this Agreement are different than those mandated in

the HIPAA Security and Privacy Rule, but are nonetheless permitted by the HIPAA

Security and Privacy Rule, the provisions of this Agreement shall control.

The term "Protected Health Information" means individually identifiable health

information including, without limitation, all information, data, documentation, and

materials, including without limitation, demographic, medical and financial information,

that relates to the past, present, or future physical or mental health or condition of an

individual; the provision of health care to an individual; and that identifies the individual

or with respect to which there is a reasonable basis to believe the information can be used

to identify the individual. "Protected Health Information" includes without limitation

"Electronic Protected Health Information" as defined below.

The term "Electronic Protected Health Information" means Protected Health Information

that is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy

Rule) or maintained in Electronic Media.

Business Associate acknowledges and agrees that all Protected Health Information that is

created or received by Covered Entity and disclosed or made available in any form,

including paper record, oral communication, audio recording, and electronic display by

Covered Entity or its operating units to Business Associate or is created or received by

Business Associate on Covered Entity's behalf shall be subject to this Agreement.

CONFIDENTIALITY AND SECURITY REQUIREMENTS

Business Associate agrees:

(1) to use or disclose any Protected Health Information solely: (a) for meeting

its obligations as set forth in any agreements between the Parties evidencing or related to

their business relationship or any agreements, authorizations or consents to use or

disclose Protected Health Information, or (b) as required by applicable law, rule or

regulation, or by accrediting or credentialing organization to whom Covered Entity is

required to disclose such information or as otherwise permitted under any agreements,

authorizations or consents to use or disclose Protected Health Information, or the HIPAA

Security and Privacy Rule, and (c) as would be permitted by the HIPAA Security and

Privacy Rule if such use or disclosure were made by Covered Entity. All such uses and

disclosures shall be subject to the limits set forth in the HIPAA Security and Privacy Rule

regarding limited data sets and the minimum necessary requirements;

(2) at termination of this Agreement, any agreement or documentation related

to a contractual or business relationship of the Parties, Business Associate will return or

destroy all Protected Health Information received from or created or received by Business

Associate on behalf of Covered Entity that Business Associate still maintains in any form

and retain no copies of such information, or if such return or destruction is not feasible in

the sole discretion of Business Associate, Business Associate will extend the protections

of this Agreement to the information and limit further uses and disclosures to those

purposes that make the return or destruction of the information not feasible;

(3) to ensure that its agents, including a subcontractor, to whom it provides

Protected Health Information received from or created by Business Associate on behalf

of Covered Entity, agrees to the same restrictions and conditions that apply to Business

Associate with respect to such information, and agrees to implement reasonable and

appropriate safeguards to protect any such information that is Electronic Protected Health

Information. In addition, Business Associate agrees to take reasonable steps to ensure

that its employees' actions or omissions do not cause Business Associate to breach the

terms of this Agreement;

(4) Business Associate shall, following the discovery of a breach of unsecured

Protected Health Information, as defined in the HITECH Act or accompanying

regulations, notify the Covered Entity of such breach pursuant to the terms of the HIPAA

Security and Privacy Rule and cooperate in the Covered Entity's breach analysis

procedures, including risk assessment, if requested. A breach shall be treated as

discovered by Business Associate as of the first day on which such breach is known to

Business Associate or, by exercising reasonable diligence, would have been known to

Business Associate. Business Associate will provide such notification to Covered Entity

without unreasonable delay and in no event later than 60 calendar days after discovery of

the breach. Such notification will contain the elements required in the HIPAA Security

and Privacy Rule; and

(5) Business Associate will, pursuant to the HITECH Act and its

implementing regulations, comply with all additional applicable requirements of the

Privacy Rule, including those contained in the HIPAA Security and Privacy Rule, at such

time as the requirements are applicable to Business Associate. Business Associate will

not directly or indirectly receive remuneration in exchange for any Protected Health

Information, subject to the exceptions contained in the HITECH Act, without a valid

consent or authorization from the applicable individual. Business Associate will not

engage in any communication that might be deemed to be "marketing" under the

HITECH Act. In addition, Business Associate will, pursuant to the HITECH Act and its

implementing regulations, comply with all applicable requirements of the HIPAA

Security and Privacy Rule, at such time as the requirements are applicable to Business

Associate.

B. Notwithstanding the prohibitions set forth in this Agreement, Business Associate

may use and disclose Protected Health Information as follows:

1. if necessary, for the proper management and administration of Business

Associate or to carry out the legal responsibilities of Business Associate, provided that as

to any such disclosure, the following requirements are met: (a) the disclosure is required

by law; (b) the disclosure is pursuant to a valid consent or authorization from the

applicable individual; or (c) Business Associate obtains reasonable assurances from the

person to whom the information is disclosed that it will be held confidentially and used or

further disclosed only as required by law or for the purpose for which it was disclosed to

the person, and the person notifies Business Associate of any instances of which it is

aware in which the confidentiality of the information has been breached;

2. for data aggregation services, if: (a) to be provided by Business Associate

for the health care operations of Covered Entity pursuant to any agreements between the

Parties evidencing their business relationship; or (b) to be provided by Business

Associate to or for the benefit of an applicable individual. For purposes of this

Agreement, data aggregation services means the combining of Protected Health

Information by Business Associate with the Protected Health Information received by

Business Associate in its capacity as a business associate of another Covered Entity, to

permit data analyses that relate to the health care operations of the respective covered

entities.

Business Associate will implement appropriate safeguards to prevent use or

disclosure of Protected Health Information other than as permitted in this Agreement.

Business Associate will implement administrative, physical, and technical safeguards that

reasonably and appropriately protect the confidentiality, integrity, and availability of any

Electronic Protected Health Information that it creates, receives, maintains, or transmits

on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.

The Secretary of Health and Human Services shall have the right to audit

Business Associate's records and practices related to use and disclosure of Protected

Health Information to ensure Covered Entity's compliance with the terms of the HIPAA

Security and Privacy Rule.

Business Associate shall report to Covered Entity any use or disclosure of

Protected Health Information that is not in compliance with the terms of this Agreement

of which it becomes aware. Business Associate shall report to Covered Entity any

Security Incident of which it becomes aware. For purposes of this Agreement, "Security

Incident" means the attempted or successful unauthorized access, use, disclosure,

modification, or destruction of information or interference with system operations in an

information system.

AVAILABILITY OF Protected Health Information

Business Associate agrees to comply with any requests for restrictions on certain

disclosures of Protected Health Information pursuant to the HIPAA Security and Privacy

Rule to which Covered Entity has agreed and of which Business Associate is notified by

Covered Entity. Business Associate agrees to make available Protected Health

Information to the extent and in the manner required by the HIPAA Security and Privacy

Rule. If Business Associate maintains Protected Health Information electronically, it

agrees to make such Protected Health Information electronically available to the

applicable individual. Business Associate agrees to make Protected Health Information

available for amendment and incorporate any amendments to Protected Health

Information in accordance with the requirements of the HIPAA Security and Privacy

Rule. In addition, Business Associate agrees to make Protected Health Information

available for purposes of accounting of disclosures, as required by the HIPAA Security

and Privacy Rule and the HITECH Act. Business Associate and Covered Entity shall

cooperate in providing any accounting required on a timely basis.

TERMINATION

Notwithstanding anything in this Agreement to the contrary, Covered Entity shall have

the right to terminate this Agreement immediately if Covered Entity determines that

Business Associate has violated any material term of this Agreement, which shall result

in termination of any other agreement between Covered Entity and Business Associate.

If Covered Entity reasonably believes that Business Associate will violate a material term

of this Agreement and, where practicable, Covered Entity gives written notice to

Business Associate of such belief within a reasonable time after forming such belief, and

Business Associate fails to provide adequate written assurances to Covered Entity that it

will not breach the cited term of this Agreement within a reasonable period of time given

the specific circumstances, but in any event, before the threatened breach is to occur, then

Covered Entity shall have the right to terminate this Agreement immediately.

MISCELLANEOUS

Except as expressly stated herein or the HIPAA Security and Privacy Rule, the Parties to

this Agreement do not intend to create any rights in any third parties. The obligations of

Business Associate under this Section shall survive the expiration, termination, or

cancellation of this Agreement and/or the business relationship of the Parties, and shall

continue to bind Business Associate, its agents, employees, contractors, successors, and

assigns as set forth herein.

This Agreement may be amended or modified only in a writing signed by the Parties. No

Party may assign its respective rights and obligations under this Agreement without the

prior written consent of the other Party. None of the provisions of this Agreement are

intended to create, nor will they be deemed to create any relationship between the Parties

other than that of independent parties contracting with each other solely for the purposes

of effecting the provisions of this Agreement and any other agreements between the

Parties evidencing their business relationship. This Agreement will be governed by the

laws of the State of Washington. No change, waiver or discharge of any liability or

obligation hereunder on any one or more occasions shall be deemed a waiver of

performance of any continuing or other obligation, or shall prohibit enforcement of any

obligation, on any other occasion.

The Parties agree that, in the event that any documentation of the arrangement pursuant

to which Business Associate provides services to Covered Entity contains provisions

relating to the use or disclosure of Protected Health Information that are more restrictive

than the provisions of this Agreement, the provisions of the more restrictive

documentation will control. The provisions of this Agreement are intended to establish

the minimum requirements regarding Business Associate's use and disclosure of

Protected Health Information.

In the event that any provision of this Agreement is held by a court of competent

jurisdiction to be invalid or unenforceable, the remainder of the provisions of this

Agreement will remain in full force and effect. In addition, in the event a Party believes

in good faith that any provision of this Agreement fails to comply with the then-current

requirements of the HIPAA Security and Privacy Rule, including any then-current

requirements of the HITECH Act or its regulations, such Party shall notify the other Party

in writing. For a period of up to thirty days, the Parties shall address in good faith such

concern and amend the terms of this Agreement, if necessary to bring it into compliance.

If, after such thirty-day period, the Agreement fails to comply with the HIPAA Security

and Privacy Rule, including the HITECH Act, then either Party has the right to terminate

upon written notice to the other Party.

IN WITNESS WHEREOF, the Parties have agreed to the terms of this

Agreement.