Business Associate Agreement

Terms:

This Business Associate Agreement (“BAA”) is entered into by and between TruRev Health LLC, Inc. (“Business Associate”) and the covered entity agreeing to these terms (“Covered Entity”) and is effective as of the date Covered Entity signs the “Medical Billing Agreement”. Business Associate and Covered Entity may be referred to individually as a “Party” or, collectively, as the “Parties” in this BAA.


INTRODUCTION

This Agreement governs the terms and conditions under which Business Associate will access personal health information belonging to patients in performing services for, or on behalf of, Covered Entity, in accordance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended. Specifically, this Agreement governs the terms and conditions under which Business Associate will provide services to Covered Entity.


1) DEFINITIONS

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 C.F.R. parts 160 and 164.

a) Individual: As defined in 45 C.F.R. § 160.103.

b) Privacy and Security Rules: The Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.

c) Protected Health Information (PHI): As defined in 45 C.F.R. § 160.103, limited to information created or received by Business Associate from or on behalf of Covered Entity.

d) Required By Law: As defined in 45 C.F.R. § 160.103.

e) Secretary: Secretary of the Department of Health and Human Services or designee.

f) Unsecured Protected Health Information: As defined in the HITECH Act § 4402(h)(i).


2) OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

Business Associate agrees to:

a) Not use or further disclose PHI other than as permitted by this Agreement or as Required By Law.

b) Use appropriate safeguards to prevent unauthorized use or disclosure of PHI.

c) Mitigate, to the extent practicable, any harmful effect known from a use or disclosure of PHI.

d) Report any unauthorized use or disclosure of PHI to Covered Entity.

e) Ensure subcontractors agree to the same restrictions and conditions regarding PHI.

f) Provide access to PHI in a Designated Record Set as required by 45 C.F.R. § 164.524.

g) Make amendments to PHI as required by 45 C.F.R. § 164.526.

h) Make internal practices and records relating to PHI available to Covered Entity or Secretary for compliance review.

i) Document disclosures of PHI for accounting purposes in accordance with 45 C.F.R. § 164.528.

j) Provide documentation to Covered Entity to respond to individual accounting requests.

k) Notify Covered Entity of any breach of Unsecured PHI, including affected individuals, details of the breach, and mitigation efforts.


3) PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

Business Associate may use or disclose PHI:

a) To perform services for or on behalf of Covered Entity as permitted by their service agreement.

b) For proper management and administration, or to carry out legal responsibilities, if disclosures are Required By Law or with reasonable assurances of confidentiality.

c) To provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

d) To report violations of law to appropriate authorities in compliance with 45 C.F.R. § 164.502(j)(1).


4) OBLIGATIONS OF COVERED ENTITY

Covered Entity agrees to:

a) Provide its notice of privacy practices and any updates.

b) Notify Business Associate of changes or revocation of permission that may affect PHI use/disclosure.

c) Notify Business Associate of restrictions to use or disclosure of PHI.


5) PERMISSIBLE REQUESTS BY COVERED ENTITY

Covered Entity shall not request Business Associate to use or disclose PHI in any way that would violate HIPAA rules if done by Covered Entity.


6) TERM AND TERMINATION

a) Term. This Agreement is effective from the first release of PHI and remains in effect until all PHI is returned or destroyed.

b) Termination for Cause. Covered Entity may terminate if Business Associate breaches this Agreement and fails to cure the breach within a specified time.

c) Effect of Termination. Upon termination, Business Associate shall return or destroy all PHI. If infeasible, protections will be extended to retained PHI.

d) Survival. Obligations of Business Associate under this section survive termination.


7) MISCELLANEOUS

a) Regulatory References. Refer to the HIPAA Privacy and Security Rules as amended.

b) Limitation of Liability. Governed by the services agreement between the Parties.

c) Amendment. Parties agree to amend this Agreement as necessary to comply with HIPAA.

d) Interpretation. Ambiguities shall be interpreted to comply with HIPAA.

e) Governing Law. This Agreement shall be governed by the laws of the State of New York.

f) Severability. If any provision is unenforceable, the remainder remains in effect.

g) Binding on Successors. Binding upon successors and permitted assigns.

h) Modifications. Must be in writing and executed by both Parties.