Experity Business Associate Agreement
Experity is continuing to invest in capabilities that make it easier for clinics to deliver faster, more connected patient experiences across the care journey. To support that work, we need to update our Business Associate Agreement. Please read through the new agreement below and acknowledge at the bottom.
This Business Associate Agreement Addendum (“Agreement“) is entered into as of the date of the service order (the “Service Order”) to which it is attached and incorporated (the “Effective Date”) by and between Experity (“Business Associate”) and Client (“Covered Entity”) to comply with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and their implementing regulations, including the Privacy Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E (“Privacy Rule”), the Security Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160, 162 and 164, subpart C (“Security Rule”), the Breach Notification Standards adopted by the U.S. Department of Health and Human Services, as they may be amended from time to time, at 45 C.F.R. part 164, subpart D (“Breach Notification Rule”), as well as related state laws and/or regulations (collectively, the “HIPAA Rules”). This Agreement is governed by the Agreement. Business Associate and Covered Entity may also each be referred to herein as a “Party” and collectively as the “Parties”.
1. DEFINITIONS.
1.1. Unless otherwise provided, all capitalized terms in this Agreement will have the same meaning as provided under the HIPAA Rules.
1.2. Protected Health Information or PHI. Protected Health Information (“PHI”), as defined by the Privacy Rule, for this Agreement means PHI that is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate pursuant to the Agreement.
1.3. Services. “Services” means the software, hosting, patient engagement, analytics, communication tools, and related services provided by Business Associate to Covered Entity and its patients as described in the applicable Service Order.
2. PERMISSIBLE USES AND DISCLOSURES BY BUSINESS ASSOCIATE
2.1. General Rule. Business Associate may use and disclose PHI only as permitted or required by this Agreement or as required by Applicable Law.
2.2. Provision of Services. Business Associate may use and disclose PHI as reasonably necessary to provide the Services described in the applicable Service Order, including software, clinical workflow, communication, patient engagement, analytics, and administrative services to Covered Entity and its patients.
2.3. Operations, Improvement, and Development. Business Associate may use PHI to develop, test, improve, maintain, and enhance the Services and related technologies, including for purposes of quality improvement, care coordination, analytics, training algorithms, and operational efficiency.
2.4. Management and Administration. Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate and to carry out its legal responsibilities, provided that disclosures are made only as permitted under 45 C.F.R. § 164.504(e)(4).
2.5. Data Aggregation. Business Associate may use PHI to provide Data Aggregation services as permitted under 45 C.F.R. § 164.504(e)(2)(i)(B).
2.6. De-identified Information. Business Associate may de-identify PHI in accordance with the HIPAA Rules and may use and disclose such de-identified information without restriction.
2.7. Limited Data Sets. Business Associate may create and use Limited Data Sets in accordance with the HIPAA Rules, subject to a compliant Data Use Agreement where required.
2.8. Patient Engagement and Communications. Business Associate may use and disclose PHI to provide patient engagement, communication, and digital health services on behalf of Covered Entity, including messaging, reminders, intake workflows, portals, and telehealth interactions.
2.9. Reporting Violations of Law. Business Associate may use PHI to report violations of law to appropriate authorities consistent with 45 C.F.R. § 164.502(j).
3. OBLIGATIONS OF BUSINESS ASSOCIATE.
3.1. Compliance with Laws. Business Associate agrees to comply with the provisions of the HIPAA Rules that are applicable to Business Associate.
3.2. Use and Disclosure of PHI. Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or by Applicable Law.
3.3. Safeguards. Business Associate shall maintain appropriate safeguards to ensure that PHI is not used or disclosed in violation of this Agreement or Applicable Law. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity and shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to such electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this Agreement.
3.4. Disclosure to Agents and Subcontractors. If Business Associate discloses PHI received from Covered Entity or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, to agents, including a subcontractor, Business Associate shall, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agents or subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to such information. Business Associate shall ensure that any such agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Business Associate or Covered Entity.
3.5. Minimum Necessary. Business Associate agrees to make reasonable efforts to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purposes, consistent with Business Associate’s policies and procedures. Business Associate may apply the minimum necessary standard in a manner consistent with the technical and operational requirements of developing, testing, improving, and maintaining the Services.
3.6. Individual Rights. Business Associate agrees as follows:
3.6.1. Individual Right to Copy or Inspection. To the extent Business Associate or its agents or subcontractors maintains PHI in a Designated Record Set, if an Individual makes a request for access directly to Business Associate, Business Associate will within fifteen (15) business days forward such request in writing to Covered Entity. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Business Associate will not release PHI until it has received a determination from Covered Entity and documented such determination, except as required by Applicable Law.
3.6.2. Amendment of an Individual’s PHI or Record. To the extent Business Associate or its agents or subcontractors maintains PHI in a Designated Record Set, if an Individual makes a request for an amendment of his or her PHI or record directly to Business Associate, Business Associate will within fifteen (15) business days forward such request in writing to Covered Entity, and Business Associate will incorporate any such amendment upon written request from Covered Entity. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment, and except as required by Applicable Law Business Associate will make no such determinations.
3.6.3. Accounting of Disclosures. Business Associate agrees to maintain documentation of the information required to provide an Accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528, and to make this information available to Covered Entity upon Covered Entity’s request, in order to allow Covered Entity to respond to an Individual’s request for Accounting of Disclosures. Such accounting is limited to disclosures that were made in the six (6) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule). Such accounting is further limited to disclosures that were made in the three (3) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule) to the extent that the purpose of such accounting is to permit Covered Entity to respond to a request by an Individual for an Accounting of Disclosures of PHI through an Electronic Health Record, as the term is defined in section 13400 of HITECH, made to carry out Treatment, Payment and Health Care Operations as provided in 45 C.F.R. §164.506. Notwithstanding the above, any such accounting shall be provided only for as long as Business Associate maintains the PHI. If an Individual requests an Accounting of Disclosures directly from Business Associate, Business Associate will forward the request and its Disclosure record to Covered Entity within fifteen (15) business days of Business Associate’s receipt of the Individual’s request. Covered Entity will be responsible for preparing and delivering the accounting to the Individual. Except as required by law, Business Associate will not provide an Accounting of Disclosures directly to any Individual.
3.7. Internal Practices, Policies and Procedures. Except as otherwise specified herein, Business Associate shall make available its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received on behalf of, Covered Entity to the Secretary or his or her agents or authorized designees for the purpose of determining Covered Entity’s compliance with the HIPAA Rules.
3.8. Withdrawal of Authorization. If the use or disclosure of PHI in this Agreement is based upon an Individual’s specific authorization for the use or disclosure of his or her PHI, and the Individual revokes such authorization, such authorization has expired, or such authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has received notice from Covered Entity pursuant to Section 4.1 herein of such revocation, expiration, or invalidity, cease the use and disclosure of the Individual’s PHI except to the extent it has relied on such use or disclosure, or if an exception under the HIPAA Rules expressly applies.
3.9. Security Incident. Business Associate agrees to report to Covered Entity any Security Incident of which Business Associate becomes aware. The parties agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted Unsuccessful Security Incidents. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
3.10. Use or Disclosure of PHI Not Provided for by this Agreement. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware.
3.11. Breaches of Unsecured PHI. Business Associate will report in writing to Covered Entity any Breach of Unsecured Protected Health Information of which it becomes aware, as required at 45 C.F.R. § 164.410, within fifteen (15) business days of the date Business Associate learns of the incident giving rise to the breach.
4. OBLIGATIONS OF COVERED ENTITY.
4.1. Changes in Authorization. Covered Entity shall inform Business Associate, in writing and in a timely manner, of any changes in, or withdrawal of, any authorization provided to Covered Entity by any Individual pursuant to 45 CFR § 164.508, to the extent that such changes or withdrawal may affect Business Associate’s use or disclosure of PHI. In addition, Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity shall provide Business Associate with its notice of privacy practices for PHI as identified in 45 CFR § 164.520, and Covered Entity shall notify Business Associate, in writing and in a timely manner, of any limitation(s) in its notice of privacy practices, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Covered Entity shall notify Business Associate of any breach by Covered Entity of any obligation under the HIPAA Rules as such breach relates to PHI as defined herein within five (5) business days of such breach. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, and Business Associate is not required to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
4.2. Minimum Necessary. Covered Entity shall disclose to Business Associate only the “Minimum Necessary” amount of PHI for Business Associate to perform the Services and its rights and obligations under this Agreement, and only in compliance with the HIPAA Rules.
5. TERM AND TERMINATION.
5.1. Term. The Term of this Agreement shall be effective as of the date last executed below and shall continue until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or this Agreement is terminated pursuant to this Section 5.
5.2. Termination for Breach. Either Party may terminate this Agreement upon written notice to the other Party if the non-breaching Party determines that the other Party or its subcontractors or agents has breached a material term of this Agreement, provided that the non-breaching Party will first provide the other Party with written notice of the breach of this Agreement and afford the other Party the opportunity to cure the breach within forty-five (45) days of the date of such notice. If the other Party or any of its subcontractors or agents fails to timely cure the breach, the non-breaching Party may terminate this Agreement.
5.3. Termination due to Termination of Services Agreement. The Parties agree that, in the event the Parties cease to have a services agreement in place between them, this Agreement shall terminate, other than the obligation to either return or destroy all PHI, which obligation shall survive termination of this Agreement.
5.4. Effect of Termination. Upon termination of this Agreement for any reason, Business Associate agrees to return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, maintained by Business Associate in any form and to retain no copies. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and Business Associate shall limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI.
6. MISCELLANEOUS.
6.1. Survival. Except as set forth in specific Sections of this Agreement, the respective rights and obligations of the Parties under this Agreement shall survive the termination of this Agreement and shall continue for so long as Business Associate or its Subcontractors maintain PHI.
6.2. Amendments. This Agreement may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto. The Parties, however, agree to amend this Agreement from time to time as necessary to comply with the HIPAA Rules.
6.3. Choice of Law, Venue, and Waiver of Jury Trial. This Agreement and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the State of Illinois without regard to its conflict of laws principles. Venue for any action concerning this Agreement shall be in the state or federal court having jurisdiction over Winnebago County, Illinois. THE PARTIES KNOWINGLY, UNCONDITIONALLY, AND ABSOLUTELY WAIVE THE RIGHT TO A JURY TRIAL WITH RESPECT TO ANY CLAIMS ARISING FROM THIS AGREEMENT.
6.4. Assignment of Rights and Delegation of Duties. This Agreement is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns. Neither Party may assign any of its rights or delegate any of its obligations under this Agreement without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed. Notwithstanding any provisions to the contrary, however, Business Associate retains the right to assign or delegate any of its rights or obligations hereunder to any of its wholly owned subsidiaries, affiliates or successor companies.
6.5. No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of this Agreement may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.
6.6. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules. The provisions of this Agreement shall prevail over the provisions of any other prior agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Agreement or the HIPAA Rules, unless otherwise explicitly set forth in such agreement.
6.7. Regulatory References. A citation in this Agreement to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time.
6.8. Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same document. In making proof of this Agreement, it shall not be necessary to produce or account for more than one such counterpart executed by the party against whom enforcement of this Agreement is sought. Signatures to this Agreement transmitted by facsimile transmission, by electronic mail in portable document format (“.pdf”) form, or by any other electronic means intended to preserve the original graphic and pictorial appearance of a document, will have the same force and effect as physical execution and delivery of the paper document bearing the original signature.
6.9. Notices. Any notices pertaining to this Agreement shall be given in accordance with the notice provision set forth in the Service Order.