HEALTHVIEWX BUSINESS ASSOCIATE AGREEMENT & TERMS OF PLAN

1. Business Associate Agreement (BAA)

I. Definitions 1. Catch-all definition:

a. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach; Data Aggregation; Designated Record Set; Disclosure; Health Care Operations; Individual; Minimum Necessary; Notice of Privacy Practices; Protected Health Information ("PHI"); Required By Law; Secretary; Security Incident; Subcontractor; Unsecured Protected Health Information; and Use.

2. Specific definitions:

a. Business Associate. "Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR 160.103, and in reference to the Parties to this Agreement, shall mean the vendor named at the top of the first page of this Agreement.

b. Covered Entity. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, in reference to the Parties to this Agreement

a. HIPAA Rules. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

II. Obligations and Activities of Business Associate Business Associate agrees to:

(a) Not use or disclose PHI other than as permitted or required by this Agreement or as Required By Law;

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (the HIPAA "Security Rule"), with respect to Electronic Protected Health Information, to prevent Use or Disclosure of PHI other than as provided for by this Agreement;

(c) Report, to Covered Entity, any Use or Disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including breaches of Unsecured Protected Health Information ("Breach") as required at 45 CFR 164.410, and any Security Incident ("Incident") of which Business Associate becomes aware;

(c) Report, to Covered Entity, any Use or Disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including breaches of Unsecured Protected Health Information ("Breach") as required at 45 CFR 164.410, and any Security Incident ("Incident") of which Business Associate becomes aware;

• Business Associate shall make such report to Covered Entity no later than ten (10) days after Business Associate becomes aware of the Breach or Incident, and provide all information Covered Entity may require to meet its obligation pursuant to 45 CFR 164.404;
• Unless the Covered Entity instructs otherwise, the Covered Entity shall be responsible for Breach notifications to the patient, NHS, and the media, with respect to Breaches or Incidents of Business Associate. Business Associate shall not contact patients about Breaches or Incidents without the Covered Entity's permission. Business Associate shall be responsible for all costs or damages incurred by Covered Entity related to Business Associate's (or Business Associate's Subcontractors') Breach or Incident.

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information;

(e) Make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524;

(f) Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526;

(g) Maintain and make available to Covered Entity the information required to provide an accounting of Disclosures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528;

(h) To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s); and

(i) Make Business Associate's internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

III Permitted Uses and Disclosures by Business Associate

(a) Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI as necessary to perform functions, activities, or services for, or on behalf of, Covered Entity as directed by Covered Entity or as specified in any service agreements or vendor contracts between the Parties, provided that such Use or Disclosure would not violate the HIPAA Rules if done by Covered Entity, or the Minimum Necessary policies and procedures of the Covered Entity, as required by 45 CFR 164.504(e)(2)(i).

(b) Business Associate may use or disclose PHI as Required By Law.

(c) Business Associate agrees to make Uses and Disclosures of, and requests for, PHI consistent with Covered Entity's Minimum Necessary policies and procedures.

(d) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, including that:

• Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI, subject to the exceptions contained in the HIPAA Rules;
• Business Associate will not engage in any communications which might be deemed to be "marketing" under the HIPAA Rules.

(e) Business Associate may use PHI for the proper management and administration of Business Associate or carry out the legal responsibilities of Business Associate.

(f) Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided Law requires the Disclosures, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person. The person notifies the Business Associate of any instances in which he is aware the confidentiality of the information has been breached.

(g) Business Associate may provide Data Aggregation services relating to the Health Care Operations of Covered Entity to the extent permitted by Covered Entity.

(h) Business Associates may use PHI to de-identify the information in accordance with 45 CFR 164.514(a)-(c) only after receiving specific permission from the Covered Entity to do so.

IV. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions

(a) Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520 to the extent that such limitation may affect Business Associate's Use or Disclosure of PHI.

(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate's Use or Disclosure of PHI.

(c) Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of PHI.

V. Term and Termination

(a) Term. The Term of this Agreement shall be effective upon acceptance by Business Associate and, subject to (b), (c) and (d) below, shall terminate at such time as all services or contracts have been completed, unless terminated for cause as authorized in paragraph (b) of this Section, whichever is earlier.

(b) Termination for Cause. Business Associate authorizes termination of this Agreement by Covered Entity, at the Covered Entity's option, if Covered Entity determines Business Associate has violated a material term of this Agreement and Business Associate has not cured the breach or ended the violation within thirty (30) days.

(c) Upon termination of this Agreement for any reason, with respect to PHI received from Covered Entity, or PHI created, maintained, or received by Business Associate on behalf of Covered Entity, Business Associate shall:

• Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
• Return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining PHI that Business Associate still maintains in any form;
• Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information to prevent Use or Disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
• Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out in this Agreement; and
• Return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for Business Associate's proper management and administration or to carry out Business Associate's legal responsibilities.

(d) Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.

VI. Miscellaneous

(a) Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

(b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.

(c) Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

(d) Governing Law and Forum Selection: Any dispute, controversy, action, or claim arising out of or relating to this Agreement, or the breach, termination, interpretation, or validity thereof, shall only be brought in a competent forum in the State of Texas. Additionally, the parties to this Agreement waive any objections to jurisdiction and venue as to the State of Texas. The governing law of this Agreement shall be Texas law or United States of America law, as appropriate, without regard to its conflicts of law principles.

VII. Disposition of Prior Business Associate Arrangements

The Agreement is intended to permanently amend, clarify and/or replace, as applicable, any prior Business Associate materials as may have existed between the Parties. The Parties should retain all prior materials for no less than six (6) years to comply with administrative retention obligations under HIPAA Rules.

2. Terms of Plan 1. Establishing an Account

You must establish an Account with HealthViewX to use the Service. You agree to provide accurate, current, and complete information about You and the individual who establishes the Account (“Registration Data”) as prompted by the Registration Form.

2. Responsibility for Use of Account

You, as the Account Owner, are responsible for all activities conducted through your Account, including activities of the Team Members and Users, and you are responsible for all activities conducted through your user name and are responsible for Users to whom you grant access to your Account, including your clients or patients and those you authorize to access your Account on behalf of yourself, or clients or patients. In the event that fraud, violation of law, regulation or rule, or conduct that violates these Terms of Service occurs (whether by you or someone else) that is in any way connected with your Account, we may suspend or terminate your use of the Service and your Account.

3. Freemium Plan validity

There is no time limit for usage of HealthViewX’s Freemium plan. However, the plan will remain valid and active up until 30 of your patients have been on-boarded onto your account. Following this event, the Freemium plan will be terminated, and you will have the option of switching to a Premium subscription account. The latter will commence once a Master Subscription Agreement (MSA) has been perused and countersigned.

4. Fees and Billing

The Freemium plan is offered at no cost, and does not require credit card information. Prior to switching to a Premium subscription account, our Business Development team will share pricing and other legal documentation with you.

5. Personal data Integrity

In providing you our Service, HealthViewX will not sell any Personal Information contained in User Data. HealthViewX will not retain, use or disclose the Personal Information You provide to us about Your patients and clients except for the specific purpose of performing our obligations under these Terms of Service, including providing and improving the Service under these Terms of Service, nor will HealthViewX retain, use or disclose Personal Information about your patients and clients outside of our direct business or contractual relationship with You or the legal entity under which You practice or are employed.

6. HealthViewX’s Intellectual Property Rights and Limited License Granted to You

HealthViewX owns Intellectual Property Rights in and to the Service, except User Data, including the HealthViewX Software, the Websites, and the Servers, and in and to our trademarks, service marks, trade names, logos, domain names, taglines etc. You understand that such Intellectual Property Rights are apart from any rights You may have in User Data you upload or submit to the Service, as discussed above. You acknowledge and agree that HealthViewX and its licensors own all right, title, and interest in and to the Service, including all Intellectual Property Rights therein, other than with respect to User Data.

HealthViewX hereby grants You a non-exclusive, non-transferable, non-sublicensable, limited, revocable license to access and use the Service specifically as set forth in these Terms. You agree that you will not (i) allow any person or entity not authorized by HealthViewX to use or access the Software, (ii) attempt to copy any ideas, features, functions or graphics contained in the Service; (iii) use the HealthViewX Software in the operation of a service bureau, an application service provider or for any other purpose intended to benefit a party other than You, (iv) alter or modify the HealthViewX Software, (v) sell, assign, sublicense, rent, lease or otherwise transfer the HealthViewX Software or any rights in connection therewith, or (vi) attempt to translate, disassemble, decompile, reverse assemble, reverse engineer all or any part of the Service or otherwise attempt to derive the source code for the Software.

You shall not: (i) license, sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party the HealthViewX mobile application in any way; (ii) modify or make derivative works based upon the Website or HealthViewX mobile application; (iii) create Internet “links” to the Website or “frame” or “mirror” the HealthViewX mobile application on any other server or wireless or Internet-based device; (iv) reverse engineer or access the HealthViewX mobile application in order to (a) design or build a competitive product or service, (b) design or build a product using similar ideas, features, functions or graphics of the Website or HealthViewX mobile application, or (c) copy any ideas, features, functions or graphics of the Website or HealthViewX mobile application; or (v) launch an automated program or script, including, but not limited to, web spiders, web crawlers, web robots, web ants, web indexers, bots, viruses or worms, or any program which may make multiple server requests per second, or unduly burdens or hinders the operation and/or performance of the Website or HealthViewX mobile application.

7. Prohibited Conduct While Using the Service

You agree that You will not, and will cause Team Members and Users to not:

• Post, display or transmit information or data, User Data, or Transaction Data, including the unauthorized use of any payment method, that violates any law, regulation or rule, or the rights of any third party including without limitation Intellectual Property Rights;
• Impersonate any person or entity without their consent, or otherwise misrepresent your affiliation;
• Post or transmit viruses, Trojan horses, worms, spyware, time bombs, cancelbots, or other computer programming routines that may harm the Service or interests or rights of other users, or that may harvest or collect any data or personally identifiable information about other users without their consent;
• Engage in malicious, disruptive or other conduct that impedes or interferes with other Users’ normal use of the Service; or
• Attempt to gain unauthorized access to any other User’s Account, password or User Data, or allow more than one person to use an Account.

8. Violation of Terms of Service

Any violation by You, Your Team Members or Users of these Terms of Service, and indication of a conflict of interest or competition may result in immediate suspension or termination of your Account.

9. Suspension and Termination of Accounts

ou may terminate this Agreement by intimating us and closing your Account at any time for any reason. Upon termination, HealthViewX shall have no further obligation or liability to You under this Agreement or otherwise. In addition, HealthViewX may suspend or terminate Your Account, without notice, for breach if You violate this Agreement, or any terms under this Agreement.

10. Termination of Licenses Upon Termination of Account

Upon termination of Your Account, all licenses granted by HealthViewX to use the Website, Software, and the Service will automatically terminate, and all User Data in Your Account will be retained no more than thirty (30) days after termination or expiration of Your Account or this Agreement, and deleted on expiration of such thirty (30) day time frame. You are responsible for exporting all account data and ensuring the secure preservation of PHI for your clients pursuant to federal and state law, and ethical requirements.

11. Verification for HealthViewX

By accepting these Terms in connection with an Account, the person acknowledging agreement or assenting to these Terms represents that they are at least 18 years of age, or the legal age of majority where in the place of residence if that jurisdiction has an older age of majority, and has the legal authority to contractually agree to these Terms of Service on behalf of the Account Owner. You are responsible for the security of any account verification information, such as usernames and passwords, including without limitation your Users’ usernames and password.