BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is made and entered into by and between (“Covered Entity”) and Uptick, LLC, dba, Doulado (“Business Associate”) as of the date of execution by the parties (“Effective Date”). Business Associate and Covered Entity are hereinafter individually referred to as “Party” or collectively as the “ Parties”.

RECITALS

WHEREAS, Covered Entity is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, and its implementing regulations, including the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (collectively, the “HIPAA Rules”); WHEREAS, Business Associate provides certain services to Covered Entity (the “Services”) pursuant to a [SaaS or Services Agreement] (the “Services Agreement”) that involve the use or disclosure of protected health information (“PHI”), as defined by the HIPAA Rules; WHEREAS, Covered Entity must have an existing Services Agreement in place for this Agreement to be valid and effective, which Services Agreement governs the functions, activities, and services that Business Associate performs for Covered Entity. Together with the Services Agreement, this Agreement will govern each Party’s respective obligations regarding PHI; WHEREAS, in connection with the provision of such services, Business Associate may create, receive, maintain, or transmit PHI on behalf of Covered Entity; and WHEREAS, Covered Entity and Business Associate desire to comply with the requirements of HIPAA and to protect the confidentiality, integrity, and availability of PHI in accordance with the HIPAA Rules.

NOW, THEREFORE, the Parties agree as follows:

1. DEFINITIONS.

Capitalized terms used but not defined in this Agreement shall have the same meanings as those terms in the HIPAA Rules.

1.1. “Breach” shall have the same meaning as the term “breach” in 45 C.F.R.§ 164.402. For clarity, a Breach will not include an acquisition, access, use or disclosure of PHI with respect to which Business Associate has deemed in accordance with 45 C.F.R. § 164.402 that there is a low probability that the PHI has been compromised.

1.2. “Electronic Protected Health Information” or “ePHI” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. §160.103.

1.3. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

1.4. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, and is limited to (a) the PHI to which Business Associate has access to through the Services in connection with Covered Entity’s permitted use of the Services and (b) the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

2. Obligations and Activities of Business Associate

2.1. Use and Disclosure. Business Associate agrees to use and disclose PHI only as permitted or required by this Agreement, or as required by law, or as otherwise authorized by Covered Entity in writing.

2.2. Appropriate Safeguards.

2.2.1. Business Associate agrees to use appropriate safeguards to prevent against unauthorized use or disclosure of PHI other than as provided for by this Agreement or as provided by applicable law.

2.2.2. Business Associate agrees to comply with the HIPAA Security Rule with respect to ePHI, including implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.

2.3. Subcontractors and Agents.

2.3.1. Business Associate agrees to ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same material restrictions and conditions that apply to Business Associate with respect to such PHI under this Agreement.

2.3.2. Business Associate agrees to ensure that any individuals who are authorized to access PHI on its behalf comply with the same restrictions and conditions that apply to Business Associate with respect to such PHI under this Agreement.

2.4. Reporting.

2.4.1. Business Associate agrees to report to Covered Entity any unauthorized use of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410.

2.4.2. For Breaches and security incidents that do not result in access to, use, disclosure, modification, or destruction of PHI in violation of this Agreement, this Section 2.4.2 will be deemed notice to Covered Entity that Business Associate periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information or interference with the general operation of Business Associate’s information systems and the Services, including pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and denial-of-service attacks, and even if such events are defined as a security incident under HIPAA, Business Associate will not provide further notice regarding such unsuccessful attempts other than this Section 2.4.2 .

2.4.3. Subject Section 2.4.2 , Business Associate agrees to provide notification to Covered Entity following Business Associate’s discovery of any successful security incident, including any unauthorized use, modification, or destruction of ePHI, as required by 45 C.F.R. § 164.410.

2.4.4. Business Associate agrees to use commercially reasonable efforts to mitigate, to the extent practicable, any further harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.

2.5. Business Associate agrees to make available PHI in accordance with 45 C.F.R. § 164.524.

2.6. Access to Records. To the extent required by law, and subject to applicable attorney client privileges, Business Associate agrees to make available its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity to the Secretary of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Rules.

2.7. Accounting of Disclosures. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

2.8. Access to PHI.

2.8.1. Business Associate agrees to make available PHI in accordance with 45 C.F.R. § 164.524.

2.8.2. Business Associate agrees to provide access, at the request of Covered Entity, to the PHI provided by Covered Entity in a designated record set to Covered Entity or its designee, as required by 45 C.F.R. §164.524.

2.9. Business Associate agrees to provide notification to Covered Entity of any security incident, including any unauthorized use, modification, or destruction of ePHI, as required by 45 C.F.R. § 164.410. Business Associate agrees to ensure that any individuals who are authorized to access PHI on its behalf agree to comply with the same restrictions and conditions that apply to Business Associate with respect to such PHI under this Agreement.

2.10. Business Associate agrees to comply with the HIPAA Security Rule with respect to ePHI, including implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.

2.11. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.

3. Permitted Uses and Disclosures by Business Associate

3.1. (a) Business Associate may make all uses and disclosurees of PHI as necessary to perform its obligations under this Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.

3.2. (b) Business Associate may use PHI for the proper management and administration of its business or to carry out the legal responsibilities of Business Associate.

3.3. (c) Business Associate may disclose PHI to a third party for the proper management and administration of its business or to carry out the legal responsibilities of Business Associate, provided that the disclosures are (a) required by law, or (b) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosedrecipient that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the personrecipient, and the recipientperson notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.4. Business Associate has no obligations under this Agreement with respect to any PHI that Covered Entity creates, receives, maintains, or transmits outside of the Services.

4. Obligations of Covered Entity

4.1. (a) Covered Entity shall:

4.1.1. notify Business Associate of any limitation(s) in its notice of privacy practices or in its individual authorizations under 45 C.F.R. § 164.508, to the extent that such limitation may affect Business Associate’s permitted or required use or disclosure of PHI;.

4.1.2. (b) Covered Entity shall

4.1.3. notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's permitted or required use or disclosure of PHI; and

4.1.4. Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's permitted or required use or disclosure of PHI. Any such changes and restrictions required pursuant to Section 4.1.1 - 4.1.3 shall not be binding on Business Associate until agreed to in writing by Business Associate, where such agreement may require changes to the Services and/or additional fees.

4.2. [Except for data aggregation or management and administrative activities of Business Associate,] Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

4.3. Covered Entity warrants that it has obtained and will obtain any consents, authorizations, and/or other legal permissions required under HIPAA and/or other applicable law for the disclosure of PHI to Business Associate. If there are any changes in, or revocation of, the permission given by an individual for use or disclosure of PHI, Covered Entity is responsible for managing its use of the Services accordingly to update and/or delete such PHI from the Services.

4.4. Covered Entity will use appropriate safeguards to ensure the confidentiality, privacy, and security of the PHI transmitted to or received from Business Associate and to prevent use or disclosure of PHI, other than as provided under this Agreement or provided for by applicable law.

4.5. The only PHI that Covered Entity may disclose to Business Associate is Electronic PHI or ePHI. Covered Entity may not disclose any PHI to Business Associate that is not electronic and not provided through the Services. Covered Entity is solely responsible for the form and content of PHI provided to Business Associate, including whether Covered Entity maintains such PHI in a Designated Record Set. Covered Entity will take appropriate measures to limit the disclosure of PHI to Business Associate to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

5. Term and Termination

5.1. This Agreement shall become in effective as of the Effective Date and shall continue in effect until (a) terminated in accordance with this Section 5 or (b) until all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such PHI, in accordance with the termination provisions in this Section 5.

5.2. (b) Covered Entity may terminate this Agreement immediately if Business Associate breaches a material term of this Agreement and Business Associate fails to cure the breach within thirty (30) days after its receipt of written notice of the breach from Covered Entity.

5.3. (c) Business Associate may terminate this Agreement immediately if Covered Entity breaches a material term of this Agreement, or with ten (10) days written notice.

5.4. This Agreement will automatically terminate without any further action by the Parties upon the termination or expiration of the Services Agreement between the Parties or in the event Covered Entity pauses, suspends, or cancels the Services or its account with Business Associate.

5.5. On termination of this Agreement, if feasible and at Covered Entity’s written request, Business Associate will return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Customer; provided, however, that if such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

6. Miscellaneous

6.1. This Agreement may not be amended except in writing and signed by both Parties.

6.2. This Agreement and the rights and obligations of the Parties under this Agreement shall be governed by and construed in accordance with the laws of the Sstate of South Carolina in which Business Associate is located without giving reference to the principles thereof relating to the conflict of law. Each Party irrevocably agrees that any legal action, suit or proceeding brought by it in any way arising out of this Agreement must be brought solely and exclusively in the state courts located in Greenville County, South Carolina, and irrevocably accepts and submits to the sole and exclusive jurisdiction of each of the aforesaid courts in personam, generally and unconditionally with respect to any action, suit or proceeding brought by it or against it by the other Party. This Section shall not prevent a Party against whom any legal action, suit or proceeding is brought by the other Party in the state courts of the State of South Carolina from seeking to remove such legal action, suit or proceeding, pursuant to applicable federal law, to the district court of the United States for the district and division embracing the place where the action is pending in the state courts of the State of South Carolina, and in the event an action is so removed each Party irrevocably accepts and submits to the jurisdiction of the aforesaid district court.

6.3. (c) Any notice required or permitted under this Agreement shall be in writing and shall be delivered personally or sent by certified or registered mail, postage prepaid, or by overnight courier service, and addressed to the Parties at the addresses set forth in this Agreement, or to such other address as a Party may designate in writing from time to time. Notices shall be deemed given when received.

6.4. (d) This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous communications, understandings, negotiations, commitments, and proposals, whether oral or written, with respect to such subject matter. The terms of this Agreement shall prevail in the case of any conflict with the terms of the Services Agreement solely to the extent and only to the extent necessary to allow Covered Entity to comply with applicable law. Except as expressly modified or amended under this Agreement, the terms of the Services Agreement remain in full force and effect.

6.5. Any ambiguity in this Agreement shall be resolved to permit compliance with the HIPAA Rules.

6.6. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

6.7. Section 5 (Term and Termination) and 6 (Miscellaneous) will survive termination or expiration of this Agreement.

6.8. Either Party shall be permitted to assign its rights and interests under this Agreement to an entity that purchases the assets of the such Party or merges with the Party, so long as (a) the assignee agrees to be bound by all of the terms and conditions of this Agreement and (b) the assignee operates the business as a continuation of that Party’s business.

6.9. The Parties to this Agreement do not intend to create any rights in any third parties and agree that they are independent contractors and not agents of each other.

6.10. (g) This Agreement may be executed in counterparts, including PDF or other electronic copies, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.