Privacy Policy for CoreAdmin, Core Documents, Inc.

Privacy Policy — General

CoreAdmin and Core Documents, Inc., realize the value of the privacy of your personal information. This Privacy Policy is intended to provide you with information about our privacy practices. This Privacy Policy applies to all ways you might access our web site and services: website, mobile app, or other online access that links or refers to it. It does not govern or apply to information gathered by through other means.

Information we share

We do not share personal information with companies, organizations, and individuals outside of CoreAdmin, Core Documents, Inc., or your Employer unless one of the following circumstances applies:

Upon your request:

We will share personal information with companies, organizations or individuals outside of CoreAdmin, Core Documents, Inc., or your Employer only when you request that we do so.

For legal reasons:

We will share personal information with companies, organizations or individuals outside of CoreAdmin, Core Documents, Inc., or your Employer if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

• Meet any applicable law, regulation, legal process or enforceable governmental

   request.

• Enforce applicable Terms of Service, including investigation of potential violations.

• Detect, prevent, or otherwise address fraud, security or technical issues.

• Protect against harm to the rights, property or safety of Core Documents, CoreAdmin,

   our users or the public as required or permitted by law.

Information we may share

We may share non-personally identifiable information publicly and with potential clients, advertisers, or connected sites. For example, we may share information publicly to show trends about the general use of our services.

If CoreAdmin or Core Documents, Inc. is involved in a merger, acquisition or asset sale, we will continue to ensure the confidentiality of any personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.

Security of Information

We work hard to protect CoreAdmin and our users from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold.

We restrict access to personal information to CoreAdmin employees, contractors, and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

Privacy Policy — HIPAA

CoreAdmin and Core Documents, Inc., hereinafter “CORE,” adhere to the following online Privacy Policy in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPPA) in regards to personal health information (PHI).

Definitions

Capitalized terms used in this Section (but not otherwise defined in this Policy) shall have the same meaning as defined in 45 C.F.R. §§ 160.103, 164.103, 164.304, and 164.501.

Business Associate

CORE recognizes that it is considered a “Business Associate” with regard to Employer’s Health FSA for purposes of the privacy and security rules under HIPAA.

General Responsibilities

Upon the relevant HIPAA applicability dates with regard to Employer’s tax-free benefit(s), the following provisions will apply:

(a) General Responsibilities as a “Business Associate.”

1.  CORE agrees not to use or further disclose PHI other than as permitted or required by this Agreement or as required by law.

2. CORE agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.

3. CORE agrees to mitigate, to the extent practicable, any harmful effect that is known to CORE of a use or disclosure of PHI by CORE in violation of the terms of this Agreement.

4. CORE agrees to report to Employer any use or disclosure of PHI not provided for by this Agreement.

5. CORE agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by CORE on behalf of Employer agrees to the same restrictions and conditions that apply throughout this Agreement to CORE with respect to such information.

6. CORE agrees to provide access, at the request of Employer, and in the time and manner designated by Employer, to PHI in a Designated Record Set, to Employer or, as directed by Employer, to an Individual in order to meet the requirements of 45 C.F.R. § 164.524.

7. CORE agrees to make any amendment(s) to PHI in a Designated Record Set that Employer directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Employer or an Individual, and in the time and manner designated by Employer.

8. CORE agrees to make internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by CORE on behalf of Employer available to Employer, or at the request of Employer, to the Secretary, in the time and manner designated by Employer or the Secretary, for purposes of the Secretary determining Employer’s compliance with the privacy rule.

9. CORE agrees to document such disclosures of PHI and information related to such disclosures as would be required for Employer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

10. CORE agrees to provide to Employer or an Individual, in the time and manner designated by Employer, information collected in accordance with Section 3.11(a)(9) to permit Employer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

11. In the event that CORE conducts Standard Transactions with or on behalf of the Health FSA, CORE will comply with the requirements in 45 C.F.R Part 162. CORE will require any subcontractor or agent involved with the conduct of such Standard Transactions to comply with each applicable requirement of 45 C.F.R. Part 162.

12. CORE agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that CORE creates, receives, maintains, or transmits on behalf the Employer.

13. CORE agrees to ensure that any agent, including a subcontractor, to whom it provides electronic PHI created, received, maintained, or transmitted on behalf of the Employer agrees to implement reasonable and appropriate safeguards to protect such electronic PHI.

14. CORE agrees to report to Employer the aggregate number of unsuccessful, unauthorized attempts to access, use, disclose, modify, or destroy electronic PHI or to interfere with system operations in an information system containing electronic PHI, including pings. Such reports will be provided upon request to Employer. CORE will report to Employer (if requested) any successful unauthorized access, use, disclosure, modification, or destruction of electronic PHI or any successful interference with system operations in an information system containing electronic PHI, in writing, as soon as feasible once requested by Employer.

(b) Permitted Uses and Disclosures by CORE.

CORE may use and disclose any PHI on behalf of, or to provide services to Employer, as specified in their Agreement; for the proper management and administration of CORE; to carry out the legal responsibilities of CORE; and to provide data aggregation services to Employer. Notwithstanding the foregoing, such use and disclosure of PHI may not violate the privacy rule.

In addition, at termination of the Agreement with your Employer, CORE agrees to return or destroy all PHI received by CORE under this Agreement or, to the extent that it is not feasible, to continue to limit the further uses and disclosures of that information as provided by Section 3.11 of the Agreement between CORE and your Employer.

Contact Information:

We welcome feedback if you have any questions regarding our Privacy Policy or the use of your information. For additional information about our Privacy Policy, please contact us at CoreService@coredocuments.com.