Business Associate Agreement

This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is made and entered into as of the date the user accepts this agreement online (by checking the acceptance box during account registration) by and between the Covered Entity identified during account registration, being either an individual therapist or health-care organization, organized under the laws of its applicable jurisdiction (“Covered Entity”), and Mentalyc, Inc., a Delaware corporation organized under the laws of Delaware (“Business Associate”). In this BAA, Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties.”

BACKGROUND

I. Covered Entity is either a “covered entity” or a “business associate” of a covered entity, as each is defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);

II. The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the “Agreement”);

III. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;

IV. By providing the services pursuant to the Agreement, Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA;

V. Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 C.F.R. Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and

VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA, and other applicable laws.

AGREEMENT

NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:

1. Definitions

For purposes of this BAA, the Parties give the following meaning to each term below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.

A. “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.

B. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 C.F.R. §164.402.

C. “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 C.F.R. Part 164.

D. “Data Aggregation” has the meaning given in the Privacy Rule.

E. “Designated Record Set” has the meaning given in the Privacy Rule, including 45 C.F.R. §164.501.

F. “De-Identify” means to alter the PHI such that the resulting information meets 45 C.F.R. §§164.514(a) and (b).

G. “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 C.F.R. §160.103.

H. “Health Care Operations” has the meaning given in 45 C.F.R. §164.501.

I. “HHS” means the U.S. Department of Health and Human Services.

J. “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.

K. “Individual” has the meaning in 45 C.F.R. §§164.501 and 160.103 and includes a personal representative under 45 C.F.R. §164.502(g).

L. “Privacy Rule” means 45 C.F.R. Part 160 and Part 164, Subparts A and E.

M. “Protected Health Information” or “PHI” has the meaning given in 45 C.F.R. §§164.501 and 160.103, limited to information created or received by Business Associate from or on behalf of Covered Entity.

N. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

O. “Security Rule” means 45 C.F.R. Part 160 and Part 164, Subparts A and C.

P. “Unsecured Protected Health Information” or “Unsecured PHI” means PHI not rendered unusable, unreadable, or indecipherable to unauthorized individuals through technologies or methodologies specified by the HHS Secretary (42 U.S.C. §17932(h)).

2. Use and Disclosure of PHI

A. Services. Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities permitted or required by this BAA or as required by law.

B. Management/Administration. Covered Entity authorizes Business Associate to use PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for such purposes if (i) required by law; or (ii) the recipient provides reasonable written assurances to keep PHI confidential and to report any breach.

C. HIPAA Compliance & Minimum Necessary. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law, and will apply the Minimum Necessary standard for each use or disclosure.

D. Availability to Covered Entity. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or its agents/subcontractors have in their possession.

E. Reporting Violations of Law. Business Associate may use PHI to report violations of law to appropriate authorities, consistent with 45 C.F.R. §164.502(j)(1).

3. Safeguards Against Misuse of PHI

Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity, and take reasonable steps (including workforce training) to ensure compliance.

4. Reporting Disclosures of PHI and Security Incidents

Business Associate will report to Covered Entity in writing within five (5) business days any use or disclosure of PHI not provided for by this BAA of which it becomes aware and will report any Security Incident affecting Covered Entity’s Electronic PHI of which it becomes aware. Unsuccessful Security Incidents (e.g., pings, blocked firewall events, failed logins) need not be reported unless they result in unauthorized access, use, or disclosure of PHI.

5. Reporting Breaches of Unsecured PHI

Business Associate will notify Covered Entity without unreasonable delay and in no case later than thirty (30) calendar days after discovery of any Breach of Unsecured PHI, including the information required by 45 C.F.R. §164.410. Business Associate will reimburse Covered Entity for reasonable costs it incurs to comply with Subpart D of 45 C.F.R. Part 164 to the extent such costs result from Business Associate’s Breach.

6. Mitigation of Disclosures of PHI

Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect known to Business Associate of any improper use or disclosure of PHI by Business Associate or its agents/subcontractors.

7. Agreements with Agents or Subcontractors

Business Associate will ensure that agents/subcontractors with access to PHI agree in writing to restrictions and conditions at least as protective as this BAA and implement appropriate safeguards.

8. Access to PHI by Individuals

A. Upon request, Business Associate will furnish Covered Entity with copies of PHI in a Designated Record Set to enable Covered Entity to respond to an Individual’s access request under 45 C.F.R. §164.524.

B. If an Individual requests access directly from Business Associate, Business Associate will, within ten (10) business days, forward the request to Covered Entity. Covered Entity is responsible for responding.

9. Amendment of PHI

A. Upon request and instruction from Covered Entity, Business Associate will amend PHI in a Designated Record Set as directed by Covered Entity under 45 C.F.R. §164.526 (completed within 15 business days of request).

B. If an Individual requests amendment directly from Business Associate, Business Associate will, within ten (10) business days, forward the request to Covered Entity. Covered Entity is responsible for responding.

10. Accounting of Disclosures

A. Business Associate will document disclosures of PHI as required by 45 C.F.R. §164.528(a) and make available information needed by Covered Entity to respond. At minimum, Business Associate will provide: (i) date of disclosure; (ii) name (and, if known, address) of recipient; (iii) brief description of PHI disclosed; and (iv) brief statement of the purpose including the basis for disclosure.

B. Business Associate will furnish such information to Covered Entity within ten (10) business days after request.

C. If an Individual submits the initial accounting request directly to Business Associate, Business Associate will, within ten (10) business days, forward it to Covered Entity.

11. Availability of Books and Records

Business Associate will make available its internal practices, books, agreements, records, and policies/procedures relating to the use and disclosure of PHI to the Secretary of HHS for purposes of determining the Parties’ compliance with HIPAA and this BAA.

12. Responsibilities of Covered Entity

A. Notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices (45 C.F.R. §164.520) that may affect Business Associate’s use or disclosure of PHI.

B. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes may affect Business Associate’s use/disclosure.

C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to (45 C.F.R. §164.522) to the extent it may affect Business Associate’s use/disclosure.

D. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

13. Data Ownership

As between the Parties, Covered Entity retains all right, title, and interest in and to PHI and any Customer Data shared under the Agreement. Business Associate’s data stewardship does not confer ownership on Business Associate. Business Associate will not sell PHI.

14. Term and Termination

A. This BAA becomes effective on the Effective Date and continues until all obligations under the Agreement and this BAA have been met.

B. Covered Entity may terminate this BAA (and related agreements) for material breach by Business Associate not cured to Covered Entity’s reasonable satisfaction within 30 days after written notice. Covered Entity may report to HHS if termination is not feasible.

C. If Business Associate determines Covered Entity has materially breached this BAA, Business Associate may provide written notice and 30 days to cure; failure to cure is grounds for immediate termination, and Business Associate may report the breach to HHS.

D. Upon termination of the Agreement or this BAA, Business Associate will return or destroy all PHI and not retain copies, including PHI held by agents/subcontractors. If return or destruction is infeasible, Business Associate will notify Covered Entity in writing of the conditions making it infeasible; upon mutual agreement, Business Associate will extend this BAA’s protections to such PHI and limit uses/disclosures to those that make return or destruction infeasible. This §14.D survives termination.

15. Effect of BAA

A. This BAA is part of and subject to the Agreement; to the extent of conflict, this BAA governs with respect to PHI.

B. Except as expressly stated in this BAA or as provided by law, this BAA does not create third-party rights.

16. Regulatory References

A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.

17. Notices

All notices, requests, demands, or other communications under this BAA must be provided by electronic mail to the contacts designated below (or as otherwise designated in writing). Notices are deemed given upon transmission confirmation.

If to Covered Entity:

Attn: __________  |  T: __________  |  E: __________

If to Business Associate:

Attn: Legal  |  E: support@mentalyc.com

18. Amendments and Waiver

This BAA may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing or as a bar to any right or remedy as to subsequent events.

19. HITECH Act Compliance

Each Party agrees to comply with applicable provisions of the HITECH Act and any HHS regulations issued with respect to it. The Parties agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with changes; if unable to agree, either Party may terminate on 30 days’ prior written notice.

20. Limitation of Liability

Subject to applicable law, the aggregate liability of Business Associate arising out of or related to this BAA shall not exceed $10,000. This cap applies to all claims in the aggregate, regardless of theory; failure of essential purpose does not expand liability. This clause does not limit Covered Entity’s obligations to pay fees under any separate service agreement.

21. Governing Law

This BAA is governed by the laws of the State of Delaware, without regard to conflict-of-laws rules.