BUSINESS ASSOCIATE AGREEMENT

 

This Business Associate Agreement (“Agreement”) is by and between BrainCheck, Inc. (“Business

Associate”) and the other party (“Covered Entity”) that signed the applicable Order Form (the

“Order”), and is effective as of the effective date of the Order (the “Effective Date”). Covered

Entity and Business Associate are sometimes individually referred to as a “Party” and

collectively as the “Parties”.

 

RECITALS

 

Covered Entity is a “covered entity” as defined in the Health Insurance Portability and Accountability Act

of 1996 and the regulations promulgated thereunder (“HIPAA”), and as described in the Health

Information Technology for Economic and Clinical Health Act (“HITECH”) provisions of the American

Recovery and Reinvestment Act of 2009 (“ARRA”); and

Business Associate provides a SaaS-based platform for conducting certain cognitive assessments, care

planning and other related remote processing services (collectively, the “Services”) for Covered Entity

under the terms of an order form and general terms and conditions, the performance of which involves the

creation, receipt, maintenance, or transmission of certain Protected Health Information, as defined in 45

CFR 160.103 and limited to the protected health information (“PHI”) created or received by Business

Associate from or on behalf of Covered Entity; and

HIPAA requires that Covered Entity enter into written agreements with its business associates in order to

regulate the use and disclosure of certain PHI of Covered Entity’s patients; and

Covered Entity and Business Associate agree to enter into this Agreement under the terms and conditions

set forth herein to meet the applicable requirements for such business relationships under HIPAA.

BY CLICKING “I AGREE”, USING, OR ACCESSING ANY OF THE SERVICES, OR

OTHERWISE SIGNIFYING YOUR ACCEPTANCE OF THIS AGREEMENT, YOU

REPRESENT AND WARRANT THAT (A) YOU ARE AUTHORIZED TO ENTER THIS

AGREEMENT FOR AND ON BEHALF OF YOURSELF (AND YOUR ORGANIZATION), AND

ARE DOING SO, (B) YOU (AND YOUR ORGANIZATION) CAN LEGALLY ENTER INTO

THIS AGREEMENT AND (C) YOU HAVE READ AND UNDERSTAND AND AGREE THAT

YOU (AND YOUR ORGANIZATION) SHALL BE BOUND BY THE TERMS OF THIS

AGREEMENT.

1. Obligations of Business Associate

1.1 Permitted Uses and Disclosures of PHI. Business Associate shall use and disclose any PHI it may

receive from Covered Entity only to perform the Services and carry out the obligations of Business

Associate under this Agreement, subject to, and in accordance with, applicable federal and state laws,

including but not limited to HIPAA. Business Associate will only use or disclose the minimum necessary

PHI and will abide by Covered Entity’s policies and procedures relating to minimum use. Business

Associate may not use or disclose PHI in a manner that would violate HIPAA if done by a Covered

Entity, except as specifically set forth herein. Business Associate may also use or disclose PHI for the

 

proper management and administration of the Business Associate, for data aggregation services related to

the healthcare operations of Covered Entity, or to carry out its legal responsibilities, but only to the extent

any such disclosure is required by law or if (i) the Business Associate obtains reasonable assurances from

the person or entity to whom the information is disclosed that it will be held confidentially and used or

further disclosed only as required by law or for the purpose for which it was disclosed, and (ii) the person

or entity agrees to notify the Business Associate of any instances of which it is aware in which the

confidentiality of the information has been breached. To the extent Business Associate is to carry out any

obligation of Covered Entity under Subpart E of 45 CFR Part 164, Business Associate shall comply with

the requirements of Subpart E that apply to Covered Entity in the performance of such obligation.

Business Associate shall not use or further disclose PHI other than permitted or required by this

Agreement or as otherwise required by law.

Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to

the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in

accordance with Section 13405(b) of the HITECH Act and any related implementing regulations adopted

by the U.S. Department of Health and Human Services (including any replacing agency, “HHS”), for

each use or disclosure of PHI.

1.2 Safeguards. Business Associate shall implement and use appropriate administrative, physical and

technical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected

health information, to reasonably and appropriately protect the confidentiality, integrity, and availability

of the PHI and prevent the use or disclosure of PHI other than as set forth in this Agreement or as

permitted or required by law.

1.3 Reporting Disclosures of PHI. In the event Business Associate, its agents, employees or

contractors use or disclose PHI in violation of this Agreement, Business Associate shall report such use or

disclosure to Covered Entity promptly after Business Associate becomes aware of such violation,

including the circumstances surrounding the use or disclosure and a description of the PHI inappropriately

used or disclosed. Business Associate shall report to Covered Entity any security incident of which it

becomes aware. Business Associate agrees to notify Covered Entity in the event of any breach of

unsecured PHI held by or under the control of Business Associate, including the identity of the affected

individual(s) and all other relevant information, within three (3) business days of becoming aware of such

breach. Unless the context of the relationship specifically requires otherwise, the Parties disclaim any

agency relationship between Covered Entity and Business Associate.

1.4 Mitigation of Harmful Effects. Business Associate shall establish procedures for mitigating

harmful effects of any improper use or disclosure of PHI that Business Associate reports to Covered

Entity.

1.5 Third Party Agreements. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2),

Business Associate shall require all of its subcontractors and agents that create, receive, maintain,

transmit, use or have access to PHI under this Agreement to agree in writing to adhere to the same

restrictions, conditions and requirements applicable to the use or disclosure of such PHI as required

herein.

1.6 Access to Information. Within ten (10) business days of a request by Covered Entity for access to

PHI about an individual contained in a Designated Record Set (as defined in 45 C.F.R. 164.501) in

Business Associate’s possession, Business Associate shall make available to Covered Entity such PHI for

so long as such information is maintained in the Designated Record Set by Business Associate. In the

event any individual requests access to his or her own PHI directly from Business Associate, Business

Associate shall forward such request to Covered Entity upon receipt of same. Business Associate shall

 

reasonably cooperate with Covered Entity to provide an individual, at Covered Entity’s written direction,

with access to such individual’s PHI in Business Associate’s possession within ten (10) business days of

Business Associate’s receipt of written instructions from Covered Entity. Any denials of access to PHI

requested shall be the responsibility of Covered Entity.

1.7 Amendment of PHI. Business Associate agrees to make PHI in a Designated Record Set available

for amendment and to incorporate any appropriate amendments at the direction of and in the time and

manner designated by Covered Entity. Business Associate further agrees to forward to Covered Entity

any request for amendment of PHI made directly by an individual to Business Associate upon receipt of

such request, and take no action on such request until directed by Covered Entity.

1.8 Accounting of Disclosures. Business Associate agrees to document disclosures of PHI and

information related to such disclosures that were made after the Effective Date as would be required for

Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in

accordance with 45 CFR 164.528 and to provide Covered Entity with an accounting of such disclosures in

the time and manner designated by Covered Entity. Business Associate further agrees to forward to

Covered Entity any request for an accounting of disclosures of PHI made directly by an individual to

Business Associate upon receipt of such request. To the extent Business Associate maintains PHI in an

electronic health record, Business Associate agrees to account for all disclosures of such PHI upon the

request of an individual for a period of at least three (3) years prior to such request (but no earlier than the

Effective Date), as required by HITECH. Any such accounting shall be directly to the individual if

requested by Covered Entity.

1.9 Access to Books and Records. Business Associate agrees to make its internal practices, books,

and records relating to the use and disclosure of PHI available to HHS for purposes of determining

compliance with the requirements of HIPAA.

1.10 Obligations under ARRA. Business Associate acknowledges that it is subject to the security and

data breach provisions of HIPAA and agrees to abide thereby. Business Associate also agrees to abide by

all of the privacy provisions set forth in Title XIII, Subtitle D of ARRA, including without limitation

restrictions on marketing and sales of PHI and requirements relating to limited data sets and minimum

necessary disclosures.

1.11 HITECH Act Compliance. The Parties acknowledge that the HITECH Act includes significant

changes to HIPAA. The privacy subtitle of the HITECH Act sets forth provisions that significantly

change the requirements for business associates and the agreements between business associates and

covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and

guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS

regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to

modify this Agreement as reasonably necessary to comply with the HITECH Act and its regulations as

they become effective but, in the event that the Parties are unable to reach agreement on such a

modification, either Party will have the right to terminate this Agreement upon thirty (30) days’ prior

written notice to the other Party.

1.12 Data Ownership. Business Associate’s data stewardship does not confer data ownership rights on

Business Associate with respect to any PHI or other data shared with it under this Agreement, including

any and all forms thereof.

2. Obligations of Covered Entity

2.1 Changes to or Restrictions on Use or Disclosure of PHI. Covered Entity will promptly provide

 

Business Associate with any changes to, or revocation of, permission to use or disclose PHI if such

changes affect Business Associate’s permitted or required uses or disclosures. Covered Entity will further

notify Business Associate of any restriction to the use or disclosure of PHI agreed to by Covered Entity in

accordance with the provisions of 45 CFR 164.522, and any restriction requested by an individual with

which Covered Entity is required to comply in accordance with the provisions of HITECH.

2.2 Requested Uses or Disclosures of PHI. Covered Entity shall not request Business Associate to use

or disclose PHI in any manner inconsistent with state or federal law.

3. Term and Termination

3.1 Term. This Agreement shall be deemed effective on the Effective Date and shall continue in

effect until all obligations of the Parties have been met, unless otherwise terminated under the terms and

conditions set forth herein.

3.2 Termination for Cause.

(a) Upon Covered Entity’s knowledge of a material breach of this Agreement by Business

Associate, its agents or subcontractors, this Agreement and any underlying Order and services agreement

may be immediately terminated by Covered Entity, as provided under 45 CFR 164.504(e)(2)(iii). At its

option, Covered Entity may choose to (i) provide Business Associate with written notice of the existence

of a material breach of this Agreement; and (ii) permit Business Associate to cure the material breach

upon mutually agreeable terms. In the event Business Associate is afforded an opportunity and fails to

cure the breach in accordance with such mutually agreeable terms, this Agreement and any underlying

services agreement may be immediately terminated at the option of Covered Entity. In the event Covered

Entity violates its obligations under HIPAA in a manner related to this Agreement, Business Associate

shall provide Covered Entity with notice of such breach. If Covered Entity does not cure such breach

within a reasonable period of time, Business Associate may terminate this Agreement and any underlying

Order and services agreement.

3.3 Effect of Termination and Obligations of Business Associate Upon Termination. Upon

termination of this Agreement, Business Associate shall return or destroy all PHI created or received by

Business Associate, its agents and subcontractors to the extent feasible, without retaining any copies of

such PHI. If Business Associate determines that return or destruction of the PHI is not reasonably

feasible, Business Associate agrees to extend the protections of PHI under this Agreement and limit

further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible

until any such PHI has been returned or destroyed.

3.4 Survival. The obligations under Sections 1, 3.3, 4.1, 4.2, 4.7 and 4.8, and this Section 3.4 shall

survive the termination of this Agreement for any reason.

4. Miscellaneous Provisions

4.1 Definitions and Interpretation; Indemnification. All words used herein but not defined herein

shall have the meanings set out in HIPAA, and this Agreement shall be interpreted in such a fashion as to

cause the Parties to be in compliance with HIPAA.

4.2 Indemnification. Notwithstanding any other provision of the Agreement, Covered Entity and

Business Associate agree to indemnify, defend and hold harmless each other and each other’s respective

employees, directors, officers, subcontractors, agents or other members of its workforce, against all third

party actions, suits, claims, demands and prosecutions (“Claims”) arising (a) from or in connection with

any breach of this Agreement, any applicable law or of any warranty hereunder or (b) from any

 

negligence or wrongful acts or omissions, including failure to perform its obligations under HIPAA, by

the indemnifying Party or any of its subcontractors and agents except to the extent that any such Claim is

caused by or the result of: (a) any negligence or willful act or omission of an indemnified Party; or (b) an

indemnified Party’s failure to adhere to the breach of terms of this Agreement.

(b) Each Party shall promptly notify the other Party in writing of any Claim for which such

Party believes it is entitled to be indemnified pursuant to Section 4.2(a). The Party seeking

indemnification (the “Indemnified Party”) shall cooperate with the other Party (the “Indemnifying

Party”) at the Indemnifying Party’s sole cost and expense. The Indemnifying Party shall immediately

take control of the defense and investigation of such claim and shall employ qualified counsel to handle

and defend the same, at the Indemnifying Party’s sole cost and expense. The Indemnifying Party may not

settle any Claim that requires the Indemnified Party to admit responsibility or to pay any part of the

settlement without the Indemnified Party’s prior written consent, which consent will not be unreasonably

withheld. The Indemnified Party’s failure to perform any obligations under this Section 4.2(a) will not

relieve the Indemnifying Party of its obligations under this Section 4 except to the extent that the

Indemnifying Party can demonstrate that it has been materially prejudiced as a result of such failure. The

Indemnified Party may participate in and observe the proceedings at its own cost and expense with

counsel of its own choosing.

(c) The obligations under this Section 4.2 shall survive the expiration or termination of this

Agreement for any reason.

4.3 Assignment. Business Associate shall have the right to assign its rights or obligations under this

Agreement without the prior written consent of Covered Entity, and any such attempted assignment shall

be void except that Business Associate may assign this Agreement without consent in connection with a

merger, acquisition or sale of all or substantially all of that Party’s assets; provided that (a) Business

Associate notifies Covered Entity within five (5) business days of the closing of such merger, acquisition

or sale and (b) the assignee in the transaction agrees in writing to be bound by the terms of this

Agreement.

4.4 Amendment. This Agreement shall not be modified or amended except by a written document

executed by each of the Parties to this Agreement, and such written modification or amendment shall be

attached hereto.

4.5 Waiver of Provisions. Any waiver of any terms and conditions of this Agreement must be in

writing, and signed by both Business Associate and Covered Entity. The waiver of any of the terms and

conditions of this Agreement shall not be construed as a waiver of any other terms and conditions of the

Agreement.

4.6 Parties In Interest; No Third-Party Beneficiaries. Except as otherwise provided in this Agreement,

the terms and conditions of this Agreement shall inure to the benefit of and be binding upon the respective

heirs, legal representatives, successors and permitted assigns of the Parties to this Agreement. Neither this

Agreement nor any other agreement contemplated in this Agreement shall be deemed to confer upon any

person not a party to this Agreement any rights or remedies contained in this Agreement.

4.7 Governing Law. This Agreement, the rights and obligations of the Parties hereto, and the entire

relationship between the Parties relating hereto shall be governed by and construed and enforced in

accordance with HIPAA and the laws of the state of Texas, without regard to its conflict of law principles.

4.8 Notice. Whenever this Agreement requires or permits any notice, request, or demand from one

Party to another, the notice, request, or demand must be in writing to be effective and shall be deemed to

 

be delivered and received (i) if personally delivered or if delivered by national courier service, when

actually received by the Party to whom notice is sent or (ii) if delivered by mail, when actually received

by the Party to whom notice is sent at the address of such Party set forth below (or at such other address

as such Party may designate by written notice to all other Parties in accordance herewith):

If to Covered Entity: In accordance with the contact information in the Order

If to Business Associate: BrainCheck, Inc.

3000 E Cesar Chavez Street

Suite 300

Austin TX, 78702

Email: support@braincheck.com

Att: Director of Operations

 

4.9 Authorization. The Parties executing this Agreement hereby warrant that they have the authority

to execute this Agreement and that their execution of this Agreement does not violate any bylaws, rules,

or regulations applicable to them.

4.10 Counterparts. This Agreement may be executed in multiple counterparts, each of which shall be

deemed an original, and all of which together shall constitute one and the same instrument.

 
