Terms of Service

Last Modified: September 22, 2025

TPC Acquisition, LLC dba Therapy Partner (“Company”) requires users of its websites and services, including any
entity executing an order form (“Customer”) that references these terms to accept and adhere to these terms and
conditions (the, “Agreement”). This Agreement governs the purchase and use of Company’s services and is accepted by
executing an order form that references this Agreement or by using or accessing Company’s services. Company may
update this Agreement from time to time and Customer will have 30 days to reject the updated terms by providing
written notice to Company. If Customer continues to use or receive the services following such period, the updated
Agreement will be deemed accepted.

1. Order Form.

Services will be ordered by Customer pursuant to executed order forms (each, an “Order Form”). Each Order Form will
include the specific services being ordered and the associated fees and any additional terms as applicable (herein
referred to collectively as the “Service”). Each additional Order Form will be numbered sequentially (e.g. Order
Form 1, 2, 3, etc.) and upon execution by both parties will be deemed an addendum hereto and will be subject to all
of the terms and conditions herein. Any one of Customer’s subsidiaries or affiliates may also order services under
this Agreement by entering into an Order Form signed by such subsidiary or affiliate and Company and agreeing to be
bound by the terms of this Agreement and such Order Form.

2. Software/Service.

2.1. Rights for Use. Company hereby grants to Customer during the term of this Agreement a non-exclusive,
non-transferrable (except as provided herein) right to access and use the Service which includes to utilize, with
incidental copies arising from the operation of the Customer’s browser, the Service and Customer Content solely as
expressly permitted by Company. Customer shall be responsible for each user’s use of the Service in accordance with
the terms of this Agreement.

In the event that Customer’s use of the Service requires Customer’s clients to access or use the website via a
client portal or any other means, Customer understand and agree that such clients must agree to Company’s Client
Terms of Service and Privacy Policy prior to being granted such access. Customer is responsible for informing such
clients of the Client Terms of Service and shall provide to such clients a copy of the same. The Client Terms of
Service can be viewed online at: https://www.therapyclient.com/account/terms. Customer shall provide its clients
with notice of and obtain their consent to the Client Terms of Service and Customer shall not, in any way, alter the
Client Terms of Service.

2.2. Accounts; Security. Access to or use of certain portions and features of the Service may require
Customer to create an account (“Account”). Customer represents that all information provided by it is current,
accurate, complete, and not misleading. Customer further warrants that it will maintain and update all information
provided by it to ensure accuracy on a prompt, timely basis. Customer is entirely responsible for maintaining the
confidentiality and security of its Account(s), including the password(s). Accounts are not transferrable. Customer
agrees to promptly notify Company if Customer becomes aware or suspects any unauthorized use of its accounts,
including any unauthorized access or attempted access. Customer is responsible for all activities that occur under
its Account(s). Further, Customer is the primary account holder and is responsible for all charges made by
additional users added to the Account(s). A user license is required for each person utilizing Customer’s master
account, or other data generated through the use of the Service. Any sharing of such data to reduce the number of
licenses required or sharing account information in any way is strictly prohibited.

2.3. Restrictions on Use. In accessing or using the Service, Customer will not: (a) resell, lease, encumber,
sublicense, distribute, publish, transmit, transfer, assign or provide such access or use to any third party in any
medium whatsoever; (b) devise specifications from, reverse engineer, reverse compile, disassemble, or create
derivative works based on the Service; (c) apply systems to extract or modify information in the Service using
technology or method such as those commonly referred to as “web scraping,” “data scraping,” or “screen scraping”;
(d) knowingly input or post through or to the Service any content that is illegal, threatening, harmful, lewd,
offensive, or defamatory or that infringes the intellectual property rights, privacy rights or rights of publicity
of others, (e) store data on the Service that is regulated by the HIPAA Privacy Rules or the PCI Data Standards in
any field that is not specifically designated for such use (f) input or transmit through or to the Service any
virus, worm, Trojan Horse, or other mechanism that could damage or impair the operation of the Service or grant
unauthorized access thereto; (g) use or access the Service for purposes of monitoring the availability, performance
or functionality of the Service or for any other benchmarking or competitive purposes; or (h) cause, assist, allow
or permit any third party (including an end-user) to do any of the foregoing; (i) use the Service to compete with
Company in any way; (j) permit any third party to use or access the Service other than Authorized Users who are
acting on your behalf; or (k) access the Service from an IP address outside of the United States or Canada.

2.4. Maintenance. Customer agrees that Company may install software updates, error corrections, and software
upgrades to the Service as Company deems necessary from time to time. All such updates, error corrections and
upgrades will be considered part of the Service for purposes of this Agreement.

2.5. Applicable Laws. Customer’s access to and use of the Service is subject to all applicable international,
federal, state and local laws and regulations. Customer may not use the Service or any information data or Customer
Content in violation of or to violate any law, rule or regulation. Ensuring Customer’s use of the Service is
compliant with applicable laws is the responsibility of Customer and obtaining all required authorizations
(including establishing all required terms and conditions) for payments processed via the Service.

2.6. Suspension of Service. Company has the right to immediately suspend the Service (a) in order to prevent
damage to or degradation of the Service or unauthorized or non-compliant use or (b) for operational reasons such as
repair, maintenance, or improvement or because of any emergency, or (c) if, following notice from Company, Customer
has failed to pay any amounts due and owing. In the case of (a) or (b) Company will give Customer prior notice if
reasonable and will ensure that the Service is restored as soon as possible after the event given rise to suspension
has been resolved to Company’s reasonable satisfaction.

3. Data Licenses.

3.1. Customer Content. As between Company and Customer, all title and intellectual property rights in and to
all electronic data or information submitted to and stored in the Service that is owned by Customer (“Customer
Content”) are owned by Customer. Customer acknowledges and agrees that in connection with the provision of the
Services, Company will store Customer Content in the United States, which may be accessed by Company personnel in
the United States and Canada. Customer further acknowledges that the Customer Content may be stored and maintained
for a period of time consistent with Company’s standard business processes for the Service. Following expiration or
termination of the Agreement or a Customer account, if applicable, Company may deactivate the applicable Customer
account(s) and delete any data therein. Customer grants Company the right to host, use, process, display and
transmit Customer Content to provide the Services pursuant to and in accordance with this Agreement, the Business
Associate Agreement attached as Exhibit A hereto and the applicable Order Form. Customer has sole responsibility for
the accuracy, quality, integrity, legality, reliability, and appropriateness of Customer Content, and for obtaining
all rights related to Customer Content required by Company to perform the Services.’

3.2. Aggregated Data. Customer agrees that, subject to Company’s confidentiality obligations in this
Agreement, Company may (a) capture data regarding the use of the Service by Customer and its end users, (b) collect
metrics and data included in the Customer Content, and (c) aggregate and analyze any metrics and data collected
pursuant to subsections (a) and/or (b) of this sentence (collectively, the “Aggregated Data”). Customer agrees that
Company may use, reproduce, distribute and prepare derivative works from the Customer Content, solely as
incorporated into Aggregated Data, provided that under no circumstances will Company use the Aggregated Data in a
way that identifies Customer or its users as the source of the data.

4. Third Party Services.

Except as expressly permitted in this Agreement or as otherwise agreed by Company in writing, Customer is prohibited
from linking to the Service, framing of all or any portion of the Service, and extracting data from the Service.
Company reserves the right to disable any unauthorized links or frames. Company will not be responsible and
expressly disclaims any liability for any third party services that Customer may use or connect to through the
Service. If Customer activates any APIs or links to enable data sharing through the Service or directs Company to do
so on its behalf, Customer thereby authorizes Company to send and receive Customer Content with any such activated
third-party service and represents and warrants to Company that Customer has all appropriate right and title to
grant such authorization. Customer will be solely responsible for any third-party fees related to the third-party
services and compliance with any applicable third-party service terms.

5. Intellectual Property.

5.1. Proprietary Rights. Company’s intellectual property, including without limitation the Service, its
trademarks and copyrights and excluding any Customer Content contained therein, and any modification thereof, are
and will remain the exclusive property of Company and its licensors. No licenses or rights are granted to Customer
except for the limited rights expressly granted in this Agreement.

5.2. Feedback. Customer agrees that advice, feedback, criticism, or comments provided to Company related to
the Service are given to Company and may be used by Company freely and without restriction and will not enable
Customer to claim any interest, ownership or royalty in Company’s intellectual property.

6. Payments and Taxes.

6.1. Payment. Fees are set forth in the applicable Order Form (“Fees”). Upon execution of any Order Form, a
one-time fee will be due and payable. Unless otherwise set forth in the applicable Order Form, Fees are due and
payable by Customer within 15 days of the bill date for such Fees. Fees owed by Customer to Company will be
automatically debited from the bank account or other electronic payment method for which Customer has provided
applicable account information and Customer hereby authorizes Company to perform all such debits. Any usage Fees, as
set forth in an applicable Service Order, will be billed monthly and in arrears. An administrative late charge of
$35.00 per month will be charged for any electronic transaction that is declined. Additionally, undisputed amounts
that are past due will be subject to a monthly charge of 1.5% per month or the maximum rate permitted by law,
whichever is less. Customer waives the right to contest billing discrepancies that are not reported within two
billing cycles. Customer agrees to pay all reasonable costs of collection in the event any amount is not paid when
due. Company will have the right to change Fees effective any time, which right will include without limitation the
right to charge a Fee for new features or functions of the Service or for features or functions that have previously
been offered at no charge. All Fees are payable in United States Dollars, and non-refundable.

6.2. Automatic Payment Terms. Customer authorizes Company to charge the credit card information provided, or
debit the bank account information provided, as applicable, beginning as of the Effective Date and monthly
thereafter, for all applicable fees due as defined in the Agreement. Customer understands that this authorization
will remain in effect until it is canceled in writing and agrees to notify Company in writing of any changes in
Customer’s account information or termination of this authorization at least 15 days prior to the next billing date.
If the payment date falls on a weekend or holiday, Customer understands that payments may be executed on the next
business day. For ACH debits to a checking/savings account, Customer understands that because these are electronic
transactions, these funds may be withdrawn from Customer’s account as of the payment date, and that it will have
limited time to report and dispute errors. In the case the ACH transaction is returned for Non Sufficient Funds
(“NSF”) Customer understands that Company may at its discretion attempt to process the charge again within 30 days,
and agrees to an additional $25.00 charge for each attempt returned NSF, which will be initiated as a separate
transaction from the authorized payment. Customer has certified that the business bank account information provided
is enabled for ACH transactions, and agrees to reimburse Company for all penalties and fees incurred as a result of
Customer’s bank rejecting ACH debits or credits as a result of the account not being properly configured for ACH
transactions. Both parties agree to be bound by NACHA Operating Rules as they pertain to these transactions.
Customer acknowledges that the origination of ACH transactions to its account must comply with the provisions of
U.S. law. Customer agrees not to dispute these scheduled transactions with its bank or credit card company provided
the transactions correspond to the terms indicated in this Agreement.

6.3. Taxes. Company Fees do not include any local, state, federal or foreign taxes, levies or duties of any
nature, including value-added, sales, use or withholding taxes (“Taxes”). Customer is responsible for paying all
Taxes for which Customer is responsible under this Section. Company may invoice taxes to Customer as required by
local law, and Customer will pay such taxes, unless Customer provides Company with a valid tax exemption certificate
authorized by the appropriate taxing authority.

7. Term and Termination.

7.1. Term. This Agreement will be effective as of the stated date in an initial Order Form (“Effective Date”)
and remain in effect until (a) all executed Order Forms have expired or been terminated or (b) terminated by either
party as permitted by this Agreement. Unless otherwise stated in the Order Form the initial term will be for one
year, thereafter, the Order Form will automatically renew for successive periods equal to the initial term, unless
cancelled by either party in accordance with this Agreement.

7.2. Termination. Either party may terminate this Agreement by providing 30 days’ written notice prior to the
end of the then current term. Either party may terminate this Agreement immediately for a breach by the other party
of any of its material terms, if the breaching party has failed to cure such breach (if curable) within 30 days of
receipt of written notice from the non-breaching party describing the breach. Either party may terminate this
Agreement without notice if the other party becomes insolvent, makes or has made an assignment for the benefit of
creditors, is the subject of proceedings in voluntary or involuntary bankruptcy instituted on behalf of or against
such party (except for involuntary bankruptcies which are dismissed within 60 days), or has a receiver or trustee
appointed for substantially all of its property.

7.3. Effects of Termination. Upon the expiration or termination of this Agreement for any reason, (a)
Customer will immediately cease using the Service, (b) upon request, each party will return or destroy all
Confidential Information of the other party, provided, that each party may retain one copy of the Confidential
Information of the other party as necessary to comply with applicable law or its records retention or archival
policies or practices (and such retained Confidential Information will remain subject the non-disclosure obligations
in this Agreement) and (c) any unpaid, undisputed amounts due through termination will become immediately due and
payable. If Customer requests Company to provide professional services for the export of any Customer Content,
Company will provide to Customer the applicable Customer Content export file via Company’s designated secure
delivery method as feasible, at Company’s then current professional services fee. Customer agrees that any such
Customer Content export files are provided by Company as-is and that Company is not responsible for any errors or
omissions in the export file or for any corruption of the Customer Content that may occur.

7.4. Survival. Any provisions of this Agreement that expressly, or by implication, are intended to survive
its termination or expiration will survive and continue to bind the parties, including without limitation provisions
relating to confidentiality, representations and warranties, indemnification, limitations on liability, intellectual
property, and Customer’s payment obligations under this Agreement.

8. Confidential Information.

8.1. Confidential Information. “Confidential Information” means any information disclosed by one party to the
other whether orally or in writing that is designated as confidential or that reasonably should be understood by the
receiving party to be confidential, notwithstanding the failure of the disclosing party to designate it as such.
Confidential Information may include information that is proprietary to a third party and is disclosed by one party
to another pursuant to this Agreement. The Service, all features and functions thereof and related pricing and
product plans will be the Confidential Information of Company.

8.2. Non-Disclosure. Each party agrees to maintain the confidentiality of the other party’s Confidential
Information with the same security and measures it uses to protect its own Confidential Information of a similar
nature (but in no event less than reasonable security and measures) and not to use such Confidential Information
except as necessary to perform its obligations or exercise its rights under this Agreement. The receiving party may
disclose Confidential Information of the disclosing party to those employees, officers, directors, agents,
affiliates, consultants, users, and suppliers who need to know such Confidential Information for the purpose of
carrying out the activities contemplated by this Agreement and who have agreed to confidentiality provisions that
are no less restrictive than the requirements herein. Such party will be responsible for any improper use or
disclosure of the disclosing party’s Confidential Information by any such parties. Except as expressly permitted by
this Section, the receiving party will not disclose or facilitate the disclosure of Confidential Information of the
disclosing party to any third party. The restrictions in this Section shall continue until such time as the
information is covered by an exclusion set forth below.

8.3. Exclusions. The receiving party will have no obligation under this Section with respect to information
provided by the disclosing party that: (a) is or becomes generally available to the public other than as a result of
a breach of this Agreement by the receiving party, (b) is or becomes available to the receiving party from a source
other than the disclosing party, provided that such source is not known to the receiving party to be bound by an
obligation of confidentiality to the disclosing party with respect to such information, (c) was in the receiving
party’s possession prior to disclosure by the disclosing party, or (d) is independently developed by the receiving
party without reference to the Confidential Information. Further either party may disclose Confidential Information
(i) as required by any court or other governmental body or as otherwise required by law, or (ii) as necessary for
the enforcement of this Agreement or its rights hereunder.

9. Representations and Warranties.

Customer represents, warrants and covenants that (i) the Agreement is a legal, valid and binding obligation,
enforceable against it in accordance with its terms, without violating any contract to which it is a party. To the
extent the Agreement is executed by a group administrator and/or entity (“Administrator”) on behalf of any Customer,
such Administrator represents and warrants that it has the authority to execute the Agreement on such Customer’s
behalf and to act on behalf of such Customer, and only within the scope of such agency, with respect hereto.

10. Disclaimers.

COMPANY DOES NOT WARRANT THAT THE SERVICE WILL BE PERFORMED ERROR-FREE OR UNINTERRUPTED, THAT COMPANY WILL CORRECT
ALL ERRORS OR THAT THE SERVICE WILL MEET CUSTOMER’S REQUIREMENTS OR EXPECTATIONS. COMPANY IS NOT RESPONSIBLE FOR ANY
ISSUES RELATED TO THE PERFORMANCE, OPERATIONS OR SECURITY OF THE SERVICE THAT ARISE FROM CUSTOMER CONTENT OR THIRD
PARTY APPLICATIONS OR SERVICES PROVIDED BY THIRD PARTIES. COMPANY EXPRESSLY DISCLAIMS (TO THE GREATEST EXTENT
PERMISSIBLE UNDER APPLICABLE LAW) ALL OTHER WARRANTIES EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, RELATING TO THE
SUBJECT MATTER OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, TITLE, OR FITNESS
FOR A PARTICULAR PURPOSE.

11. Limitation of Liability.

IN NO EVENT WILL COMPANY OR ITS AFFILIATES BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE,
OR EXEMPLARY DAMAGES, OF ANY KIND OR NATURE ARISING OUT OF THIS AGREEMENT OR THE SERVICE, INCLUDING WITHOUT
LIMITATION, ANY COST TO COVER PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES (WHICH THE PARTIES AGREE WILL NOT BE
CONSIDERED DIRECT DAMAGES), OR ANY LOSS OF REVENUE, PROFITS, SALES, DATA, DATA USE, GOOD WILL, OR REPUTATION.
COMPANY’S MAXIMUM LIABILITY ARISING OUT OF OR RELATING TO THE SERVICE OR THIS AGREEMENT WILL BE LIMITED TO THE
AMOUNT OF FEES CUSTOMER HAS PAID TO COMPANY IN THE 2 MONTHS PRIOR TO THE EVENT(S) GIVING RISE TO SUCH LIABILITY. THE
LIMITATIONS SET FORTH IN THIS SECTION APPLY REGARDLESS OF THE LEGAL THEORY ON WHICH A CLAIM IS BROUGHT, EVEN IF
COMPANY HAS BEEN NOTIFIED OF THE POSSIBILITY OF DAMAGE OR IF SUCH DAMAGE COULD HAVE BEEN REASONABLY FORESEEN AND
NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY EXCLUSIVE REMEDY PROVIDED IN THIS AGREEMENT.

12. Indemnification.

Customer agrees to defend and indemnify Company and its affiliates from and against any legal action, demand, suit,
or proceeding brought against Company or its affiliates by a third party arising out of or related to the Customer
Content or Customer’s use of the Service.

13. Publicity.

Customer hereby consents to Company identifying Customer as a customer by name and logo in Company’s promotional
materials, subject to Customer’s right to revoke such consent in writing at any time. Upon such revocation, Company
will have 30 days to process Customer’s request.

14. Assignment.

Customer may not assign or transfer this Agreement or any of its rights or obligations hereunder in whole or in part
without the prior written consent of Company. Subject to the foregoing, this Agreement will inure to the benefit of,
be binding upon, and be enforceable against, each of the parties hereto and their respective successors and assigns.

15. Notices.

Any notice required under this Agreement will be provided to the other party in writing. If Customer wishes to
provide notice to Company, Customer will send notice via email to [email protected]. Company will send notices
to one or more contact(s) on file for Customer. Notices from Company, other than for a breach of this Agreement may
be provided within the Service.

16. Attorney’s Fees.

In the event any proceeding or lawsuit is brought in connection with this Agreement, the prevailing party in such
proceeding will be entitled to receive its reasonable costs, expert witness and attorneys’ fees.

17. Relationship of the Parties.

This Agreement does not create any joint venture, partnership, agency, or employment relationship between the
parties.

18. No Third Party Beneficiaries.

This Agreement is being entered into for the sole benefit of the parties hereto, and nothing herein, express or
implied, is intended to or will confer upon any other person or entity any legal or equitable right, benefit or
remedy of any nature whatsoever.

19. Equitable Remedies.

Each party acknowledges and agrees that (a) a breach or threatened breach by such party may give rise to irreparable
harm to the other party for which monetary damages may not be an adequate remedy; and (b) if a breach or threatened
breach by such party occurs, the other party will in addition to any and all other rights and remedies that may be
available to such other party at law, at equity or otherwise in respect of such breach, be entitled to seek
equitable relief that may be available from a court of competent jurisdiction, without any requirement to post a
bond or other security.

20. Force Majeure.

Neither party will be liable under this Agreement for any failure or delay in the performance of its obligations
(except for the payment of money) on account of strikes, shortages, riots, insurrections, fires, flood, storm,
explosions, acts of God, war, governmental action, labor conditions, earthquakes, material shortages, or any other
cause that is beyond the reasonable control of such party.

21. Limitation of Claims.

No legal proceedings, regardless of form, arising under or relating to this Agreement may be brought by Customer
more than six months after it first have actual knowledge of the facts giving rise to the cause of action.

22. FCPA Compliance.

Customer will comply with the United Stated Foreign Corrupt Practices Act (as amended) and any analogous law or
regulations existing in any other country or region in the Territory, in connection with its performance under this
Agreement. Customer shall not make any payment, either directly or indirectly, of money or other assets, including
but not limited to compensation derived from this Agreement, to government or political party officials, candidates
for government or political office, or representatives of other businesses or persons acting on behalf of the
foregoing, that would violate any applicable law, rule or regulation.

23. Export Compliance.

Customer must comply with United States, foreign and international laws and regulations, including without
limitation, the United States Export Administration Regulations and the United States Office of Foreign Asset
Control regulations, and other anti-boycott and import regulations. Such export laws govern use of the Service
including technical data and any Service deliverables provided under this Agreement and Customer agrees to comply
with all such laws and regulations (including “deemed export” and “deemed re-export” regulations). Customer is
responsible for ensuring that no data, information, software programs and/or materials resulting from the Service
(or direct product thereof) will be exported directly or indirectly in violation of these laws. Customer will
indemnify Company for any violation by Customer of any applicable export controls or economic sanctions laws and
regulations.

24. Governing Law, Jurisdiction and Venue.

This Agreement will be governed by and construed in all respects in accordance with the laws of the state of
Colorado, without regard to its conflicts of laws principles. Each party hereby consents to the exclusive venue and
jurisdiction of the federal courts of Colorado.

25. Privacy, Acceptable Use.

By using the Service, in addition to these terms and conditions the Customer must acknowledge and agree to the terms
of:

 

26. Severability, Waiver and Amendment.

If any provision of this Agreement is held by a court of competent jurisdiction to be unenforceable or invalid, such
provision will be changed and interpreted as to best accomplish the objectives of the original provision to the
fullest extent permitted by law, and the remaining provisions will remain in full force and effect. No waiver of any
term or right in this Agreement will be effective unless made in writing and signed by an authorized representative
of the waiving party. Any waiver or failure to enforce any provision of this Agreement will not be deemed a waiver
of future enforcement of that or any other provision. Except to the extent otherwise expressly provided in this
Agreement, this Agreement may only be amended in writing signed by both parties hereto.

27. Counterparts, Entire Agreement and Order of Precedence.

This Agreement or any Order Form may be executed in one or more counterparts, each of which will be deemed an
original, but all of which together will constitute one and the same instrument. This Agreement, together with any
Order Form(s) states the entire agreement of the parties regarding the subject matter of this Agreement, and
supersedes all prior proposals, agreements or other communications between the parties, oral or written, regarding
such subject matter. If an ambiguity or conflict exists among the documents the order of precedence will be: (a) the
terms and conditions of an Order Form; and (b) the terms and conditions of this Agreement. Any preprinted terms on
any purchase order are hereby expressly rejected by Company and will be of no force or effect.

< id="exhibita" class="center-columns-10">

Exhibit A

HIPAA BUSINESS ASSOCIATE AGREEMENT

This HIPAA Business Associate Agreement (“BAA”) amends and is made part of that certain Master Services Agreement
(“Service Agreement”), by and between Customer (“Entity”) and TPC Acquisition, LLC dba Therapy Partner
(“Associate”).

Entity and Associate agree that the parties incorporate this BAA into the Service Agreement in order to comply with
the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health
Information Technology for Economic and Clinical Health Act (“HITECH”) and their implementing regulations set forth
at 45 C.F.R. Parts 160 and Part 164 (the “HIPAA Rules”). To the extent Associate is acting as a Business Associate
of Entity pursuant to the Service Agreement, the provisions of this BAA shall apply, and Associate shall be subject
to the penalty provisions of HIPAA as specified in 45 CFR Part 160.

Definitions. Capitalized terms not otherwise defined in this BAA shall have the meaning set forth in the
HIPAA Rules. References to “PHI” mean Protected Health Information maintained, created, received or transmitted by
Associate from Entity or on Entity’s behalf.

Uses or Disclosures. Associate will neither use nor disclose PHI except as permitted or required by this BAA
or as Required By Law. To the extent Associate is to carry out an obligation of Entity under the HIPAA Rules,
Associate shall comply with the requirements of the HIPAA Rules that apply to Entity in the performance of such
obligation. Associate is permitted to use and disclose PHI: (a) to perform any and all obligations of Associate as
described in the Service Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done
by Entity directly; (b) otherwise permitted by law, provided that such use or disclosure would not violate the HIPAA
Rules, if done by Entity directly and provided that Entity gives its prior written consent; (c) to perform Data
Aggregation services relating to the health care operations of Entity; (d) to report violations of the law to
federal or state authorities consistent with 45 C.F.R. § 164.502(j)(1); (e) as necessary for Associate’s proper
management and administration and to carry out Associate’s legal responsibilities (collectively “Associate’s
Operations”), provided that Associate may only disclose PHI for Associate’s Operations if the disclosure is Required
By Law or Associate obtains reasonable assurance, evidenced by a written contract, from the recipient that the
recipient will: (1) hold such PHI in confidence and use or further disclose it only for the purpose for which
Associate disclosed it to the recipient or as Required By Law; and (2) notify Associate of any instance of which the
recipient becomes aware in which the confidentiality of such PHI was breached; (f) to de-identify PHI in accordance
with 45 C.F.R. § 164.514(b), provided that such de-identified information may be used and disclosed only consistent
with applicable law. In the event Entity notifies Associate of a restriction request that would restrict a use or
disclosure otherwise permitted by this BAA, Associate shall comply with the terms of the restriction request.

Safeguards. Associate will use appropriate administrative, technical and physical safeguards to prevent the
use or disclosure of PHI other than as permitted by this BAA. Associate will also comply with the provisions of 45
CFR Part 164, Subpart C of the HIPAA Rules with respect to electronic PHI to prevent any use or disclosure of such
information other than as provided by this BAA.

Subcontractors. In accordance with 45 CFR §§ 164.308(b)(2) and 164.502(e)(1)(ii), Associate will ensure that
all of its subcontractors that create, receive, maintain or transmit PHI on behalf of Associate agree by written
contract to comply with the same restrictions and conditions that apply to Associate with respect to such PHI.

Minimum Necessary. Associate represents that the PHI requested, used or disclosed by Associate shall be the
minimum amount necessary to carry out the purposes of the Service Agreement. Associate will limit its uses and
disclosures of, and requests for, PHI (i) when practical, to the information making up a Limited Data Set; and (ii)
in all other cases subject to the requirements of 45 CFR § 164.502(b), to the minimum amount of PHI necessary to
accomplish the intended purpose of the use, disclosure or request.

Obligations of Entity. Entity shall notify Associate of (i) any limitations in its notice of privacy
practices, (ii) any changes in, or revocation of, permission by an individual to use or disclose PHI, and (iii) any
confidential communication request or restriction on the use or disclosure of PHI that Entity has agreed to or with
which Entity is required to comply, to the extent any of the foregoing affect Associate’s use or disclosure of PHI.

Access and Amendment. In accordance with 45 CFR § 164.524, Associate shall permit Entity or, at Entity’s
request, an individual (or the individual’s designee) to inspect and obtain copies of any PHI about the individual
that is in Associate’s custody or control and that is maintained in a Designated Record Set. If the requested PHI is
maintained electronically, Associate must provide a copy of the PHI in the electronic form and format requested by
the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by
Entity and the individual. Associate will, upon receipt of notice from Entity, promptly amend or permit Entity
access to amend PHI so that Entity may meet its amendment obligations under 45 CFR § 164.526. If a request for
access or amendment is of PHI is received by Associate from any entity other than Entity, Associate will promptly
inform Entity of such request.

Accounting. Except for disclosures excluded from the accounting obligation by the HIPAA Rules and regulations
issued pursuant to HITECH, Associate will record for each disclosure that Associate makes of PHI the information
necessary for Entity to make an accounting of disclosures pursuant to the HIPAA Rules. In the event the U.S.
Department of Health and Human Services (“HHS”) finalizes regulations requiring Covered Entities to provide access
reports, Associate shall also record such information with respect to electronic PHI held by Associate as would be
required under the regulations for Covered Entities beginning on the effective date of such regulations. Associate
will make information required to be recorded pursuant to this Section available to Entity promptly upon Entity’s
request for the period requested, but for no longer than required by the HIPAA Rules (except Associate need not have
any information for disclosures occurring before the effective date of this BAA).

Inspection of Books and Records. Associate will make its internal practices, books, and records, relating to
its use and disclosure of PHI, available upon request HHS to determine compliance with the HIPAA Rules.

Reporting. To the extent Associate becomes aware or discovers any use or disclosure of PHI not permitted by
this BAA, any Security Incident involving electronic PHI or any Breach of Unsecured Protected Health Information
involving PHI, Associate shall promptly report such use, disclosure, Security Incident or Breach to Entity.
Associate shall mitigate, to the extent practicable, any harmful effect known to it of a Security Incident, Breach
or use or disclosure of PHI by Associate not permitted by this BAA. Notwithstanding the foregoing, the parties
acknowledge and agree that this section constitutes notice by Associate to Entity of the ongoing existence and
occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to
Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other
broadcast attacks on Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any
combination of the above, so long as no such incident results in unauthorized access, use or disclosure of
electronic PHI. All reports of Breaches shall be made in compliance with 45 CFR § 164.410.

Term and Termination. This BAA shall be effective as of the effective date of the Service Agreement and shall
remain in effect until termination of the Service Agreement. Either party may terminate this BAA and the Service
Agreement effective immediately if it determines that the other party has breached a material provision of this BAA
and failed to cure such breach within thirty (30) days of being notified by the other party of the breach. If the
non-breaching party determines that cure is not possible, such party may terminate this BAA and the Service
Agreement effective immediately upon written notice to other party.

Upon termination of this BAA for any reason, Associate will, if feasible, return to Entity or destroy all PHI
maintained by Associate in any form or medium, including all copies of such PHI. Further, Associate shall recover
any PHI in the possession of its agents and subcontractors and return to Entity or securely destroy all such PHI. In
the event that Associate determines that returning or destroying any PHI is infeasible, Associate may maintain such
PHI but shall continue to abide by the terms and conditions of this BAA with respect to such PHI and shall limit its
further use or disclosure of such PHI to those purposes that make return or destruction of the PHI infeasible. Upon
termination of this BAA for any reason, all of Associate’s obligations under this BAA shall survive termination and
remain in effect (a) until Associate has completed the return or destruction of PHI as required by this Section and
(b) to the extent Associate retains any PHI pursuant to this Section.

Third Parties. Notwithstanding anything in this BAA or the Service Agreement to the contrary, Associate will
not be liable for any in violation of HIPAA, this BAA, or the Service Agreement, or use or disclosure of PHI in
violation thereof, that is caused by any entity or individual other than Associate, including but not limited to
third party vendors selected by Entity to provide services to Entity related to the services provided under the
Service Agreement.

General Provisions. In the event that any final regulation or amendment to final regulations is promulgated
by HHS or other government regulatory authority with respect to PHI, the parties shall negotiate in good faith to
amend this BAA to remain in compliance with such regulations. Any ambiguity in this BAA shall be resolved to permit
Entity and Associate to comply with the HIPAA Rules. Nothing in this BAA shall be construed to create any rights or
remedies in any third parties or any agency relationship between the parties. A reference in this BAA to a section
in the HIPAA Rules means the section as in effect or as amended. The terms and conditions of this BAA override and
control any conflicting term or condition of the Service Agreement and replace and supersede any prior business
associate agreements in place between the parties. All non-conflicting terms and conditions of the Service Agreement
remain in full force and effect.