FOLLOWING IS THE CURRENT FORM OF OPERATING AND PRIVACY REQUIREMENTS REQUIRED AS PART OF THE CONTRACT TO OPERATE A SOLUTION WITH THE HEALTHVAULT PLATFORM. NOTE: THESE REQUIREMENTS ARE SUBJECT TO CHANGE BY MICROSOFT AT ANY TIME.

OPERATING REQUIREMENTS

Company Solutions must satisfy the following minimum requirements:

- Support for Company Solutions. Company Technical Contact will coordinate technical issues and resolution of any problems related to Company Solutions.
- HealthVault Technology Requirements.
- Company Solutions must securely interoperate with HealthVault Technology and comply with all requirements in HealthVault Technology documentation. All Company Solutions services and components that access HealthVault or utilize HealthVault Technology must invoke only those features and functions supported by HealthVault Technology.
- Company Solutions must not modify the standard HealthVault links to launch into the Company Solutions. Company Solutions must always obtain affirmative End-User approval prior to modifying any configuration, application, service, End-User data, or other information stored on End-User’s hardware. Company Solutions must contain clear and conspicuous branding, logos, and other indicators so End-Users are aware of when they are accessing features and functions made available in Company Solutions.
- End-User Support. Company must provide direct End-User support for Company Solutions, including any services. Company must provide support under terms at least as favorable to the End-User as the terms used by Company to support other online or computer system products and services. At a minimum, Company will provide commercially reasonable e-mail support.
- Security Vulnerabilities. Each Party will notify the other Party if it identifies security vulnerabilities related to Company Solutions, categorized as:
| Severity Rating | Description |
| --- | --- |
| Critical/Important | A vulnerability where exploitation could (a) allow the self-propagation of an Internet worm, virus, or similar security threat without End-User action; or (b) result in compromise of the confidentiality, integrity, or availability of End-User Data or the integrity or availability of processing resources. |
| Moderate/Low | A vulnerability where exploitation is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation. |
- Company must acknowledge receipt of Microsoft’s notice of (a) critical/important vulnerability within 4 hours and (b) moderate/low vulnerability, within 24 hours of the time of Microsoft’s notice by sending an e-mail message to hsgse@microsoft.com (or any successor e-mail alias that Microsoft provides).
- Company must address vulnerabilities as follows:
- For security vulnerabilities with a Critical/Important Severity Rating, Company must work with Microsoft to resolve the security vulnerability immediately. Company may elect to (a) suspend, remove, or disable the features or functions involved, in whole or in part; (b) patch, correct, or fix the vulnerability; or (c) take any other action that it believes will prevent the exploitation of such vulnerability in a commercially reasonable way.
- For vulnerabilities with a Moderate/Low Severity Rating, Company will send Microsoft within 72 hours of the initial notice a plan to resolve the security vulnerability and, unless otherwise mutually agreed, resolve the vulnerability within 7 days of the initial notice.
- Microsoft may suspend connectivity or remove the Company Solutions until the vulnerability is resolved to Microsoft’s satisfaction.
- Security Program. Company must implement and maintain an information security program reasonably designed to maintain the security, integrity, and availability of End-User Data, and which meets a widely recognized U.S. or international security standard.
- Geographic Restrictions. Company may not store End-User Data outside the U.S. Company acknowledges that HealthVault Accounts are currently offered only to U.S. End-Users.
- Usability. Company Solutions must provide commercially reasonable End-User experience, including usability, performance, and availability.
- Branding. Company will use the appropriate Microsoft Marks in accordance with the user interface and branding guidelines Microsoft provides, to promote HealthVault compatibility and indicate HealthVault functionality in Company Solutions. Company Solutions must be designed in accordance with HealthVault user interface guidelines. Neither party may use the other Party’s Marks in a way that:
- may cause confusion about whether the products or services are products or services of the other Party;
- may cause confusion about ownership of the Marks;
- alters, animates, or distorts the Marks or combines them with any other symbols, words, images or designs; or
- on or in connection with related products, premiums, or promotional items, whether sold or given away to promote the sale of the Company's Solutions without prior written consent.
- Installation. Company Solutions must not, automatically or otherwise, install any software on an End-User’s hardware without the End-User’s prior affirmative consent. No icons for any software, such as a systray application or a background process, shall be installed and/or displayed in the Company Solutions if such icons subvert the End-User’s selection of an active service or if such icons subvert any of the End-User’s choice options exposed by Windows (e.g., file extension ownership).
PRIVACY REQUIREMENTS

If the Company receives any End-User Data, Company shall comply with the following provisions:

- Accountability. Company must maintain and comply with a privacy statement at least as protective of the security, confidentiality, integrity, and accuracy of End-User Data as the HealthVault Privacy Statement, and which must comply with all legal requirements applicable to Company’s collection of personal health data from its End-Users. If Company uses sub-contractors or vendors, they must agree in writing (i) to comply with the same policies and procedures as disclosed in Company’s privacy statement, including (ii) that they cannot transfer End-User Data to other third parties without the End-User’s explicit opt-in consent. Company will maintain and implement reasonable and appropriate technical, administrative, organizational, and physical security practices to protect all End-User Data.
- Notice. Company will present its privacy statement and terms of use in an accessible and prominent manner upon the End-User’s initial use, each subsequent use, and on each Web page of Company Solution. Any new or revised privacy statements or terms of use must be presented to the End-User prior to installation or use of a Company Solution (or update/upgraded Solutions) under the new terms. Company must submit its privacy statement and terms of use (and any revisions or updates) to Microsoft, which Microsoft may publish/post on HealthVault. Receipt or publishing does not constitute Microsoft approval of Company’s privacy statement or terms. Microsoft reserves the right to advise End-Users about privacy or use terms. Company will inform the End-User of the origin of all information it transfers into HealthVault.
- Consent; Information Use and Retention.
- Company must obtain explicit opt-in End-User consent through then-existing HealthVault mechanisms prior to accessing any End-User Data and will provide Microsoft an explanation of its intended use of each type of End-User Data it requests access to. Company will not disclose End-User Data to a third party without first obtaining explicit opt-in consent from the End-User with respect to the specific third party. Company will provide the End-User the ability to access and/or update any End-User Data that is extracted from HealthVault. Microsoft reserves the right to display to the End-User the types of data that Company asserts are required to use the Company Solutions, and the right to programmatically allow Company access to only those types of End-User Data. Company will maintain End-User Data only for purposes the End-User has consented to. Company must not attempt to identify de-identified End-User Data (by, for example and without limitation, combining it with other databases of information), and must prohibit any third parties who receive de-identified End User Data from doing so. Except for data retention required by law, if Company retains End-User Data beyond an active session, the End-User must always have the ability to delete the information.
- If Company provides healthcare-related services that are regulated under state or federal law, Company acknowledges and agrees that (i) Microsoft is not a business associate for purposes of the U.S. Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (HIPAA), (ii) Microsoft does not act as Company’s agent, (iii) Company will not use data located in a HealthVault Account as the basis for any decisions about individuals, but will make such decisions only using a copy of End-User Data received and copied into Company’s own system, and (iv) Company is responsible for determining the form of and obtaining consent and/or authorization, if any, required by HIPAA, state, or other laws or regulations prior to transmitting any End-User Data to HealthVault.
- Breach. Company will immediately inform Microsoft in writing of any material data breach involving End-User Data.
- Explicit opt-in consent means, for the purpose of this Exhibit C, that the End-User must take an explicit action to indicate its consent before data is accessed.
February 27, 2008