BUSINESS ASSOCIATE AGREEMENT

ThisBusiness Associate Agreement(this “BA Agreement”) is made by and between Topography Health, Inc. (“Company”) and Research Site (“Covered Entity”) and is effective as of __________________ (“Effective Date”). Capitalized terms used in this BA Agreement without definition shall have the respective meanings assigned to such terms in the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time (collectively, “HIPAA”) or the Services Agreement.

RECITALS

WHEREAS, Covered Entity and Company are parties to that certain agreement setting forth certain services that require Company to have access to Protected Health Information (as defined below) (the “Services Agreement”); and

WHEREAS, it is the intent of Covered Entity and Company, pursuant to the Services Agreement as described in this BA Agreement, for the parties to comply with HIPAA.

NOW THEREFORE, in consideration of the mutual premises and covenants contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Covered Entity and Company agree as follows:

AGREEMENT

  1. GENERAL PROVISIONS

    1.1.Effect. The provisions of this BA Agreement shall control with respect to Protected Health Information that Company receives from or on behalf of Covered Entity (“PHI”), and the terms and provisions of this BA Agreement shall supersede any conflicting or inconsistent terms and provisions in the Services Agreement, including all exhibits or other attachments thereto and all documents incorporated therein by reference, to the extent of such conflict or inconsistency. This Agreement shall not modify or supersede any other provision of the Services Agreement.

    1.2.No Third Party Beneficiaries. The parties have not created and do not intend to create by this BA Agreement any third party rights, including, but not limited to, third party rights for Covered Entity’s patients.

    1.3.HIPAA Amendments. Any future amendments to HIPAA affecting business associate agreements are hereby incorporated by reference into this BA Agreement as if set forth in this BA Agreement in their entirety, effective on the later of the effective date of this BA Agreement or such subsequent date as may be specified by HIPAA.

    1.4.Regulatory References. A reference in this BA Agreement to a section in HIPAA means the section as it may be amended from time-to-time.

    1.5.Status. The parties acknowledge and agree that Company is not acting as an agent or employee of Covered Entity under the Services Agreement.

  2. COMPANY’S OBLIGATIONS

    2.1.Use and Disclosure of PHI. Company may use and disclose PHI as permitted or required under the Services Agreement, this BA Agreement and as Required by Law, but shall not otherwise use or disclose any PHI. Company shall not use or disclose PHI received from Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by Covered Entity (except as set forth in Sections 2.1 (a), (b) and (c) of this BA Agreement). To the extent Company carries out any of Covered Entity’s obligations under the HIPAA privacy standards, Company shall comply with the requirements of the HIPAA privacy standards that apply to Covered Entity in the performance of such obligations. Company is permitted to use or disclose PHI as set forth below:

    (a) Company may use PHI internally for its proper management and administrative services or to carry out its legal responsibilities;

    (b) Company may disclose PHI to a third party for Company’s proper management and administration, provided that the disclosure is Required by Law or Company obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify Covered Entity of any instances of which the third person is aware in which the confidentiality of the PHI has been breached;

    (c) Company may use PHI to provide Data Aggregation services as defined by HIPAA; and

    (d) Company may use Protected Health Information to create de-identified health information in accordance with the HIPAA de-identification requirements. Subject to the terms of the Services Agreement, Company may disclose de-identified health information for any purpose permitted by law.

    2.2.Safeguards. Company shall use reasonable and appropriate safeguards to prevent the use or disclosure of PHI, except as otherwise permitted or required by this BA Agreement. In addition, Company shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI transmitted or maintained in Electronic Media (“EPHI”) that it creates, receives, maintains or transmits on behalf of Covered Entity. Company shall comply with the HIPAA Security Rule with respect to EPHI.

    2.3.Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, Company shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.

    2.4.Mitigation. Company shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Company) of a use or disclosure of PHI by Company in violation of this BA Agreement.

    2.5.Subcontractors. Company shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Company. Company shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Company under this BA Agreement.

    2.6.Reporting Requirements.

    (a) If Company becomes aware of a use or disclosure of PHI in violation of this BA Agreement by Company or by a third party to which Company disclosed PHI, Company shall report any such use or disclosure to Covered Entity without unreasonable delay.

    (b) Company shall report any Security Incident involving EPHI of which it becomes aware in the following manner:  (1) any actual, successful Security Incident will be reported to Covered Entity in writing without unreasonable delay, and (2) any attempted, unsuccessful Security Incident of which Company becomes aware will be reported to Covered Entity orally or in writing on a reasonable basis, as requested by Covered Entity. If the HIPAA security regulations are amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement hereunder to report such unsuccessful attempts will no longer apply as of the effective date of the amendment.

    (c) Company shall, following the discovery of a Breach of Unsecured PHI, notify the Covered Entity of such Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no case later 10 business days after discovery of the Breach.

    2.7.Access to PHI. Within 15 business days of a written request by Covered Entity for access to PHI about an Individual contained in any Designated Record Set of Covered Entity maintained by Company, if any, Company shall make available to Covered Entity such PHI for so long as Company maintains such information in the Designated Record Set. If Company receives a request for access to PHI directly from an Individual, Company shall forward such request to Covered Entity within 10 business days. Covered Entity shall have the sole responsibility for determining whether to approve a request for access to PHI.

    2.8.Availability of PHI for Amendment. Within 15 business days of receipt of a written request from Covered Entity for the amendment of an Individual’s PHI contained in a Designated Record Set of Covered Entity maintained by Company, if any, Company shall provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI (for so long as Company maintains such information in the Designated Record Set) as required by 45 C.F.R. § 164.526. If Company receives a request for amendment to PHI directly from an Individual, Company shall forward such request to Covered Entity within 10 business days. Covered Entity shall have the sole responsibility for determining whether to approve an amendment to PHI.

    2.9.Accounting of Disclosures. Within 30 business days of written notice by Covered Entity to Company that it has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Company shall make available to Covered Entity such information as is in Company’s possession and is required for Covered Entity to make the accounting required by 45 C.F.R. § 164.528. If Company receives a request for an accounting directly from an Individual, Company shall forward such request to the Covered Entity. Covered Entity shall have the sole responsibility for providing an accounting to the Individual.

    2.10.Availability of Books and Records. Following reasonable advance written notice, Company shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Company on behalf of, Covered Entity available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA.

  3. OBLIGATIONS OF COVERED ENTITY

    3.1.Permissible Requests. Covered Entity shall not request Company to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity (except as provided in Sections 2.1 (a), (b) and (c) of this BA Agreement).

    3.2.Minimum Necessary PHI. When Covered Entity discloses PHI to Company, Covered Entity shall provide the minimum amount of PHI necessary for the accomplishment of Company’s purpose.

    3.3.Permissions; Restrictions. Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Company. Covered Entity shall notify Company of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Company’s use or disclosure of PHI. Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts Company’s use or disclosure of PHI under this Agreement unless such restriction is Required By Law or Company grants its written consent, which consent shall not be unreasonably withheld.

    3.4.Notice of Privacy Practices. Except as Required By Law, with Company’s consent or as set forth in the Services Agreement or this BA Agreement, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Company’s use or disclosure of PHI under the Services Agreement.

  4. TERMINATION OF THE AGREEMENT

    4.1.Termination Upon Breach of Provisions Applicable to PHI. Any other provision of the Services Agreement notwithstanding, the Services Agreement and this BA Agreement may be terminated by either party (the “Non-Breaching Party”) upon 30 days written notice to the other party (the “Breaching Party”) in the event that the Breaching Party materially breaches any provision contained in this BA Agreement in any material respect and such breach is not cured within such 30-day period.

    4.2.Return or Destruction of PHI upon Termination. Upon termination of this BA Agreement, Company shall return or destroy all PHI received from Covered Entity or created or received by Company on behalf of Covered Entity and which Company still maintains as PHI. Notwithstanding the foregoing, to the extent that Company reasonably and in good faith determines that it is not feasible to return or destroy such PHI, the terms and provisions of this BA Agreement shall survive termination of the Services Agreement and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.

  5. COUNTERPARTS

This BA Agreement may be executed in two counterparts, each of which shall be deemed an original but both of which together shall constitute one and the same instrument. Copies of signatures sent by facsimile transmission or scanned and sent by email are deemed to be originals for purposes of execution and proof of this Agreement.

IN WITNESS WHEREOF, the Parties have executed this BA Agreement as of the date of the last signature below.

__________________________

By: _______________________

Name: _____________________

Title: ______________________

Date: _____________________

TOPOGRAPHY HEALTH, INC.

By: _______________________

Name: _____________________

Title: ______________________

Date: ______________________