HIPAA BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is made as of TODAYS DATE 2022, between Signature Diagnostics, Inc., a Delaware Corporation, DBA SDxLabs, (hereinafter “Covered Entity”) having its principal office at 1501 Preble Avenue, Pittsburgh, PA 15233, and YOUR COMPANY, a company located at YOUR ADDRESS (“Business Associate”). This Agreement is effective on the effective date of the underlying Agreement or Contract between the Parties (the “Effective Date”).

Unless the context clearly requires a distinction between the Agreement or the Contract and this Agreement, all references herein to “the Agreement”, “this Agreement”, “the Contract” or “this Contract” includes this Agreement.

The Parties have entered and/or in the future may enter, into one or more service agreements (the “Service Agreement(s)”) the performance of which require Business Associate to receive from, create, transmit or receive on behalf of Covered Entity protected health information (as defined below) that is subject to 45 C.F.R. Parts 160 and 164 (the “HIPAA Regulations”). The purpose of this Agreement is to amend and supplement each Service Agreement to set forth the obligations of the Parties with respect to such protected health information.

1. DEFINITIONS

   
   

   1. Catch-all definition: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms are given when defined in the HIPAA Regulations.

      
      

   2. “Breach” shall mean the same as it means at 45 C.F.R. 164.402.

      
      

   3. “Business Associate” (“BA”) shall mean the pharmacies or entities from whom SDxLabs collects samples to be processed, tested, and resulted.

      
      

   4. “Covered Entity” shall mean Signature Diagnostics, Inc., DBA SDxLabs.

      
      

   5. “Days” shall mean calendar days.

      
      

   6. “Designated Record Set” shall mean the same as it means at 45 C.F.R. 164.501, and includes electronic Designated Record Sets.

      
      

   7. “Discovery of a Breach” shall mean that Business Associate, or an employee, officer or agent of Business Associate (other than the individual that caused the Breach), has acquired actual knowledge of a Breach or by the exercise of reasonable diligence shall have acquired knowledge of a Breach.

      
      

   8. “Electronic Protected Health Information” or “EPHI” shall mean the same as it means at 45 C.F.R. 160.103.

      
      

   9. “Privacy Rule” shall mean Subparts A and E of 45 C.F.R. Part 164.

      
      

   10. “Protected Health Information” or “PHI” shall have the meaning set forth at 45 C.F.R. 160.103. When used in this Agreement, PHI shall refer only to PHI that is created, received, maintained,

       transmitted, used or disclosed for or on behalf of Covered Entity by Business Associate or a Subcontractor.

       
       

   11. “Security Incident” shall mean the same as it means at 45 C.F.R. 164.304.

       
       

   12. “Security Measures” shall mean the same as it means at 45 C.F.R. 164.304.

       
       

   13. “Security Rule” shall mean Subparts A and C of Part 164 of Title 45 of the Code of Federal Regulations.

       
       

   14. “Services” shall mean all functions and activities necessary to perform the Services Agreement(s) and related arrangements, whether oral or in writing, between Covered Entity and Business Associate.

       
       

   15. “Subcontractor” shall mean the same as it means at 45 C.F.R. 160.103.

       
       

   16. “Unsecured PHI” shall mean the same as it means at 45 C.F.R. 164.402.

       
       

2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

   
   

   1. Business Associate agrees to not use or disclose PHI of Covered Entity other than as permitted or required by this Agreement or as required by law.

      
      

   2. Business Associate agrees to use appropriate safeguards and to comply with the Security Rule with respect to EPHI to prevent use or disclosure of the PHI other than as provided for by this Agreement.

      
      

   3. In the event that Business Associate transmits EPHI on behalf of Covered Entity via electronic mail over the Internet, Business Associate agrees to the extent deemed reasonable and appropriate by Business Associate that such EPHI shall be secured by an encryption technology that renders EPHI unusable, unreadable, or indecipherable to unauthorized individuals in accordance with the guidance of a standards developing organization that is accredited by the American National Standards Institute; unless otherwise required by the Secretary to meet an alternative standard.

      
      

   4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate, or a Subcontractor of Business Associate, in violation of the requirements of this Agreement.

      
      

   5. Business Associate agrees to report to Covered Entity:

      
      

      1. Within ten (10) Days, any use or disclosure of PHI by the Business Associate not provided for by this Agreement of which it becomes aware.

         
         

      2. Within ten (10) Days, any Security Incident of which it becomes aware that results in an unauthorized access, use modification, destruction or disclosure of EPHI or interference with information systems for EPHI.

      3. Within ten (10) Days of receipt of a written request from Covered Entity, any Security Incident of which it becomes aware that was an unsuccessful attempt to obtain unauthorized access, use modification, destruction or disclosure of EPHI or interference with information systems for EPHI.

         
         

      4. If Business Associate makes a Discovery of a Breach of Covered Entity’s Unsecured PHI that is created, received, maintained, transmitted, used or disclosed by Business Associate in any manner arising out of this Agreement, Business Associate shall timely notify Covered Entity as provided in subsection (f) of this Section 2.

         
         

   6. Following Discovery of a Breach of Covered Entity’s Unsecured PHI, Business Associate without unreasonable delay, but in no case later than thirty (30) Days, shall provide written notice to Covered Entity setting forth the information described in subsection (g) of this Section 2. In the event that Business Associate discovered what may be considered a “Breach”, Business Associate shall use business care and prudence to satisfy itself based upon reasonable diligence that the acquisition, access, use, or disclosure of PHI was not unintentional or inadvertent and that Business Associate cannot affirmatively demonstrate that there is a low probability that the security or privacy of the PHI has been compromised.

      
      

      1. Notwithstanding any other provision of this Agreement, Business Associate agrees within thirty (30) Days of receipt of documentation from Covered Entity to reimburse Covered Entity for any and all reasonable expenses (e.g., cost of mailing, media, credit monitoring, etc.) incurred by Covered Entity in carrying out the obligations of Covered Entity under the HIPAA Regulations to notify individuals affected by a Breach of Business Associate. In the alternative and upon agreement of the Parties, Business Associate may directly undertake such obligations and expenses in lieu of the herein provide reimbursement.

         
         

   7. Business Associate’s written notification shall provide the following information:

      
      

      1. To the extent possible, the names of each individual whose Unsecured PHI has been, or is reasonably believed to have been accessed, acquired, used or disclosed during the Breach;

         
         

      2. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;

         
         

      3. A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

         
         

      4. Any steps individuals should take to protect themselves from potential harm resulting from the Breach;

         
         

      5. A brief description of what the Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches; and

         
         

      6. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll free telephone number, an e-mail address, Web site, or postal address.

   8. If Business Associate has been requested orally or in writing by law enforcement officials that notification of affected individuals may impede a criminal investigation, Business Associate shall so inform Covered Entity.

      
      

   9. Reporting a Security Incident or a use or disclosure of PHI not provided for in this Agreement shall not discharge Business Associate’s obligations under this Agreement to report a Breach unless such reporting fully and completely satisfies all of the Breach reporting requirements of this Agreement.

      
      

   10. In accordance with 45 C.F.R 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. With respect to EPHI, Business Associate will ensure that any Subcontractor of Business Associate that creates, receives, maintains, or transmits EPHI on behalf of Business Associate agrees to use appropriate safeguards and comply with the Security Rule with respect to EPHI to prevent use or disclosure of the PHI other than as provided for by this Agreement.

       
       

   11. When Business Associate maintains PHI in a Designated Record Set, including but not limited to an electronic Designated Record Set, Business Associate agrees to provide access to and copies of PHI maintained in any Designated Record Set to Covered Entity or, when requested in writing by Covered Entity, to an Individual in order for Covered Entity to meet the requirements of 45

       C.F.R. 164.524. Business Associate shall provide access to and copies of PHI in a reasonable time, not to exceed fifteen (15) Days [unless Business Associate and Covered Entity reasonably agree otherwise in writing]; and, in a reasonable manner.

       
       

   12. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI receiving from, or created, transmitted or received by Business Associate on behalf of Covered Entity, available to the Secretary, in the time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Regulations. Upon receipt of a request from the Secretary, Business Associate shall notify Covered Entity in writing unless such notification would be contrary to law.

       
       

   13. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity determines is required to enable Covered Entity to comply with 45 C.F.R. 164.526. Except for good cause shown in writing to Covered Entity, Business Associate shall act upon Covered Entity’s request for an amendment within fifteen (15) Days of receipt of Covered Entity’s request.

       
       

   14. Business Associate agrees to identify, track and document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528.

       
       

   15. Business Associate agrees to provide to Covered Entity or to an Individual, in writing and not later than thirty (30) Days after receiving a request under this subsection (o), information collected in accordance with the foregoing subsection (n) of this Section 2 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.

   16. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under the Privacy Rule, Business Associate agrees to comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation(s).

       
       

   17. Business Associate shall only request, use and disclose the minimum amount of PHI necessary to reasonably accomplish the purpose of the request, use or disclosure in accordance with 45

       C.F.R. 164.502(b). Further, Business Associate will restrict PHI to those employees of Business Associate or other workforce members under the control of Business Associate who are actively and directly participating in providing goods and/or services under the Agreement of the Parties and who need to know such information in order to fulfill such responsibilities.

       
       

3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

   
   

   1. General Use and Disclosure Provisions.

      
      

      1. Business Associate provides Services to Covered Entity pursuant to a Services Agreement and other arrangements. In accordance with the Service Agreement, the arrangements, and through their course of dealings and verbal understandings, Covered Entity and Business Associate have become knowledgeable about how and when Business Associate may create, receive, maintain, transmit, use or disclose PHI on behalf of Covered Entity when providing Services. Covered Entity Expressly authorizes Business Associate to make any and all uses and disclosures deemed reasonable and necessary to provide the Services, including but not limited to patient data for testing purposes, and information for reimbursement. Except as otherwise provided in this Agreement, Business Associate shall use or disclose PHI only in a manner permitted by the HIPAA Regulations if done by Covered Entity.

         
         

   2. Specific Use and Disclosure Provisions

      
      

      1. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

         
         

      2. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law, or for the purpose for which it was disclosed to the person, and the person notified the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

         
         

      3. When specifically requested in writing by Covered Entity, Business Associate may use PHI to: (i) provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. 164.504(e)(2)(i)(B); or, (ii) create de-identified health information in accordance with 45

         C.F.R. 164.514.

         
         

      4. Business Associate may disclose PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. 164.502(j)(1).

4. INDEMNIFICATION

   
   

   Business Associate shall indemnify and hold Covered Entity, and its employees, officers, directors, independent contractors, agents and representatives, harmless from and against all claims, liabilities, judgments, fines, assessments, penalties, awards or other expenses, of any kind or nature whatsoever, including, without limitation, attorneys’ fees, expert witness fees, and costs of investigation, litigation or dispute resolution, relating to or arising out of any breach of the Agreement by Business Associate. The obligations set forth in this Section 4 shall survive termination of this Agreement, regardless of the reasons for termination.

   
   

5. OBLIGATIONS OF COVERED ENTITY

   
   

   1. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 C.F.R. 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

      
      

   2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

      
      

   3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

      
      

   4. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Regulations if done by Covered Entity.

      
      

6. TERMS AND TERMINATION

   
   

   1. Term. The term of this Agreement shall commence as of the Effective Date of the Agreement, and shall terminate upon the sooner the occurrence of an event provided in subsection (b), (c), or (d) of this Section 6; except that, any provision of this Agreement that is necessary to fulfill an obligation under subsection (e) shall survive termination for any other reason.

      
      

   2. Termination by the Covered Entity. Covered Entity may immediately terminate this Agreement and the Agreement, any amendments thereto, or related arrangements or understandings, if the Covered Entity makes the determination that Business Associate has breached a material term of this Agreement. In the alternative, Covered Entity may choose to: (i) provide Business Associate with thirty (30) Days written notice of the existence of an alleged material breach, and

      (ii) afford Business Associate an opportunity to cure said alleged material breach upon mutually agreeable terms. Nonetheless, in the event that mutually agreeable terms cannot be achieved within thirty (30) Days, Business Associate must cure said breach to the satisfaction of the Covered Entity. Failure to cure in the manner set forth in this paragraph is grounds for the immediate termination of this Agreement and the Agreement.

   3. Termination by Business Associate. If Business Associate makes the determination that a condition material to the performance of this Agreement has changed under the Agreement or this Agreement, or that the Covered Entity has breached a material term of this Agreement, Business Associate may provide thirty (30) Days’ notice of its intention to terminate this Agreement and the Agreement. Business Associate agrees, however, to cooperate with Covered Entity to find a mutually satisfactory resolution to the matter prior to terminating and further agrees that, notwithstanding this provision, it shall not terminate this Agreement so long as the Agreement is in effect.

      
      

   4. Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Agreement.

      
      

   5. Effect of Termination. Upon any termination pursuant to this Section 6, Business Associate agrees to return or destroy all Protected Health Information, if it is feasible to do so. Prior to doing so, Business Associate further agrees to recover any Protected Health Information in the possession of its Subcontractors. If it is not feasible for Business Associate to return or destroy said Protected Health Information, Business Associate will notify the Covered Entity in writing. Said notification shall include: (i) a statement that Business Associate has determined that it is infeasible to return or destroy the Protected Health Information in its possession, and (ii) the specific reason for such determination, which reasons must be agreed to by Covered Entity. Business associate further agrees to extend any and all protections, limitations and restrictions contained in this Agreement to Business Associate’s use and/or disclosure of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible. If it is infeasible for Business Associate to obtain Protected Health Information from a Subcontractor, Business Associate must provide a written explanation to the Covered Entity and require the Subcontractor to agree to extend any and all protections, limitations and restriction contained in this Agreement to the Subcontractor’s use and/or disclosure of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible.

      
      

7. MISCELLANEOUS

   
   

   1. Regulatory References. A reference in this Agreement to a section in the HIPAA Regulations means the section then in effect, or as amended.

      
      

   2. Notices. All required notices shall be in writing and shall be hand delivered or given by certified or registered mail to the representatives at the addresses set forth below.

      
      

   3. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time for Covered Entity and Business Associate to comply with the requirement of the HIPAA Regulations.

      
      

   4. Survival. As applicable, the respective rights and obligations of Business Associate under section 6(e) of this Agreement shall survive the termination of this Agreement indefinitely.

   5. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the HIPAA Regulations.

      
      

   6. No Third Parties. This Agreement shall inure to the benefit of, and be binding upon, the Parties and their respective successors and assigns. There are no third parties to this Agreement and nothing herein is intended for the benefit of a third person.

      
      

   7. Coordination of Documents. In the event of a conflict between a provision of this Agreement and a provision of a Services Agreement, the provision of this Agreement shall control. This Agreement supersedes and replaces in its entirety any prior Business Associate Agreement between the Parties.

      
      

   8. Choice of Law. This Agreement shall be governed and construed by applicable federal law and by the laws of the Commonwealth of Pennsylvania without regard to laws relating to choice of law or conflicts of law.

      
      

   9. Waiver of Breach. The Parties hereto agree that the waiver by either party of a breach by the other party of any of the provisions contained in this Agreement shall not operate as or be construed to be a waiver of any other breach of this Agreement by either party.

      
      

   10. Assignment. This Agreement applies to the Services being provided by Business Associate and may not be assigned without the written consent of the Covered Entity. An agreement with a Subcontractor that complies with the requirements of this Agreement shall not be an assignment for the purpose of this Agreement.

IN WITNESS WHEREOF, intending to be legally bound hereby, Covered Entity and Business Associate have executed this Agreement as of the date and year first above mentioned.