Business Associate Agreement

THIS BUSINESS ASSOCIATE AGREEMENT (“BAA” or “Agreement”) is entered into between PicassoMD and Primary Care Provider, or PicassoMD and Specialist (collectively, “The Parties”). This BAA is effective on the date Primary Care Provider or Specialist electronically agrees to be legally bound by this BAA (“Effective Date”).

A.

Purpose. The purpose of this Agreement is to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, 45 C.F.R. parts 142 and 160-164, as may be amended, including the Privacy, Security, Breach Notification, and Enforcement Rules (the “HIPAA Rules”).

B.

Relationship. For purposes of this Agreement, “Primary Care Provider” means a primary care physician, or a group of primary care physicians, that are seeking medical advice for their patients from a specialist. “Specialist” means a physician, or group of physicians, that has expertise in a medical speciality and is prepared to advise primary care physicians. Primary Care Provider and Specialist have subscribed to receive the Services offered by PicassoMD. The terms of that subscription are set forth in the PicassoMD Terms of Use. By electronically signing the PicassoMD Terms of Use, Primary Care Provider and Specialist have agreed to be bound by its terms. The PicassoMD Terms of Use provide that, in order to enable PicassoMD to provide the Services to Primary Care Provider and Specialist, PicassoMD has the right to extract, transmit, store or use information and data related to the Services, including medical notes, medical records, and patient information. Such medical notes and patient information are likely to constitute Protected Health Information (“PHI”), as that term is defined in the HIPAA Rules.

C.

Permitted Uses and Disclosures. The Parties may use or disclose PHI only as permitted or required by this BAA, or as otherwise required by law. The Parties may disclose PHI to, and permit the use of PHI by, their employees, contractors, agents, or other representatives only to the extent directly related to and necessary for the performance of the Services. Disclosure of PHI to and use of PHI by subcontractors, agents and other representatives is also subject to Section F below. When requesting PHI, The Parties will request only the minimum PHI necessary to perform the Services. The Parties will not use or disclose PHI in a manner that is inconsistent with the party’s obligations under the HIPAA Rules.

D.

Safeguards for the Protection of PHI. The Parties shall comply with Subpart C of 45 CFR Part 164. The Parties shall maintain commercially appropriate security safeguards to ensure that PHI obtained from during the use of The Services, is not used or disclosed in violation of this BAA. The safeguards are designed to protect the confidentiality and integrity of PHI obtained from, accessed or created on behalf of The Parties. Security measures maintained by The Parties shall comply with the HIPAA Rules, and include those administrative, physical, and technical security safeguards necessary to protect PHI, including, without limitation, safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of all PHI that The Parties create, receive, maintain, or transmit.

E.

Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures.

1.

PicassoMD has established and implemented, and Specialist and Primary Care Provider shall establish and implement, procedures and other reasonable efforts to mitigate, to the greatest extent possible, any harmful effects arising from any improper use or disclosure of PHI.

2.

The Parties shall comply with Section 13402 of the HITECH Act and implementing regulations, 45 CFR Part 164, Subpart D, as may be amended (collectively, the Breach Notification Rules). PicassoMD shall report any breach of unsecured PHI to The Party that provided the PHI to PicassoMD, Primary Care Provider and/or Specialist within two (2) business days of completing its assessment and concluding that a breach has occurred. The Party that received the PHI from PicassoMD, Specialist and/or Primary Care Provider, shall report any breach of unsecured PHI to PicassoMD, within two (2) business days of completing its assessment and concluding that a breach has occurred. The Party that caused, or is responsible for, such breach, PicassoMD, Primary Care Provider, and/or Specialist, shall provide all information regarding such breach, including an assessment of such breach, that is reasonably requested by another Party.

3.

If a breach is caused by Specialist or Primary Care Provider or its subcontractors or agents, PicassoMD may either: (i) require Specialist or Primary Care Provider to notify affected individuals in accordance with Breach Notification Rules; or (ii) notify the affected individuals directly, in which case Specialist or Primary Care Provider shall reimburse PicassoMD for all reasonable expenses associated with the notifications.

4.

If a breach is caused by PicassoMD or its subcontractors or agents, Specialist or Primary Care Provider may either: (i) require PicassoMD to notify affected individuals in accordance with Breach Notification Rules; or (ii) notify the affected individuals directly, in which case PicassoMD shall reimburse Specialist or Primary Care Provider for all reasonable expenses associated with the notifications.

F.

Subcontractors, Agents, and Representatives – Use and Disclosure of PHI. The Parties will enter into a written Business Associate Agreement with any subcontractor, agent, or other representative that creates, receives, uses, obtains, accesses, maintains, or transmits PHI obtained or created during the course of use of the Services. The BAA between Specialist, Primary Care Provider, or PicassoMD and its subcontractors, agents or other representatives shall contain the same restrictions, conditions and requirements regarding the use and/or disclosure of PHI and safeguarding of PHI that apply to The Parties under this BAA. The Parties shall terminate any business associate relationship with a subcontractor, agent or representative if it knows of a pattern of activity or practice that constitutes a material breach or violation of the subcontractor’s, agent’s or representative’s obligations, unless such material breach or violation has been cured to the reasonable satisfaction of The Parties.

Individual Rights

1.

Right of Access. (a) Specialist and Primary Care Provider shall provide an individual or PicassoMD access to PHI, at the request of PicassoMD and in the time and manner designated by PicassoMD as required under 45 C.F.R. § 164.524. (b) PicassoMD shall provide an individual or Specialist or Primary Care Provider access to PHI, at the request of Specialist or Primary Care Provider and in the time and manner designated by Specialist or Primary Care Provider as required under 45 C.F.R. § 164.524.

2.

Right of Amendment. (a) Specialist or Primary Care Provider shall make any amendment(s) to PHI that PicassoMD directs or agrees to pursuant to 45 C.F.R. § 164.526 in the time and manner designated by PicassoMD. (b) PicassoMD shall make any amendment(s) to PHI that Specialist or Primary Care Provider directs or agrees to pursuant to 45 C.F.R. § 164.526 in the time and manner designated by Specialist or Primary Care Provider.

3.

Right to Accounting of Disclosures

a.

Specialist and Primary Care Provider shall document any disclosures of PHI that would be necessary to allow PicassoMD to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and shall forward a copy of such documentation to PicassoMD within ten (10) business days of PicassoMD’s request for such documentation. Specialist and Primary Care Provider shall provide to PicassoMD any further information requested by PicassoMD to enable PicassoMD to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. To the extent Specialist and Primary Care Provider make any disclosures on behalf of PicassoMD through an electronic health record as defined in Section 13400 of the HITECH Act, Specialist and Primary Care Provider will document all such disclosures of PHI as required under the HITECH Act and its implementing regulations, and will provide an accounting of such disclosures directly to an individual upon his/her request. Specialist’s and Primary Care Provider’s obligation to document disclosures made through an electronic health record and provide an accounting of such disclosures directly to individuals upon request shall be effective as of the date by which business associates are required to comply with Section 13405(c) of the HITECH Act or such later date specified by the Secretary of HHS.

b.

PicassoMD shall document any disclosures of PHI that would be necessary to allow Specialist or Primary Care Provider to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and shall forward a copy of such documentation to Specialist or Primary Care Provider within ten (10) business days of Specialist’s or Primary Care Provider’s request for such documentation. PicassoMD shall provide to Specialist or Primary Care Provider any further information requested by Specialist or Primary Care Provider to enable Specialist or Primary Care Provider to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. To the extent PicassoMD makes any disclosures on behalf of Specialist or Primary Care Provider through an electronic health record as defined in Section 13400 of the HITECH Act, PicassoMD will document all such disclosures of PHI as required under the HITECH Act and its implementing regulations, and will provide an accounting of disclosures directly to an individual upon his/her request. PicassoMD’s obligation to document disclosures made through an electronic health record and provide an accounting of such disclosures directly to individuals upon request shall be effective as of the date by which business associates are required to comply with Section 13405(c) of the HITECH Act or such later date specified by the Secretary of HHS.

G.

Use and Disclosure for The Parties’ Purposes.

1.

Use. Except as otherwise limited in this Agreement, The Parties may each use PHI for the proper management and administration of The Parties or to carry out each of their legal responsibilities.

2.

Disclosure. Except as otherwise limited in this Agreement, The Parties may disclose PHI for the proper management and administration of their respective business provided the disclosures are required by law, or The Parties obtain reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies PicassoMD or Specialist or Primary Care Provider of any instances of which it is aware in which the confidentiality of the PHI has been breached.

H.

Audit, Inspection and Enforcement by PicassoMD. With reasonable notice, PicassoMD may audit Specialist or Primary Care Provider to monitor compliance with this Agreement. Specialist or Primary Care Provider will promptly correct any violation of this Agreement found by PicassoMD and will certify in writing that the correction has been made. Specialist or Primary Care Provider will make its internal practices, books, records, and policies and procedures relating to the use and disclosure of PHI received from, or created or received by Specialist or Primary Care Provider on behalf of PicassoMD, available to the federal Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), or to PicassoMD for purposes of monitoring compliance with the HIPAA Rules.

I.

Audit, Inspection and Enforcement by Specialist or Primary Care Provider. With reasonable notice, Specialist or Primary Care Provider may audit PicassoMD to monitor compliance with this Agreement. PicassoMD will promptly correct any violation of this Agreement found by Specialist or Primary Care Provider and will certify in writing that the correction has been made. PicassoMD will make its internal practices, books, records, and policies and procedures relating to the use and disclosure of PHI received from, or created or received by PicassoMD on behalf of Specialist or Primary Care Provider, available to the federal Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), or to Specialist or Primary Care Provider for purposes of monitoring compliance with HIPAA and the HIPAA Rules.

K.

Term and Termination.

1.

Term and Termination. This Agreement commences on the Effective Date. Unless terminated earlier pursuant to this Section K, this BAA will remain in effect for the duration of all services provided by PicassoMD to Primary Care Provider or Specialist and for so long as The Parties shall remain in possession of any PHI received or created during use of The Services, unless PicassoMD or Primary Care Provider or Specialist has agreed in accordance with Section K.2 that it is infeasible to return or destroy all PHI. PicassoMD may immediately terminate this Agreement if PicassoMD determines that Specialist or Primary Care Provider has breached a material term of this Agreement. Specialist or Primary Care Provider may immediately terminate this Agreement if Specialist or Primary Care Provider determines that PicassoMD has breached a material term of this Agreement. The Parties may also report the material breach to the Secretary of HHS or OCR.

2.

Effect of Termination. Upon termination of this BAA, The Parties will recover any PHI in the possession of their subcontractors, agents, or representatives. The Parties will destroy all such PHI plus all other PHI in its possession, and will retain no copies. If The Parties believe that it is not feasible to destroy the PHI as described above, PicassoMD shall notify Primary Care Provider or Specialist, and/or Specialist or Primary Care Provider shall notify PicassoMD, in writing. The Parties will ensure that any and all protections, requirements and restrictions contained in this BAA will be extended to any PHI retained after the termination of this BAA, and that any further uses and/or disclosures will be limited to the purposes that make the return or destruction of the PHI infeasible.

L.

Miscellaneous.

1.

Survival. The respective rights and obligations of the Parties under Sections I (Audit and Inspection Rights), K.2 (Effect of Termination), and L (Miscellaneous) will survive termination of this BAA indefinitely.

2.

Amendments; Waiver. This BAA constitutes the entire agreement between the Parties with respect to the HIPAA Rules. It may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of Primary Care Provider, Specialist and/or PicassoMD. A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

3.

Compliance with Privacy and Security Rules. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits The Parties to comply with the HIPAA Rules. To the extent the HIPAA Rules are revised, this BAA shall be deemed automatically amended to the extent necessary to comply with such revisions.

4.

No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any other person, other than the Primary Care Provider, Specialist and PicassoMD, and their successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.

5.

Notices. Any notice to be given under this BAA shall be made via U.S. Mail, commercial courier or electronic mail. Any such notice shall be deemed given when received at the proper address.