Business Associate Agreement

THIS BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into between the User (as defined in the Privacy Policy and Terms and Conditions of Use) and Witty Health Inc. (“Witty”) as of the date that the User  electronically agrees to the terms of the Privacy Policy and Terms and Conditions of Use governing the Services.

Witty is a “Business Associate” and Users are a “Covered Entity” under this Agreement in instances when Users upload protected health information to Witty. Subcontractors that register as Users or agree to the terms of Witty’s Privacy Policy and Terms and Conditions of Use and receive, maintain, or transmit protected health information on behalf of Witty are “Business Associates” of Witty and are also subject to terms of this Agreement.

Business Associate acknowledges and agrees that it is considered a "business associate" as defined by HIPAA and by regulations promulgated thereunder. As a business associate of Covered Entity, Business Associate shall comply with the following terms of this Agreement, as required pursuant to 45 C.F.R. § 164.504.

Business Associate agrees that it shall use and disclose Protected Health Information received from Covered Entity for the purposes of providing the Service services, as otherwise permitted under this Agreement, or as Required by Law. Business Associate is authorized to use Protected Health Information to deidentify the information in accordance with 45 C.F.R. § 164.514(a)-(c). Business Associate agrees to follow guidance issued by the Secretary regarding what constitutes "minimum necessary" with respect to the use or disclosure of PHI and EPHI. Until such time that such guidance is issued, Business Associate shall limit its use or disclosure of PHI and EPHI, to the extent practicable, to the limited data set (as defined in 45 C.F.R. 164.514(e)(2)), or to the minimum necessary to accomplish the intended purpose of such use, disclosure or request, respectively.

Business Associate shall not disclose any PHI to any Subsequent Business Associate, unless and until Business Associate and the Subsequent Business Associate have entered into an agreement containing the same terms and conditions as set forth in this Agreement.

In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2), if applicable, Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.

Consistent with the requirements of 45 C.F.R. 164.502(j)(1), Business Associate may disclose Protected Health Information to report violations of law to appropriate Federal and State authorities.

Business Associate shall implement appropriate administrative, technical, and physical safeguards to prevent any use or disclosure of Protected Health Information not authorized by this Agreement. Specifically, Business Associate agrees to comply with the requirements of 45 C.F.R. 164.308, 164.310,164.312 and 164.316 to the same extent such requirements apply to Covered Entity.

Business Associate shall report to Covered Entity any illegal, unauthorized, or improper use or disclosure of Protected Health Information, Security Incident or any Breach (collectively, "Known Misuse") by it or a Subsequent Business Associate without unreasonable delay and within ten (10) business days of obtaining knowledge of such Known Misuse. Additionally, if the Known Misuse is a Breach of Unsecured Protected Health Information, Business Associate shall comply with the requirements of 45 C.F.R. 164.410. Business Associate shall take, or, in the event that the acts or omissions of a Subsequent Business Associate gave rise to the Known Misuse, shall require a Subsequent Business Associate to take, commercially reasonable actions to mitigate the negative impact of any Known Misuse and adopt additional or improve existing safeguards to prevent recurrence.

Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary, or their designees, for purposes of determining and facilitating Business Associate's and Covered Entity's compliance with the Privacy Standards and Security Standards.

Within ten (10) days of a request by Covered Entity, Business Associate shall provide Protected Health Information in its possession or in the possession of a Subsequent Business Associate to Covered Entity in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.524 to provide Individuals with access to their Protected Health Information.

Business Associate shall notify Covered Entity within five (5) days of receiving a request from an Individual to access Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.

Within ten (10) days of a request by Covered Entity, Business Associate shall provide Protected Health Information in its possession or in the possession of a Subsequent Business Associate to Covered Entity in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.526 to provide Individuals the right to amend their Protected Health Information.

Within twenty (20) days of a request by Covered Entity, Business Associate shall provide Covered Entity with an accounting of all disclosures of Protected Health Information, other than disclosures excepted from the Privacy Standards accounting requirement under 45 C.F.R. 164.528(a)(1)(i)-(ix), made by Business Associate or by a Subsequent Business Associate in the previous six (6) years in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.528 to provide Individuals with an accounting of disclosures of their Protected Health Information.

The accounting shall include, with respect to each disclosure: the date of the disclosure; the name (and address, if known) of the entity or person receiving the Protected Health Information; a description of the Protected Health Information disclosed; a statement of the purpose of the disclosure; and any other information the Secretary may require under 45 C.F.R. 164.528 (collectively, "Disclosure Information").

Notwithstanding anything in this Agreement to the contrary, for repetitive disclosures of Protected Health Information that Business Associate makes for a single purpose to the same person or entity, Business Associate may record: (a) the Disclosure Information for the first of these repetitive disclosures; (b) the frequency, periodicity or number of these repetitive disclosures made during the accounting period; and the date of the last of these repetitive disclosures.

Business Associate shall notify Covered Entity within ten (10) days of receiving a request from an Individual for an accounting of disclosures of Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.

In accordance with the HITECH Act, the parties acknowledge that the Secretary shall promulgate regulations regarding the right of Individuals to receive an accounting of disclosures made for treatment, payment and healthcare operations during the previous three (3) years if such disclosures are made through the use of an electronic health record. The parties agree to comply with such regulations promulgated by the Secretary as of the effective date of those regulations.

If Business Associate receives a court order, subpoena, or governmental request for documents or other information containing Protected Health Information, Business Associate will use reasonable efforts to notify Covered Entity of the receipt of the request within ten (10) business days to provide Covered Entity an opportunity to respond. Business Associate may comply with such order, subpoena, or request as Required by Law or permitted by law.

Except as permitted by the HITECH Act or regulations promulgated by the Secretary in accordance with the HITECH Act, and as of the effective date of such regulations, Business Associate shall not directly or indirectly receive remuneration in exchange for PHI unless Covered Entity notifies Business Associate that it obtained a valid authorization from the Individual specifying that the Individual's PHI may be exchanged for remuneration by the entity receiving such Individual's PHI.

Covered Entity shall notify Business Associate of limitation(s) in its notice of privacy practices, to the extent such limitation affects Business Associate's permitted Uses or Disclosures.

Covered Entity shall notify Business Associate of changes in, revocation of, permission by an Individual to use or disclose PHI, to the extent such changes affect Business Associate's permitted Uses or Disclosures.

Covered Entity shall notify Business Associate of restriction(s) in the Use or Disclosure of PHI that Covered Entity has agreed to, to the extent such restriction affects Business Associate's permitted Uses or Disclosures.

Covered Entity represents and warrants that any and all consents, authorizations, or other permissions necessary under the Privacy Standards or other applicable law (including state law) to transmit information through the Service and/or under this Agreement have been properly secured.

Covered Entity represents and warrants that it has obtained any and all authorizations from Individual for any use or disclosure of PHI for marketing, unless the marketing communication is made without any form of remuneration (i) to describe medical services or products provided by either party; (ii) for treatment of the Individual; or (iii) for case management or care coordination for the Individual or to direct or recommend alternate treatments, therapies, providers or settings.

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164.

The Term of this Agreement shall commence on, and this Agreement shall be effective as of the date which Covered Entity electronically registers for the Service and shall continue in effect for as long as Covered Entity is registered for the Service.

In the event either party determines that the other has engaged in a pattern of activity or practice that constitutes a material breach of a term of this Agreement and such violation continues for thirty (30) days after written notice of such breach has been provided, the party claiming a breach shall have the right to terminate Covered Entity's participation on the Service or, if termination is not feasible, to report the breach to the Secretary.

Upon termination of this Agreement, the parties hereby acknowledge that the return or destruction of PHI received by the Business Associate from Covered Entity is not feasible, and that, therefore, Business Associate may retain a copy of such Protected Health Information provided that: (i) the provisions of this Agreement shall continue to apply to any such information retained following cancellation, termination, expiration, or other conclusion of Covered Entity's participation on the Service; and (ii) Business Associate shall limit Uses and Disclosures of such PHI to those purposes that make the return or destruction thereof not feasible, for as long as Business Associate maintains such PHI.

All reasonable fees incurred to cause the return, destruction, or storage of Protected Health Information under this Section shall be borne by the Covered Entity.

A reference in this Agreement to a section in HIPAA, the HITECH Act, the Privacy Standards, or the Security Standards means the section as in effect or as amended at the time.

The respective rights and obligations of the parties under Section 4.3 of this Agreement shall survive the termination of this Agreement.

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with the Privacy Standards and Security Standards. Except to the extent specified by this Agreement, all of the terms and conditions governing Covered Entity's participation on the Service shall be and remain in full force and effect. In the event of any inconsistency or conflict between this Agreement and the terms and conditions governing Covered Entity's participation on the Service, the terms and provisions and conditions of this Agreement shall govern and control.

The parties shall work together through reasonable negotiations to amend this Agreement as necessary to comply with any changes in law, including, but not limited to, the promulgation of amendments to the Privacy Standards or Security Standards required by the HITECH Act or any other future laws, applicable to or affecting the rights, duties, and obligations of the parties under this Agreement or the terms and conditions governing Covered Entity's participation on the Service.

None of the provisions of this Agreement are intended to create, nor will they be deemed to create, any relationship between the parties other than that of independent parties contracting with each other as independent contractors solely for the purposes of effecting the provisions of this Agreement and the terms and conditions governing Covered Entity's participation on the Service.

In addition to notice provisions set forth in the Privacy Policy and Terms and Conditions of Use, we may notify you via postings on https://oncopower.org/ and https://www.oncopower.com/. You may contact us at support@oncopower.org or via mail or courier at the address below.

FOR WITTY, INC:

Witty Health

ATTN: Legal Department

5850 San Felipe Suite 500

Houston, TX 77057

FOR COVERED ENTITY:

The notice address for Covered Entity will be the address provided by that entity on the online registration page for the Witty Service.

Any proceedings to resolve or litigate any dispute or controversy between the Parties in any forum shall be conducted solely on an individual basis.  Neither Party will seek to have any dispute or controversy heard as a class action, private attorney general action, or in any other proceeding in which either party acts or proposes to act in a representative capacity. No arbitration or proceeding will be combined with another without the prior written consent of all Parties to all affected arbitrations or proceedings. If this class action waiver is found to be illegal or unenforceable, then it will not apply, and the dispute or controversy will proceed under the rules for arbitration stated below.

. If any dispute or controversy is not resolved by informal negotiation, then the dispute or controversy will be decided exclusively by binding arbitration governed by the Federal Arbitration Act (“FAA”). Each Party is giving up the right to litigate (or participate in as a party or class member) all disputes or controversies in court before a judge or jury. Instead, all disputes or controversies will be resolved before a neutral arbitrator, whose decision will be final except for a limited right of appeal under the FAA. Any court with jurisdiction over the parties may enforce the arbitrator’s award.

Any arbitration will be conducted by the American Arbitration Association (the “AAA”) under its Commercial Arbitration Rules. For more information, see www.adr.org or call 1-800-778-7879 FREE. No award of punitive damages will be made in any such arbitration. Each Party will bear its own fees and costs in connection with any such arbitration, but the costs incurred through AAA, including the fees and expenses of the arbitrator, will be shared equally by the parties unless the arbitration award provides otherwise. All arbitration proceedings will be held only in the city of Houston, Texas in the United States. The decision of the arbitrator or arbitrators is final, and binding and any award may be confirmed and enforced in any court of competent jurisdiction.  To the extent the terms of this Agreement conflicts with the AAA’s Commercial Arbitration Rules, the terms of this Agreement shall control.

This Agreement shall be governed by and construed in accordance with the laws of the State of Texas (excepting any conflict of laws provisions which would serve to defeat application of Texas law). Each of the parties hereto submits to the exclusive jurisdiction of the state and/or federal courts located within the State of Texas for any suit, hearing or other legal proceeding of every nature, kind and description whatsoever in the event that any dispute or controversy arising hereunder is prohibited from being adjudicated under the above arbitration provisions.

This Agreement is effective upon the User’s acceptance of Privacy Policy and Terms and Conditions of Use during the online registration process.

Version: August 1, 2019