BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (the “Agreement) is effective as of the date of the purchase and is made by and between Lasso MD, Inc., (“Business Associate”) and the purchasing entity (“CoveredEntity”) (Covered Entity and Business Associate are, at times, hereinafter referred to jointly as the “Parties”).

WHEREAS, Covered Entity is subject to the HIPAA Privacy Rule, the HIPAA Security Rule, and the HITECH Act and its implementing regulations (collectively “HIPAA Regulations”);

WHEREAS, Business Associate provides certain marketing and administrative services to CoveredEntity pursuant to the Services Agreement between the Parties dated as of the purchase date (the “Services Agreement”);

WHEREAS, in connection with Business Associate’s performance of services for Covered Entity,Business Associate will create and receive health information related to an Individual that constitutesProtected Health Information within the meaning of the HIPAA Privacy Rule and the HIPAA Security Rule;

WHEREAS, this Agreement is intended to ensure that Business Associate has established and implemented safeguards for, and otherwise comply with its obligations related to, such Protected HealthInformation is consistent with HIPAA and the HIPAA Regulations.

NOW THEREFORE, in consideration of the mutual promises and obligations set forth below, the adequacy and sufficiency of which hereby are acknowledged, the Parties agree as follows:

I. Catch-all Definitions. The following terms used in this Agreement shall have the same meaning as set forth in the HIPAA Rules: Breach, Designated Record Set, Disclosure, Health CareOperations, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (“PHI”),Required By Law, Secretary, Subcontractor, Unsecured Protected Health Information, and Use.

II. Specific Definition.

• “C.F.R.” means the Code of Federal Regulations. A reference to a C.F.R. section means that section as amended from time to time; provided that if future amendments change the designation of a section referred to herein, or transfer a substantive regulatory provision referred to herein to a different section, the section references herein shall be deemed to be amended accordingly.
• “Data Aggregation Services” means Business Associate’s combining of Protected HealthInformation received from, or created on behalf of, two or more covered entities to permit data analysis related to any of the covered entities whose Protected Health Information is being analyzed.
• “De-identified Information” means health information, stripped of identifiers as required by theHIPAA Privacy Rule, that does not identify the Individual, and with respect to which there is no reasonable basis to believe that the Individual could be identified.
• “Discover,” with respect to a Security Event, means knowledge by any member of BusinessAssociate’s workforce (as defined in 45 C.F.R. 160.103) — other than the person responsible for the Security Event — that the Security Event has occurred.
• “HIPAA Privacy Rule” means the Standards for Privacy of Individually Identifiable HealthInformation, codified at 45 C.F.R. Parts 160 and 164, Subparts A and E, as authorized by the HealthInsurance Portability and Accountability Act of 1996 (“HIPAA”).
• “HIPAA Security Rule” means the Security Standards for Protected Health Information, codified at45 C.F.R. pts. 160, 162, and 164, as authorized by HIPAA.
• HITECH Act means Health Information Technology for Economic and Clinical Health Act.
• “Individual” means any person who is a patient or customer of Covered Entity and who is the subject of PHI maintained by, or on behalf of, Covered Entity.
• “Security Event” means (i) unauthorized access to, or acquisition, use, disclosure, modification or destruction, of Covered Entity’s unsecured PHI, whether in paper or electronic form; or (ii) the attempted or successful interference with system operations in an information system containingCovered Entity’s PHI. The term does not include (1) disclosure of PHI to an unauthorized person in circumstances where that person would not reasonably have been able to retain the information; or (2) good faith unintentional access to, or acquisition or use of, PHI by Business Associate’s employees, agents or subcontractors in the course of such person’s performance of services authorized by the Services Agreement provided that such PHI is not further accessed, acquired, used, or disclosed by any person.

III. Business Associate’s Use And Disclosure Of PHI

A. Services Provided. Business Associate agrees to create, use, maintain, receive, disclose and request PHI: (1) only to the Minimum Necessary extent to provide services on behalf of CoveredEntity consistent with the Services Agreement; and (2) only in a manner that is consistent with theHIPAA Regulations and applicable state law. Business Associate agrees not to use or discloseProtected Health Information, other than as permitted or required by this Agreement, or as Required by Law.

B. Proper Management And Administration Of Business Associate.

1. Business Associate may use PHI for its own proper management and administration or to carry out its legal responsibilities.
2. Business Associate may disclose PHI for its own proper management and administration, or to carry out its legal responsibilities, if (a) the disclosure is Required By Law, or (b)Business Associate obtains reasonable assurances that the person or entity to whom PHI is disclosed under this paragraph will (i) maintain the confidentiality of the information disclosed, (ii) use or further disclose such information only as Required By Law or for the purpose for which it was disclosed to such person, and (iii) immediately notify BusinessAssociate of any Security Event.

C. Data Aggregation & De-Identification. Except as otherwise limited in this Agreement, BusinessAssociate may use Protected Health Information to provide Data Aggregation services to CoveredEntity or to de-identify Protected Health

IV. Business Associate’s Duties Regarding The Exercise Of Individual Rights

• Access to Individuals. Business Associate agrees to provide individuals with access to theirProtected Health Information, as held in a Designated Record Set by Business Associate, in order to meet the requirements under 45 CFR 164.524.
• Amendment of Protected Health Information. Business Associate agrees to make any amendment(s) to Protected Health Information it holds in a Designated Record Set, as directed by the Covered Entity pursuant to 45 CFR 164.526.
• Accounting of Disclosures. Business Associate agrees to document and provide a description of any disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. BusinessAssociate agrees to provide such information to Covered Entity, or to an Individual at the direction of the Covered Entity, in order for Covered Entity to comply with the accounting requirements in 45CFR 164.528.
• Covered Entity's Right to Restrict. Business Associate agrees to comply, upon communication byCovered Entity, with any restrictions to the use or disclosure of Protected Health Information thatCovered Entity has agreed to in accordance with 45 CFR 164.522.
• Demands To Produce PHI Directed To Business Associate. Business Associate shall (1) immediately notify Covered Entity of any judicial or administrative order, subpoena, civil discovery 3request or other legal process requiring or requesting that Business Associate produce PHI; and (2) before responding to any such request, permit Covered Entity adequate time to exercise its legal options to prohibit or limit disclosure of PHI.

Business Associate’s Duties Regarding Safeguards For PHI

A. Safeguards. Business Associate shall implement technical, physical, and administrative safeguards for PHI — that are appropriate to Business Associates’ size, the complexity of its operations and the nature and scope of its activities — to protect against reasonably foreseeable risks to the security, confidentiality and integrity of PHI which risks could result in the unauthorized disclosure, use, alteration or destruction of PHI. Business Associate will comply with the requirements contained in parts 164.308 (Administrative Safeguards), 164.310 (PhysicalSafeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures) of theHIPAA Security Rule.

B. Business Associate’s Agents And Subcontractors. Business Associate shall obtain reasonable assurances in writing from any agent or subcontractor to whom Business Associate discloses PHI, or who creates or receives PHI on Business Associate’s behalf, that the agent or subcontractor (i)will comply with the restrictions and conditions on the use and disclosure of PHI which thisAgreement imposes on Business Associate, (ii) will implement reasonable and appropriate safeguards to protect Covered Entity’s PHI received from Business Associate, and (iii) will promptly notify Business Associate of any Security Breach involving Covered Entity’s PHI. BusinessAssociate will not disclose PHI to any agent or subcontractor except as permitted by thisAgreement.

C. Security Event. Business Associate agrees to report to Covered Entity any Security Event under the HIPAA Privacy & Security Rules of which it becomes aware, including the identities of any individual whose Electronic Protected Health Information was breached.

D. Responsibilities If Security Breach. Business Associate shall notify Covered Entity immediately if there is a breach by either Business Associate or one of its agents of unsecured protected health information, as defined in, and consistent with, the HITECH Act and any regulations or guidance issued thereunder, including 45 CFR Part 164, Subpart D. Such notification shall:

1. Be made in writing to the Covered Entity's Privacy Officer.
2. Be made within ten (10) days of discovery.
3. Include the names of the individuals whose information was breached, the circumstances surrounding the breach, the date of the breach and date of discovery, the information breached, any steps the individuals should take to protect themselves, the steps BusinessAssociate (or its agent) is taking to investigate the breach, mitigate losses, and protect against future breaches, and a contact person for more information.

If requested by Covered Entity, Business Associate shall notify the individuals involved, or the media or the US Department of Health and Human Services, as applicable, in accordance with theHITECH Act, and regulations or guidance issued thereunder, including 45 CFR Part 164, SubpartD. For purposes of this provision, Business Associate is considered an independent contractor ofCovered Entity.

E. Mitigation Of Damages By Business Associate. Business Associate agrees to take measures reasonably necessary to mitigate the known harmful effects of an unauthorized use of disclosure of PHI, Security Incident, or Security Breach..

F. Internal Practices. Business Associate agrees to make its internal practices, books, and records, including, but not limited to, policies and procedures and information relating to the use and 4disclosure of Covered Entity’s PHI, available in response to the Secretary’s written request or a subpoena so that the Secretary may evaluate Covered Entity’s compliance with the HIPAARegulations. Such access to, or production of, information shall be made within the time frame established by the Secretary, or any agreed-to extension thereof. Business Associate shall notifyCovered Entity of any such request by the Secretary within three business days of receiving the request

VI. Covered Entity’s Obligations

A. Notice Of Privacy Practices. Covered Entity will, upon Business Associate’s request, provideBusiness Associate with the notice of privacy practices (“Notice”) applicable to Covered Entity under 45 C.F.R. pt. 164.520 and with any changes to the Notice that may affect BusinessAssociate’s use or disclosure of PHI. Business Associate shall act promptly upon notification of such changes to ensure that its uses and disclosures of PHI comply with the Notice and that its own internal policies and procedures comply with the Notice as well.

B. Notice Of Changes In, Or Revocation Of, Authorizations. Covered Entity shall notify BusinessAssociate of any changes in, or revocation of, an Individual’s authorization to use or disclose PHIto the extent the change may affect Business Associate’s use or disclosure of PHI. BusinessAssociate shall act promptly upon notification of any such change to ensure that its uses and disclosures of PHI comply with the change.

C. Notice Of Restrictions. Covered Entity shall notify Business Associate of any restriction upon the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. pt.164.522 to the extent the restriction may relate to PHI used or disclosed by Business Associate.Business Associate shall act promptly upon notification of any such restriction to ensure that its uses and disclosures of PHI comply with the restriction.

VII. Term and Termination

A. Term. This Agreement shall become effective on the effective date stated on page 1, above. ThisAgreement shall remain in effect until termination of the Services Agreement, unless terminated sooner pursuant to paragraph VI.B below.

B. Termination. This Agreement shall remain in effect for the term of the applicable ServiceAgreement. Upon termination of the Service Agreement, Business Associate will retain no copies of the Protected Health Information and will return or destroy the same. If such return or destruction is not feasible, Business Associate will continue to extend the protections afforded to ProtectedHealth Information hereunder. This provision also applies to Protected Health Information that is in the possession of subcontractors or agents of Business Associate.

C. Termination for Cause. Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity is authorized to terminate this Agreement and the ServiceAgreement.

VIII. Notices/Supplying Information

Except as stated otherwise in this Agreement, any notice or information required, or permitted to be provided, by this Agreement shall be given in writing (except where oral notice is expressly permitted).

IX. Miscellaneous

A. Construction. The Services Agreement and this Agreement shall be interpreted to permit theParties to comply with HIPAA and the HIPAA Regulations.

B. Entire Agreement; Relationship To Other Agreements. This Agreement contains the entire understanding of Covered Entity and Business Associate with respect to the subject matter of thisAgreement. In the event of any inconsistency between the terms of this Agreement or any other agreement including the Services Agreement, this Agreement supersedes all other agreements, whether written, oral or implied, regarding the subject matter of the Agreement.5

C. Indemnification. Business Associate shall defend and indemnify Covered Entity from any and all claims, inquiries, investigations, costs, reasonable attorneys’ fees, monetary penalties, and damages incurred by them as a result of any breach of this Agreement by Business Associate.Covered Entity shall defend and indemnify Business Associate and its representatives for any and all claims, inquiries, investigations, costs, reasonable attorneys’ fees, monetary penalties, and damages incurred by Business Associate and its representatives as a result of any breach of thisAgreement by Covered Entity.This paragraph shall survive the termination of this Agreement.

D. Modification. This Agreement may be modified only by a writing signed by the Parties. The Parties agree to amend this Agreement and/or the Services Agreement from time to time as may be necessary to permit Covered Entity to remain in compliance with the HIPAA and the HIPAARegulations.

E. Waiver. No provision of this Agreement, or any breach thereof, shall be deemed waived unless such waiver is in writing and signed by the party claimed to have waived such provision or breach.No waiver of a breach shall waive or excuse any different or subsequent breach.

F. Assignment. This Agreement may not be assigned without the consent of all parties to thisAgreement.

G. Severability. Any provision of this Agreement that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of the Agreement’s remaining provisions.

H. No Third-Party Beneficiaries. No third party shall be considered a third-party beneficiary under thisAgreement, nor shall any third party have any rights as a result of this Agreement.

I. Nature Of Agreement. Nothing in this Agreement shall be construed to create (1) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, or (2)a relationship of employer and employee between the Parties. This Agreement does not express or imply any commitment to purchase or sell goods or services.

J. Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same document. In making proof of this Agreement, it shall not be necessary to produce or account for more than one such counterpart executed by the party against whom enforcement of this Agreement is sought.

IN WITNESS WHEREOF, and intending to be legally bound, the Parties agree to this agreement through the purchase of services.