PanelRoute Diagnostics

Business Associate Agreement — PanelRoute Diagnostics Platform

This Business Associate Agreement (this "Agreement") is entered into by and between the legal entity identified by Provider during account registration ("Covered Entity") and OralOnly LLC, a Delaware limited liability company doing business as PanelRoute Diagnostics ("Business Associate" or "OralOnly"). This Agreement is effective as of the date Covered Entity accepts it by checking the acceptance box during account registration (the "Effective Date").

Recitals

A. Covered Entity and Business Associate have entered, or will enter, into one or more service arrangements (collectively, the "Underlying Agreement") under which Business Associate provides services to Covered Entity that involve the creation, receipt, maintenance, or transmission of Protected Health Information.

B. The parties enter into this Agreement to comply with the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, the "HIPAA Rules"), and applicable state law.

NOW, THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

1. Definitions

Capitalized terms used in this Agreement and not otherwise defined have the meanings set forth in the HIPAA Rules. The following definitions are provided for clarity:

(a) "Breach" has the meaning set forth at 45 C.F.R. § 164.402.

(b) "Designated Record Set" has the meaning set forth at 45 C.F.R. § 164.501.

(c) "Electronic Protected Health Information" or "ePHI" has the meaning set forth at 45 C.F.R. § 160.103.

(d) "Individual" has the meaning set forth at 45 C.F.R. § 160.103 and includes any person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).

(e) "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

(f) "Protected Health Information" or "PHI" has the meaning set forth at 45 C.F.R. § 160.103, limited to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.

(g) "Required by Law" has the meaning set forth at 45 C.F.R. § 164.103.

(h) "Secretary" means the Secretary of the U.S. Department of Health and Human Services or any officer or employee to whom authority has been delegated.

(i) "Security Incident" has the meaning set forth at 45 C.F.R. § 164.304.

(j) "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.

(k) "Subcontractor" has the meaning set forth at 45 C.F.R. § 160.103.

(l) "Unsecured PHI" has the meaning set forth at 45 C.F.R. § 164.402.

2. Permitted Uses and Disclosures of PHI

2.1 Generally. Business Associate may use or disclose PHI only as: (a) necessary to perform its obligations under the Underlying Agreement; (b) Required by Law; or (c) otherwise permitted by this Agreement and the HIPAA Rules.

2.2 Specifically Permitted Uses and Disclosures. Business Associate may:

(a) Use PHI for its proper management and administration or to carry out its legal responsibilities;

(b) Disclose PHI for its proper management and administration, or as Required by Law, provided that any such disclosure is made only if (i) the disclosure is Required by Law, or (ii) Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the recipient, and that the recipient will notify Business Associate of any breach of confidentiality;

(c) Provide Data Aggregation services relating to the Health Care Operations of Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B); and

(d) De-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c) and use or disclose the resulting de-identified information for any lawful purpose.

2.3 Prohibited Uses and Disclosures. Business Associate shall not:

(a) Use or disclose PHI other than as permitted by this Agreement or Required by Law;

(b) Use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted by Sections 2.2(a)–(c);

(c) Sell PHI or use or disclose PHI for marketing in violation of 45 C.F.R. §§ 164.502(a)(5) and 164.508; or

(d) Receive direct or indirect remuneration in exchange for PHI except as permitted by HIPAA.

3. Obligations of Business Associate

3.1 Safeguards. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards, and shall comply with the Security Rule with respect to ePHI, to prevent any use or disclosure of PHI not permitted by this Agreement.

3.2 Minimum Necessary. When using, disclosing, or requesting PHI, Business Associate shall limit the PHI to the minimum necessary to accomplish the intended purpose, consistent with 45 C.F.R. § 164.502(b) and any guidance issued by the Secretary.

3.3 Reporting Improper Use or Disclosure. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement of which Business Associate becomes aware, without unreasonable delay and in no event later than ten (10) business days after discovery.

3.4 Security Incidents. Business Associate shall report Security Incidents involving ePHI as set forth in Section 3.3. The parties acknowledge and agree that unsuccessful attempts to access ePHI (including, without limitation, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the foregoing that do not result in actual unauthorized access, use, or disclosure of ePHI) occur routinely, and that this Section 3.4 serves as notice of such unsuccessful attempts. No additional notice of any such unsuccessful attempt is required.

3.5 Breach Notification. Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) calendar days after discovery. Notice shall be sent to the email address on file for Covered Entity's account. To the extent known and available at the time of the notification (or as soon thereafter as the information becomes available), the notification shall include:

(a) Identification of each Individual whose Unsecured PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;

(b) A description of the nature of the Breach, including the date of the Breach and the date of discovery;

(c) A description of the types of Unsecured PHI involved (e.g., full name, Social Security number, date of birth, diagnosis);

(d) Any steps the affected Individuals should take to protect themselves from potential harm; and

(e) A description of what Business Associate has done or plans to do to investigate the Breach, mitigate harm, and prevent recurrence.

3.6 Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.

3.7 Subcontractors. Business Associate shall require that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agree in writing to restrictions, conditions, and requirements that are at least as stringent as those that apply to Business Associate under this Agreement, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2).

3.8 Access by Individuals. Within fifteen (15) business days of a written request by Covered Entity, Business Associate shall make available PHI in a Designated Record Set to Covered Entity (or, as directed by Covered Entity, to the Individual or the Individual's designee) as necessary for Covered Entity to comply with the access requirements at 45 C.F.R. § 164.524.

3.9 Amendment. Within thirty (30) business days of a written request by Covered Entity, Business Associate shall make available PHI for amendment and shall incorporate any amendments as directed by Covered Entity in order to enable Covered Entity to comply with 45 C.F.R. § 164.526.

3.10 Accounting of Disclosures. Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures under 45 C.F.R. § 164.528. Within thirty (30) business days of a written request by Covered Entity, Business Associate shall provide the documented disclosures to Covered Entity or, as directed, to the Individual.

3.11 Access to Records by Secretary. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules.

3.12 Compliance with Covered Entity Obligations. To the extent Business Associate is to carry out any obligation of Covered Entity under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.

3.13 Direct Liability. Business Associate acknowledges that, under HITECH and the HIPAA Rules, it is directly liable for compliance with applicable provisions of the HIPAA Rules and may be subject to civil and criminal penalties for violations.

4. Obligations of Covered Entity

4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity's Notice of Privacy Practices under 45 C.F.R. § 164.520 to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

4.2 Restrictions and Revocations. Covered Entity shall notify Business Associate of: (a) any restriction on the use or disclosure of PHI to which Covered Entity has agreed under 45 C.F.R. § 164.522; and (b) any changes in, or revocation of, an Individual's permission or authorization to use or disclose PHI, in each case to the extent any of the foregoing may affect Business Associate's use or disclosure of PHI.

4.3 Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except where Business Associate is permitted by this Agreement to use or disclose PHI for its proper management and administration, Data Aggregation, or as Required by Law.

4.4 Authorizations and Consents. Covered Entity is responsible for obtaining any Individual consent, authorization, or notice required by law for Business Associate to perform under the Underlying Agreement.

5. Term and Termination

5.1 Term. This Agreement is effective as of the Effective Date and continues until terminated as set forth in this Section 5 or until the Underlying Agreement terminates, whichever is later.

5.2 Termination for Cause. Upon either party's knowledge of a material breach by the other party of this Agreement, the non-breaching party shall: (a) provide the breaching party with thirty (30) days' written notice and an opportunity to cure; (b) if cure is not possible or not made within such period, terminate this Agreement and the Underlying Agreement; or (c) if termination is infeasible, report the breach to the Secretary.

5.3 Effect of Termination – Return or Destruction of PHI. Upon termination of this Agreement for any reason, Business Associate shall, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity, including any PHI maintained by any Subcontractor. Business Associate shall retain no copies of such PHI.

5.4 Infeasibility. If return or destruction of PHI is not feasible, Business Associate shall: (a) provide Covered Entity with a written explanation of the conditions that make return or destruction infeasible; (b) extend the protections of this Agreement to the retained PHI; and (c) limit further uses and disclosures of the retained PHI to those purposes that make return or destruction infeasible, for so long as Business Associate retains the PHI.

6. General Provisions

6.1 Regulatory Amendment. The parties agree to amend this Agreement from time to time as necessary for the parties to comply with the requirements of the HIPAA Rules and other applicable law.

6.2 Survival. Sections 5.3, 5.4, and any other provisions that by their nature are intended to survive termination of this Agreement shall survive.

6.3 Interpretation. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the HIPAA Rules. In the event of any inconsistency between this Agreement and the Underlying Agreement with respect to PHI, this Agreement controls.

6.4 No Third-Party Beneficiaries. Nothing in this Agreement is intended to confer, nor shall it be deemed to confer, any rights or remedies on any person other than the parties.

6.5 Notices. All notices required or permitted under this Agreement shall be in writing. Notices to Business Associate shall be sent to legal@panelroute.com with a copy by U.S. mail to OralOnly LLC, 5500 Sunrise Highway, Unit 50, Suite #1074, Massapequa, NY 11758. Notices to Covered Entity shall be sent to the email address on file for Covered Entity's account.

6.6 Governing Law. Except to the extent preempted by federal law, this Agreement shall be governed by the laws of the State of Delaware, without regard to its conflict of laws principles.

6.7 Entire Agreement. This Agreement, together with the Underlying Agreement, constitutes the entire agreement between the parties with respect to the subject matter and supersedes all prior agreements or understandings on the subject.

6.8 Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

7. Electronic Acceptance

7.1 Clickthrough Acceptance. Covered Entity accepts this Agreement by (a) entering Covered Entity's legal name, address, and authorized signatory information into the account registration form, and (b) checking the box indicating agreement to this Business Associate Agreement. Such electronic acceptance constitutes a binding signature under the federal Electronic Signatures in Global and National Commerce Act (E-SIGN), the Uniform Electronic Transactions Act (UETA), and applicable state law, and has the same legal effect as a handwritten signature.

7.2 Authority of Signatory. The individual accepting this Agreement on behalf of Covered Entity represents and warrants that he or she is authorized to bind Covered Entity to this Agreement and that all information provided during registration is true, accurate, and complete.

7.3 Record of Acceptance. Business Associate will maintain a record of Covered Entity's acceptance, including the legal entity name, address, authorized signatory's name and title, IP address, and date and time of acceptance. A copy of this record is available to Covered Entity upon written request.

7.4 Counterpart Execution by Business Associate. Business Associate has executed this Agreement by making it available for electronic acceptance through the PanelRoute Diagnostics platform; no further signature by Business Associate is required.

[End of Business Associate Agreement]