MASTER SERVICES AGREEMENT

THIS MASTER SERVICES AGREEMENT (“MSA”) applies where incorporated by any Order Form (as defined below) between Kuzushi Inc., dba Zingage, with its principal place of business at 441 Broadway, Unit 3, New York NY 10015 (“Zingage”), and the entity executing the Order Form (“Customer”). Customer and Zingage are each a “party” and collectively the “parties.” This MSA and the parties’ Order Form(s) collectively form the “Agreement.”

RECITALS

Customer is in the business of providing, administering, or supporting the provision of healthcare;

Zingage provides operations and incentives platforms and related services to help customers streamline operations and reward performance;

Customer desires the right to use certain Zingage Services (defined below) from time-to-time; and Zingage offers its Services to Customer on the terms and conditions set forth herein.

NOW, THEREFORE, in consideration of the mutual promises contained herein and for other good and valuable consideration, the receipt of which is hereby acknowledged, the parties agree as follows:

1. GENERAL

   
   

   1. Ordering Services. The Agreement governs Zingage’s provision, and Customer’s access and use, of the software solution(s) and any supplemental services (“Services”) described in an executed pilot order, order form, statement of work, or other ordering document (each, an “Order Form”) incorporating this MSA.

      
      

   2. Supplemental Terms; Precedence.

      
      

      1. Unless otherwise specified by an Order Form, Zingage’s Business Associate Agreement (“BAA”) will apply to Zingage’s creation, use and disclosure of any PHI (as defined in the BAA) among Customer Data (as defined and more particularly described in Section 5).

         
         

      2. Any other documents or attachments expressly incorporated by an Order Form (“Addenda”) apply this Agreement for purposes of the Services procured under that Order Form.

         
         

      3. Except as expressly modified by an Order Form (and solely with respect to its Services), the following order of precedence applies to any conflict among the documents comprising the Agreement: (1) BAA, (2) Order Form, (3) MSA, (4) Addenda. For example, the BAA would control in any conflict.

         
         

2. RIGHTS GRANTED

   
   

   1. Access and Use Rights. Zingage hereby grants to Customer a limited, non-exclusive right to access and use the Services during the Term solely for its internal business purposes and in accordance with this Agreement and the Documentation. Customer may allow its employees, agents and contractors to access and use the Services in connection with their relationship to Customer (“Authorized Users”), subject to any limitations described in an Order Form. Customer is responsible and liable for the acts and omissions of each Authorized User irrespective of whether attributable, legally or otherwise, to Customer.

      
      

   2. Limitations on Use. Except as otherwise provided in the Agreement, neither Customer nor any Authorized User may:

      
      

      1. Reverse engineer, disassemble, decompile, or otherwise attempt to ascertain, derive, and/or appropriate for any reason or purpose:

         1. the source code for the Services or other software provided or made available for use and/or access under this Agreement; and/or

            
            

         2. any algorithm, process, procedure or trade secret information reflected by or contained in the Services, the Documentation, or any other software or materials provided by Zingage.

            
            

      2. Redistribute, encumber, sell, rent, lease or sublicense access to or use of the Services.

         
         

      3. Alter or destroy any proprietary markings, legal notices or source identifiers displayed or incorporated by the Services, the Documentation or any other Zingage software or materials.

         
         

   3. Documentation. Zingage will make available documentation describing the functional and operational characteristics, specifications, and capabilities of the Services and may provide user manuals, online help functions and user instructions regarding the operation, installation or maintenance of the Services (“Documentation”). Customer may access and use the Documentation during the Term for the sole purpose of facilitating use of the Services, in accordance with this Agreement or any applicable Order Form. Zingage will update the Documentation during the Term, including as the Services change.

      
      

   4. Intellectual Property. The Services are proprietary to Zingage. As between Customer and Zingage, all right, title, and interest in and to the Services, Custom Developments, Documentation, and any other Zingage materials provided or made available under this Agreement are and shall remain the property of Zingage and may be used by Customer only as expressly permitted by this Agreement. Zingage retains all right, title and interest in any materials, results, methods, improvements or insights relating to the Services, including any feedback provided by Customer.

      
      

   5. Third-Party Services. Customer can connect the Services to third-party software, databases and resources (“Outside Systems”), such as electronic health or medical record services (e.g., an ‘EMR’). By connecting an Outside System, Customer represents and warrants that it is authorized to connect the Outside System to the Services and will abide by any legal terms applicable to the Outside System. Zingage does not and cannot control Outside Systems. Zingage has no responsibility or liability for the provision or operation of Outside Systems, and the availability, interoperability, adequacy, integrity, quality or failure of Outside Systems will not affect either party’s obligations under this Agreement.

      
      

3. PROVISON & IMPLEMENTATION OF SERVICES

   
   

   1. Implementation. Zingage will use commercially reasonable efforts to support Customer’s efforts to implement the Services in accordance with any implementation specifics set forth in any Order Form (“Implementation”). Except as specified in an Order Form, neither party’s obligations under this Agreement are conditioned upon, nor affected by, a party’s implementation efforts or failure to implement the Services.

      
      

      1. Personnel. Zingage will designate a Zingage project manager (the “Zingage PM”) who will act as a liaison between Zingage and Customer for all matters related to this Agreement. Customer will provide a project manager (the “Customer PM”) who will act as a liaison between Zingage and Customer. The Zingage PM, Customer PM, and any other appropriate individuals will meet to discuss Implementation status on a recurring basis or as specified in the Order Form or mutually agreed.

         
         

      2. Change Order Procedure. If Customer requests a post-Implementation customization or change to the Services (a “Change Request”), the Zingage PM and Customer PM will follow the change management process set forth herein. Zingage will, within thirty (30) business days of its receipt of a Change Request, provide Customer with a proposed change order setting forth: (i) the modifications that will be required as a result of the Change Request, (ii) the effect of the Change Request on existing Implementation efforts, including the time to complete the Change Request, (iii) the total cost of the Change Request, and (iv) and any other delays or impacts resulting from such Change Request (the “Change Request Form”). Zingage will obtain the written approval of the Customer PM of such Change Request Form prior to proceeding with the Change Request.

   2. Provision of Services.

      
      

      1. Updates; Security Patches. During the Term, Zingage will install security patches, routine fixes, and other standard updates to maintain the functionality, performance, and security of the Services (“Updates”).

         
         

      2. Technical Requirements. Except as otherwise specified by an Order Form, Customer will provide all equipment and network support necessary to enable Authorized Users to access the Services.

         
         

4. FEES AND PAYMENT

   
   

   1. Fees. Customer will pay Zingage the fees and expenses specified in the Order Form (“Fees”).

      
      

   2. Payment. Zingage will invoice Customer for Fees on the cadence specified by the Order Form upon execution. Customer will pay all undisputed invoice amounts within thirty (30) days of submission to Customer’s billing email or system, unless otherwise specified in the Order Form. The parties will use good-faith efforts to resolve any disputed Fees for at least thirty (30) days prior to initiating any formal dispute resolution under Section 11 (DISPUTE RESOLUTION).

      
      

      1. Undisputed overdue amounts shall be subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum rate permitted by law, whichever is lower. Customer shall also be responsible for all expenses of collection due on any balance due, including, but not limited to, Zingage’s reasonable attorneys’ fees and expenses.

         
         

      2. In the event Customer fails to remit any undisputed overdue amounts within ten (10) days of Zingage’s written notice of Customer’s delinquency, Zingage may, in addition to any other remedy available hereunder, immediately terminate and/or suspend each or all of the following: (i) Customer access to the Services; (ii) the Agreement; and (iii) any applicable Order Form. No such termination and/or suspension waives any right to collect unpaid amounts. Customer does not have the right to set off any amounts under this Agreement.

         
         

   3. Taxes. Customer will be responsible for any sales, use, property, gross receipts, or similar taxes levied against any party to this Agreement resulting from its receipt of the Services (except the income taxes of Zingage).

      
      

5. CONFIDENTIAL INFORMATION

   
   

   1. Definitions. In performing this Agreement, each party may receive, acquire or be exposed to confidential information (“Receiving Party”) about the other party (“Disclosing Party”).

      
      

      1. “Confidential Information” means any valuable or proprietary information not generally known to the public, including information: (a) concerning the other party’s business affairs, property and operations; (b) know how, processes, trade secrets, manuals, reports, financial and operational information, code, data structures, software architecture, Personal Information, PHI and any other health and care records; and (c) information marked as “confidential,” “proprietary,” or with a similar designation.

         
         

      2. Confidential Information excludes information that is: (i) publicly available or later becomes publicly available other than through a breach of this Agreement; (ii) known to the Receiving Party or its employees or agents prior to disclosure by the Disclosing Party; (iii) independently developed by the Receiving Party or its employees or agents subsequent to such disclosure; or (iv) lawfully obtained from a third party under no duty or obligation of confidentiality.

         
         

   2. Obligations. A Receiving Party must (i) protect Disclosing Party Confidential Information using the same degree of care it applies to its own Confidential Information, but in no event less than a reasonable degree of care; (ii) not use the Disclosing Party’s Confidential Information except as specifically permitted hereunder; and (iii) except as permitted by Section 5.3, not disclose, distribute, publish or knowingly allow any third party to access to any Confidential Information of the Disclosing Party without the Disclosing Party’s prior written consent.

   3. Permitted Disclosures.

      
      

      1. The Receiving Party may disclose Confidential Information to any employee, agent or subcontractor who has a need to know the Confidential Information in connection with the Receiving Party’s performance of this Agreement, provided that the recipient is bound by confidentiality obligations commensurate with those imposed on the Receiving Party by this Agreement.

         
         

      2. If the Receiving Party is legally required or compelled to disclose any of the Disclosing Party’s Confidential Information (e.g., by law or regulation; court order, subpoena, or other request in legal, regulatory or other similar proceedings), the Receiving Party will: (i) notify the Disclosing Party (at least seventy-two (72) hours in advance, to the extent permitted by law, or as soon as is otherwise possible), furnishing any information it possesses concerning the request or requirement as could enable Disclosing Party to seek a protective order or other appropriate remedy and (ii) disclose only the Confidential Information it believes reasonably necessary to comply and (iii) cooperate with any Disclosing Party efforts to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded the Confidential Information by the recipient.

         
         

   4. Notification Obligation. If the Receiving Party becomes aware of any use or disclosure of the Disclosing Party’s Confidential Information prohibited by this Section 5, the Receiving Party will promptly notify the Disclosing Party of all facts known to it concerning such unauthorized use or disclosure.

      
      

6. INFORMATION PROTECTION

   
   

   1. Ownership of Customer Data. All information acquired, processed, stored, or distributed by virtue of Customer’s use of the Services is “Customer Data.” Customer will remain the sole and exclusive owner of all right, title and interest in and to any and all Customer Data; provided, however, Customer hereby grants Zingage a perpetual, irrevocable, royalty-free, transferable, sublicensable right and license to process and use Customer Data to provide the Services to Customer and to deidentify and anonymize Customer Data in accordance with applicable law and, as applicable, the BAA (“Deidentified Data”). Customer acknowledges that Zingage may use Deidentified Data to improve and develop the Services, for benchmarking and statistical purposes and as permitted by applicable law.

      
      

   2. No Conflict. Nothing in this Section 6 negates or limits party’s obligations under the BAA.

      
      

   3. Information Protection. Zingage will use commercially reasonable efforts to implement and maintain security procedures and practices that are designed to protect Customer Data from unauthorized access, use, modification, disclosure, or destruction by following and maintaining the security protections described at https://trust.zingage.com/ (or any successor page) (“Security Standards”). Zingage will notify Customer in advance in the event of any material degradation in its compliance or certification under the Security Standards. In the event of any actual or reasonably suspected access to Customer Data by an unauthorized third party : (i) Zingage agrees to use commercially reasonable efforts to notify Customer as soon as practicable, but no later than seventy-two (72) hours after discovery, providing such relevant information as Zingage knows at that time; and (ii) Zingage and Customer will cooperate in an investigation of the cause of the access and any remedial efforts required by law or agreed to by the parties.

      
      

7. TERM AND TERMINATION

   
   

   1. Term. The term of this Agreement will be as specified in the applicable Order Form. Except as expressly provided in this section 7, termination or expiration of an Order Form will not affect any active Order Forms subject to this Agreement.

      
      

   2. Termination for Breach. Either party may terminate this Agreement and any or all applicable Order Forms if the other party materially breaches any of its obligations under this Agreement or an applicable Order Form and fails to cure such breach within thirty (30) days after receiving written notice of the breach from the nonbreaching party. In the event of such termination: (i) neither party shall be relieved of any of its obligations incurred prior to such

      termination, and (ii) to the extent a specific Order Form is terminated, any other Order Form which is not terminated shall survive in accordance with its terms.

      
      

   3. Termination for Insolvency. Either party may terminate this Agreement and all Order Forms, effective upon notice, if the other party: (i) dissolves, liquidates, or ceases to exist without a successor; (ii) has a custodian or receiver appointed; (iii) becomes the subject of any bankruptcy, receivership, insolvency, or similar legal proceeding under applicable law; or (iv) makes an assignment or trust mortgage for the benefit of its creditors.

      
      

   4. Survival; Effect of Termination. The BAA and Sections 4, 5, 6.1, 7-12 will survive the expiration or termination of this Agreement. Within thirty (30) days of the expiration or termination of this Agreement and all applicable Order Forms, each party will destroy all Confidential Information, except to the extent otherwise required by its surviving obligations or its compliance efforts in respect of applicable law.

      
      

8. REPRESENTATIONS AND WARRANTIES

   
   

   1. General Warranty. Each party represents and warrants to the other party that such party has the required rights, power and authority to enter into this Agreement and to grant all rights granted hereunder.

      
      

   2. Zingage Warranties. Zingage represents and warrants:

      
      

      1. The Services will be provided and materially function in accordance with the Documentation, the provisions of this Agreement and the applicable Order Form.

         
         

      2. Any Zingage personnel engaged in the provision of Services to Customer have all skill, experience and qualifications appropriate or required under generally recognized industry standards.

         
         

      3. Zingage will not knowingly incorporate or allow the Services to contain any software, hardware or other technology designed or directed to allow unauthorized access, destruction or harm to Customer Data (“Harmful Code”).

         
         

      4. Zingage will perform its obligations in compliance with the BAA and applicable federal, state, and local laws, regulations, ordinances and codes.

         
         

   3. Customer Warranties. Customer represents and warrants:

      
      

      1. Customer will use the Services solely for its internal business purposes, as contemplated by this Agreement, without interfering in their normal operation or attempting to alter or exceed its authorized access.

         
         

      2. The Customer Data will be free of any Harmful Code.

         
         

      3. Customer has obtained, and hereby grants to Zingage, all rights, licenses, authorizations, and consents necessary to allow Zingage to process the Customer Data in accordance with this Agreement.

         
         

      4. Customer is and will remain solely responsible for maintaining and retaining all Customer Data provided or made available to Zingage.

         
         

   4. Disclaimer of Warranties. Except as stated in this Section 8, the parties disclaim all warranties, whether implied, by operation of law or otherwise, including, without limitation, any implied warranties of merchantability and fitness for a particular purpose. The Services are provided “as is.” Zingage does not warrant that the Services will operate uninterrupted or error-free. Zingage shall not be responsible for Customer Data nor for any other information provided by Customer, and Zingage shall not be liable for the accuracy or completeness of such Customer Data and information. Zingage makes no representation or warranty regarding the results Customer will obtain by using the Services, nor does Zingage guarantee any outcomes from use of the Services.

9. INDEMNIFICATION

   
   

   1. By Customer. Customer will indemnify, defend and hold harmless Zingage and its affiliates, directors, officers, employees, successors and assigns (collectively, “Indemnified Parties”) from and against any and all liabilities, obligations, settlements, judgments, awards, government fines, penalties, interest, losses, costs, damages and expenses, including reasonable attorneys’ fees and expenses, appellate bonds and court costs (collectively, “Losses”) in connection with third party claims, actions, judgments, suits, proceedings, causes of actions, assertions, allegations, government fees and penalties, and investigations (“Claims”) arising out of any actual or alleged: (i) breach by Customer of any warranty, covenant or other obligation under this Agreement, including Section 5; (ii) violation by Customer of any local, state or federal law, rule or regulation.

      
      

   2. By Zingage. Zingage will defend, indemnify and hold harmless Customer and its Indemnified Parties from and against any and all Losses in connection with Claims arising out of:

      
      

      1. any breach by Zingage of the BAA,

         
         

      2. any breach by Zingage of Section 8.2 or Section 5; or

         
         

      3. any allegation that the Services, or the use thereof (as permitted under the Agreement) infringes or misappropriates any third party’s intellectual property rights, except to the extent arising from Customer’s: (I) modification or alteration of the Services without Zingage’s direction or approval; (II) use of the Services in a manner not permitted by the Documentation or this Agreement; or (III) use of the Services in combination with any software or hardware not provided by Zingage, where the Claim would not have occurred but for such combination.

         
         

   3. IP Infringement Remedy. In the event of an actual or potential Claim under Section 9.2.3, then Zingage will, at its expense, and as Customer’s exclusive direct remedy:

      
      

      1. procure for Customer the right to continue using the Services,

         
         

      2. replace the Services subject to the Claim with a non-infringing product or service of equivalent functionality and performance, or

         
         

      3. modify the Services so it becomes non-infringing without adversely impacting functionality or performance.

         
         

         If Zingage fails to provide any of the foregoing remedies within thirty (30) days, Customer may terminate this Agreement with immediate effect.

         
         

   4. Procedure. In the event of a Claim subject to indemnification pursuant to this Section 9, the party entitled to indemnification will promptly notify the other party (the “Indemnitor”); provided, however, that failure to timely notify the Indemnitor will limit Indemnitor’s indemnification obligation only to the extent the delay causes actual legal prejudice or increased out-of-pocket cost. Indemnitor will control the defense or settlement of any such Claim using counsel reasonably acceptable to the party entitled to indemnification and may compromise, settle or otherwise dispose of the Claim, all at the expense of the Indemnitor; provided that the Indemnitor will not settle, or consent to any entry of judgment without obtaining either: (i) an unconditional release of all Indemnified Parties from all liability in all Claims with no admission of fault or guilt; or (ii) the prior written consent of the party entitled to indemnification. A party entitled to indemnification will not settle, or consent to any entry of judgment of a Claim without notifying and obtaining the prior written consent of the Indemnitor. The parties will fully cooperate with each other in any such Claim.

10. LIMITATION OF LIABILITY

    
    

    1. The parties each acknowledge and agree that the limitations of liability set forth in this Section 10 will not apply to any losses resulting from a party’s: (i) indemnification obligations hereunder, or (ii) fraud, willful misconduct, or gross negligence.

       
       

    2. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY LOST PROFITS OR FOR ANY SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER. REGARDLESS OF THE LEGAL THEORY OF THE CLAIM, ZINGAGE’S MAXIMUM LIABILITY SHALL NOT EXCEED THE TOTAL AMOUNTS PAID OR PAYABLE BY CUSTOMER TO ZINGAGE UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE DATE ON WHICH THE CLAIM FIRST AROSE.

       
       

    3. Except as otherwise expressly provided herein, all rights and remedies of the parties are separate and cumulative. The waiver or failure of either party to exercise in any respect any right or remedy provided herein will not be deemed a waiver of any further right or remedy hereunder.

       
       

11. DISPUTE RESOLUTION

    
    

    1. Arbitration. Any controversy or claim arising out of this Agreement shall be filed with and settled by final and binding arbitration in accordance with the then-current streamlined commercial arbitration procedures of JAMS. The arbitration shall be filed and heard on an expedited basis in New York, New York before an arbitrator experienced in commercial disputes involving healthcare technology, using virtual proceedings to the greatest extent possible. The arbitrator’s remedial authority shall be no greater than that which is available under the statutory or common law theory asserted. Judgment upon any award rendered by the arbitrator may be entered in any court with appropriate jurisdiction. Neither this agreement to arbitrate nor any demand for arbitration shall waive or otherwise affect a party’s right to obtain any provisional remedy, including, without limitation, injunctive relief. Each party understands and acknowledges that by entering into this Agreement, it waives any right to trial by jury or before a court of law.

       
       

    2. Governing Law; Exclusive Jurisdiction. This Agreement and each Order Form will be governed by the laws of the State of New York. Each party hereby irrevocably and unconditionally: (a) consents to submit to the exclusive jurisdiction of the courts of the State of New York for any proceeding arising in connection with this Agreement and each such party agrees not to commence any such proceeding except in such courts; and (b) waives any objection to the laying of venue of any such proceeding.

       
       

12. GENERAL

    
    

    1. Notices. Any written notice required or permitted to be delivered pursuant to this Agreement or any Order Form will be in writing and will be deemed delivered: (a) upon delivery, if delivered in person or by email to the addresses set forth on the Order Form; or to such other address as may be specified by either party hereto upon notice given to the other.

       
       

    2. Binding Nature, Assignment and Subcontracting. This Agreement and each Order Form will be binding on the parties and their successors and permitted assigns. Neither party may assign or transfer any of its rights, duties or obligations under this Agreement or any part thereof, whether by operation of law or otherwise, without the prior written consent of the other party; provided, however, that each party retains the right to transfer or assign this Agreement in the event of a merger, corporate restructuring or a sale of all or substantially all of its assets.

       
       

    3. Severability; Waiver. If any provision is found by a court of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability will not invalidate or render unenforceable any other part, but the Agreement and each Order Form will be construed as not containing the particular provision or provisions held to be invalid or unenforceable. No delay or omission by either party hereto to exercise any right occurring upon any noncompliance or default by the other party with respect to any of the terms will impair any such right or power or be construed to be a waiver thereof. A waiver by either of the parties hereto of any of the covenants, conditions or agreements to be

       performed by the other will not be construed to be a waiver of any succeeding breach thereof or of any covenant, condition or agreement herein contained.

       
       

    4. Interpretation. Any obligation in this Agreement on a party not to do something includes an obligation not to agree or knowingly allow that thing to be done. Any words following the terms “including,” “include,” “in particular,” “for example”, “such as” or any similar expression are illustrative, non-exhaustive and do not limit the sense of the words, description, definition, phrase or term preceding those terms. A reference to writing or written includes e-mail.

       
       

    5. Non-Exclusivity. This Agreement is non-exclusive. Nothing in this Agreement restricts either party from developing, marketing, selling, licensing, and/or distributing its products or services in the normal course of business or through its standard sales channels.

       
       

    6. Export. The parties will not export, directly or indirectly, any technical data acquired from the other party pursuant to the Agreement (including the Services) to any country for which the U.S. Government or any agency thereof at the time of export requires an export license or other government approval without first obtaining such license or approval.

       
       

    7. Relationship. Customer and Zingage agree that neither party will be an employee, agent, partner or joint venturer of or with the other. Zingage, in furnishing the Services, is acting as Customer’s independent contractor. Neither party has any authority to represent, contract, or commit the other in any matters, except to the extent expressly authorized in the Agreement. Each party will be responsible for payment of its independent contractors, subcontractors and its employees’ entire compensation and benefits, as applicable, including employment taxes, workers’ compensation, unemployment compensation and any similar taxes associated with employment or their relationship.

       
       

    8. Entire Agreement; Modification. This Agreement and each Order Form, together with all of the exhibits, schedules, attachments and addenda hereto or thereto, sets forth the entire, final and exclusive agreement between the parties as to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations and discussions, whether oral or written, between the parties. In the event of a conflict, the terms of this Agreement will control unless expressly overridden by the provisions of the Order Form that references that provision being overridden. This Agreement and Order Forms may be modified only pursuant to a writing executed by both parties. No party hereto will make any representations or warranties or incur any liability on behalf of the other. No party is the agent, representative or partner of the other party.

BUSINESS ASSOCIATE AGREEMENT

1. PREAMBLE AND DEFINITIONS.

   1. Parties. This Business Associate Agreement (“BAA”) applies between Kuzushi Inc., dba Zingage, on behalf of itself and its corporate affiliates (“Business Associate”) and the Customer party (“Covered Entity”) to the Zingage Master Services Agreement or other agreement incorporating this BAA (any, “Agreement”).

   2. Purpose. This BAA is intended to ensure Business Associate safeguards any Protected Health Information it may receive, create, maintain, use, or disclose in connection with the services provided to Covered Entity pursuant to the Agreement (“Services”).

   3. Definitions. Any capitalized terms not defined in this BAA or the HIPAA Rules have the meaning given to them in the Agreement.

      1. “ePHI” means any Electronic Protected Health Information, as defined by the HIPAA Rules, that Business Associate creates, receives, maintains, or transmits by on behalf of Covered Entity

      2. “Guidance” means, in relation to any law or rule, any official or interpretative guidance issued by the Secretary, HHS or other federal body with legal authority to supplement, enforce or otherwise clarify the law or rule.

      3. “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act and the American Recovery and Reinvestment Act of 2009.

      4. “HIPAA Rules” means the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164, as amended and in effect, and any Guidance thereto.

      5. “PHI” means any Protected Health Information that Business Associate receives, creates, maintains, uses, or discloses in connection with the Services.

      6. “Protected Health Information” has the meaning given to it by HIPAA, the HIPAA Rules and Guidance.

         
         

      7. “Privacy Rule” means the Privacy Rule at 45 C.F.R. Parts 160-164 and any Guidance.

         
         

      8. Unless the context clearly indicates otherwise, the following terms have the meanings given to them by the HIPAA Rules: “Breach”, “Data Aggregation”, “Designated Record Set”, “disclosure”, “Electronic Media”, “Electronic Protected Health Information”, “Health Care Operations”, “individual”, “Minimum Necessary”, “Notice of Privacy Practices”, “required by law”, “Secretary”, “Security Incident”, “Subcontractor”, “Unsecured PHI”, and “use”.

         
         

2. GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE.

   1. Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as required by law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.

   2. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent any use or disclosure of PHI other than as permitted by this BAA.

   3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI.

   4. Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require any Subcontractors processing PHI to agree to the same PHI restrictions, conditions, and requirements that apply to the Business Associate.

   5. Breach notification. The Business Associate agrees to the following breach notification requirements:

      
      

      1. Business Associate agrees to report to Covered Entity (i) any Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410 and (ii) any Security Incident that results in unauthorized access, use, or disclosure of PHI, in each case without unreasonable delay and in any event within 10 calendar days of discovery. The report shall include, to the extent available, the information required by 45 C.F.R. § 164.410(c), and any additional information reasonably requested by Covered Entity.

   6. Security. In accordance with the Security Rule, Business Associate agrees to:

      
      

      1. Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule.

      2. Require any agent, including a Subcontractor, receiving, creating, using or disclosing PHI to implement reasonable and appropriate safeguards to protect the PHI.

   7. Designated Record Sets. Business Associate agrees to make available PHI in a Designated Record Set to the covered entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.

      1. Business Associate agrees to comply with an individual’s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law.

      2. Business Associate agrees to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4).

      3. Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure will be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as consistent with applicable Guidance.

      4. Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.

   8. Audit. Business Associate agrees to make its internal practices, books, and records, including policies and procedures for Breach of any Unsecured PHI and the use and disclosure of PHI, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule.

   9. Accounting for disclosures. Business Associate agrees to account for the following disclosures:

      
      

      1. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the covered entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.

      2. Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

      3. Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity’s request, information collected in accordance with this Section 2.9, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

      4. Business Associate agrees to account for any disclosure of PHI used or maintained as an EHR in a manner consistent with 45 C.F.R. § 164.528 and Guidance; provided that an individual will have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested of Business Associate.

         
         

3. PERMITTED USE AND DISCLOSURE.

   1. General Uses and Disclosures. Business Associate agrees to use or disclose PHI only as permitted by this BAA and the Agreement:

      1. in a manner consistent with the HIPAA Rules and

         
         

      2. in connection with providing the Services to Covered Entity, provided that no such use or disclosure in a manner that would violate HIPAA if done by Covered Entity.

   2. Minimum Necessary requirements. Business Associate agrees to comply with the following Minimum Necessary requirements in its use and disclosure of PHI:

      1. Subcontractors: Business Associate agrees that, in accordance with 45 C.F.R. § 164.502 (e)(1), if Business Associate’s Subcontractor creates, receives, maintains or transmits PHI on behalf of Business Associate, Business Associate will enter into an agreement with such Subcontractor that contains substantially the same restrictions and conditions on the use and disclosure of PHI as contained in this Agreement.

      2. Business Associate Management, Administration, and Legal Responsibilities: Business Associate may use PHI for Business Associate’s management and administration, or to carry out Business Associate’s legal responsibilities. Business Associate may disclose PHI to a third party for such purposes only if: (1) the disclosure is Required by Law; or (2) Business Associate secures written assurance from the receiving party that the receiving party will: (i) hold the PHI confidentially; (ii) use or disclose the PHI only as Required by Law or for the purposes for which it was disclosed to the recipient; and (iii) notify the Business Associate of any other use or disclosure of PHI.

      3. Data Aggregation and De-Identification: Business Associate may use PHI to perform data aggregation services as permitted by 45 C.F.R. § 164.504 (e)(2)(i)(B). Business Associate may also de-identify PHI in accordance with 45 C.F.R. § 164.514.

      4. Covered Entity Responsibilities: To the extent Business Associate is to carry out Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity’s compliance with such obligations.

      5. Electronic Transactions: Business Associate may transmit PHI between two parties to carry out financial or administrative activities related to health care for which DHHS has established standards (as defined in 45 C.F.R. § 162.103) (“Standard Transaction”) for or on behalf of Covered Entity, Business Associate shall comply, and shall require any subcontractor or agent conducting such Standard Transaction to comply, with each applicable requirement of Title 45, Part 162 of the CFR.

         
         

4. OBLIGATIONS OF COVERED ENTITY.

   1. Covered Entity will:

      1. Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of PHI.

      2. Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this BAA.

      3. Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI under this BAA.

   2. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under Section 3 of this BAA.

      
      

5. INDEMNIFICATION.

   The parties agree and acknowledge that, except as set forth herein, the indemnification obligations of the Agreement will apply to each party’s performance under this BAA.

   
   

6. TERM AND TERMINATION.

   1. Term. This BAA will be in effect as of the Effective Date and will terminate on the earlier of:

      
      

      1. Either party’s termination for cause as authorized under Section 6.2 (Termination of BAA for cause).

         
         

      2. The termination or expiration of the Agreement.

         
         

   2. Termination of BAA for cause. Upon either party’s knowledge of material breach by the other party, the non- breaching party will provide notice stating a reasonable timeframe (not less than thirty (30) days) to cure the breach, unless the breach is incapable of cure. Where a breach is incapable of cure or remains uncured at the end of the reasonable timeframe, the non-breaching party may terminate this BAA and the Agreement with immediate effect, upon written notice.

   3. Effect of termination. Upon termination of this BAA for any reason, Business Associate will:

      
      

      1. Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities.

      2. Return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining PHI that the Business Associate still maintains in any form.

      3. Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 7, for as long as Business Associate retains the PHI.

      4. Not use or disclose any retained PHI except for the purposes it was retained, otherwise observing the safeguards and complying with the HIPAA Rules for so long as any is retained.

      5. Return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

         The requirements of this Section 6.3 (Effect of termination) shall survive termination or expiration of this BAA and shall be in force as long as any PHI remains in the custody or control of Business Associate.

         
         

7. GENERAL

   1. Interpretation. This BAA will be interpreted in the following manner:

      
      

      1. This BAA will control in the event of any inconsistency or conflict between this BAA and the Agreement.

         
         

      2. Any inconsistency between this BAA’s provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, a court, or another regulatory agency with authority over the parties, will be interpreted according to the interpretation of the HHS, the court, or the regulatory agency.

      3. Any provision of this BAA that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, will be adhered to as stated in this BAA.

   2. Integration; amendment. This BAA constitutes the entire agreement between the parties related to the subject matter of processing of PHI and ePHI. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions will remain in effect.

   3. Amendment for change in law. The parties agree to negotiate in good faith mutually acceptable and appropriate amendment(s) to this BAA to give effect to any amendment to HIPAA or the HIPAA Rules or any new federal law or rule affecting PHI which materially alters either party’s obligations under this BAA; provided, however, that if the parties are unable to agree on mutually acceptable amendment(s) within sixty (60) days of the effective date of the change in law, either party may terminate this BAA and the Agreement.

   4. Transfer. This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate, but may only be transferred or assigned with the Agreement.

   5. Governing law. Except to the extent preempted by applicable federal law, this BAA will be governed by and construed in accordance with the law governing the Agreement.

   6. Execution by Agreement. This BAA is executed by execution of the Agreement incorporating this BAA by reference. Should the parties choose to execute this BAA separately, it may be executed in two or more counterparts, each of which will be deemed an original.