Business Associate Agreement
THIS AGREEMENT TAKES EFFECT WHEN YOU CLICK THE “I AGREE” BUTTON BELOW (“EFFECTIVE DATE”). BY CLICKING ON THE “I AGREE” BUTTON BELOW YOU
(A) ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT;
(B) REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS AGREEMENT AND, IF ENTERING INTO THIS AGREEMENT FOR AN ENTITY, THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THAT ENTITY; AND (C) ACCEPT THIS AGREEMENT AND AGREE THAT YOU ARE LEGALLY BOUND BY ITS TERMS.
This Business Associate Agreement (the “Agreement”) is a binding contract between the individual or entity that is the Designs for Health account holder (the “Covered Entity”) and Designs for Health,
Inc. (the “Business Associate”). Covered Entity and Business Associate are entering into this Agreement because the Designs for Health account holder represented to Designs for Health, Inc. that it was a Covered Entity under HIPAA (defined below).
This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information ("PHI") as required under the Health Insurance Portability and Accountability Act of 1996, as amended, and Information Technology for Economic and Clinical Health (HITECH) Act privacy and security provisions of the Stimulus Act, as amended, and their implementing regulations (collectively, "HIPAA"). Unless the context clearly indicates otherwise, the terms in this BAA shall have the same meaning as those terms defined under HIPAA Rules. Reference in this BAA to the Privacy Rule means the Privacy Rule, as set forth in the regulations at 45 C.F.R. Parts 160 and Subparts A and E of 164 ("Privacy Rule") and to the Security Rule means the Security Rule, as set forth in the regulations at 45 C.F.R. Part 160 and Subparts A and C of Part 164 (“Security Rule”).
1. OBLIGATIONS OF BUSINESS ASSOCIATE.
1.1. Business Associate agrees not to use or disclose PHI, other than in connection with providing services to Covered Entity, as permitted or required by this BAA, and as Required By Law. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this BAA.
1.2. With respect to electronic PHI (“ePHI”), Business Associate agrees to implement appropriate and reasonable Administrative, Physical, and Technical Safeguards for the privacy and security of PHI to ensure the Integrity, Confidentiality and Availability and to prevent non-permitted uses and disclosures of PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.
1.3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate, its agents or Subcontractors, in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI.
1.4. The Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including any security incidents or other incidents that constitute a Breach of Unsecured PHI of which it becomes aware promptly, within ten (10) days of discovery. Such notice shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the Individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available.
1.5. Business Associate agrees to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. If Business Associate becomes aware of a pattern of activity or practice of a Subcontractor that constitutes a material breach of their written business associate agreement, Business Associate shall take reasonable steps to cure the breach or end the violation, as applicable, and if such steps are unsuccessful, terminate the contract.
1.6. Business Associate agrees to notify Covered Entity upon the receipt of a request from an Individual (or their authorized personal representative) for access to, amendment to, an accounting of disclosures of, a copy or electronic copy of, or a restriction on the use or disclosure of PHI.
1.7. To the extent that Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity, Business Associate agrees to make available such PHI to the Covered Entity, or to an Individual upon written request as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.
1.8. To the extent that Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity, Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526.
1.9. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.
1.10. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to the Secretary of Health and Human Services for the purpose of the Secretary determining compliance with HIPAA.
1.11. To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under the Privacy Rule, Business Associate agrees to comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation(s).
2. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.
2.1. Business Associate agrees to use or disclose PHI only as permitted or required for the purpose of performing services and obligations to Covered Entity, provided such use or disclosure of PHI would not violate HIPAA if done by Covered Entity, including the minimum necessary requirements under HIPAA, or violate the terms of this BAA.
2.2. Specific Use and Disclosure Provisions
(a) Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities, and may disclose PHI for these purposes provided that disclosures are either Required By Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the Confidentiality of the information has been breached.
(b) Business Associate may use PHI: (a) to provide data aggregation services relating to the healthcare operations of Covered Entity; or (b) to create de-identified health information in accordance with 45 C.F.R. §164.514.
(c) Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. §164.502(j)(1).
3. OBLIGATIONS OF COVERED ENTITY.
3.1. Covered Entity shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI, and any further changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of PHI.
3.2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
3.3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
3.4. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under this BAA.
4. TERM AND TERMINATION
4.1. This BAA shall be in effect as of the Effective Date and shall terminate on the earlier of the date that: (a) Either party terminates for cause; or (b) All of the PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is not feasible to return or destroy PHI, protections shall be extended in accordance with this Section. Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed thirty (30) calendar days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA upon written notice to the other party.
4.2. Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
(a) Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities.
(b) Return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining PHI that the Business Associate still maintains in any form. If it is not feasible to return or destroy PHI, the protections under this BAA shall continue to be extended by Business Associate; provided, however, that Business Associate may use and disclose Patient Information retained by Business Associate after termination of this Agreement only for those purposes that make return or destruction of such Patient Information infeasible.
(c) Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI.
(d) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at Section 2.2(a) above which applied prior to termination, and return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Business Associate when it is no longer needed for such purposes.
4.3. The obligations of Business Associate under this Section shall survive the termination of this BAA.
5. MISCELLANEOUS.
5.1. The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of HIPAA and any other applicable law.
5.2. This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.