This Business Associate Agreement ("Agreement") is entered into between Go MD USA, a healthcare services organization with offices at 3385 Airways Blvd, Suite 201, Memphis, TN 38116 ("Business Associate"), and the healthcare provider entity executing this Agreement ("Covered Entity"), collectively the "Parties."
This Agreement is intended to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, "HIPAA").
1. Definitions
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules. "Protected Health Information" or "PHI" has the meaning set forth in 45 C.F.R. § 160.103.
2. Permitted Uses and Disclosures by Business Associate
Business Associate may use or disclose PHI only as necessary to perform the services set forth in the underlying services agreement between the Parties, or as required by law. Business Associate may use PHI for the proper management and administration of its business, to provide data aggregation services, and to carry out its legal responsibilities.
Business Associate shall not use or disclose PHI in any manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except for the specific uses and disclosures permitted under this Agreement.
3. Obligations of Business Associate
Business Associate agrees to:
(a) not use or disclose PHI other than as permitted or required by this Agreement or as required by law;
(b) implement and maintain appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, in accordance with the HIPAA Security Rule;
(c) report to Covered Entity any use or disclosure of PHI not permitted under this Agreement, any security incident, and any breach of unsecured PHI, without unreasonable delay and no later than thirty (30) days following discovery;
(d) ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate;
(e) make PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524;
(f) make PHI available for amendment and incorporate amendments as directed by Covered Entity in accordance with 45 C.F.R. § 164.526;
(g) maintain and make available the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528;
(h) to the extent Business Associate carries out a Covered Entity's obligation under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation; and
(i) make Business Associate's internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.
4. Obligations of Covered Entity
Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI, any changes in or revocation of permission by an individual to use or disclose PHI, and any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
5. Term and Termination
This Agreement shall be effective as of the date first written above and shall remain in effect until the underlying services agreement between the Parties terminates, unless terminated earlier as provided herein.
Either Party may terminate this Agreement immediately upon written notice if it determines that the other Party has materially breached this Agreement and has not cured the breach within thirty (30) days of written notice of such breach.
Upon termination of this Agreement, Business Associate shall return or destroy all PHI received from, or created or received on behalf of, Covered Entity, if feasible. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
6. Breach Notification
In the event of a breach of unsecured PHI, Business Associate shall notify Covered Entity without unreasonable delay and no later than sixty (60) days following discovery. The notification shall include, to the extent possible, the identification of each individual whose PHI was breached, a description of the breach, the types of PHI involved, steps individuals should take to protect themselves, and what Business Associate is doing to investigate, mitigate, and prevent further breaches.
7. Miscellaneous
Amendment
The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with HIPAA and other applicable laws.
Interpretation
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA.
Survival
The obligations of Business Associate under this Agreement shall survive the termination of this Agreement.
No Third-Party Beneficiaries
Nothing in this Agreement shall confer upon any person other than the Parties any rights, remedies, obligations, or liabilities whatsoever.
Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of Tennessee, without regard to its conflict of laws principles, except to the extent preempted by federal law.
8. Contact
For all matters relating to this Business Associate Agreement, contact:
Go MD USA
Attn: HIPAA Privacy and Security Officer
3385 Airways Blvd, Suite 201
Memphis, TN 38116
Email: compliance@gomdcare.com
Phone: 833-706-3872
