Business Associate Agreement
Last Updated: December 2025
This Business Associate Agreement ("BAA") is effective as of the Effective Date (as defined below) by and between an entity named in the signature block below ("Covered Entity") and airSlate Legal Forms, Inc. ("Business Associate") (each referred to as a "Party", and collectively, the "Parties").
The Parties desire to enter into this BAA in order to comply with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Health Information Technology for Economic and Clinical Health Act, Public Law §111-5 and the regulations promulgated thereunder by the United States Department of Health and Human Services, including the Privacy, Security, Breach Notification and Enforcement Rules at 45 C.F.R. Parts 160 and 164, each as amended by the final rule known as the Omnibus Rule (collectively, "HIPAA");
The Parties have entered into a service agreement (the "Underlying Agreement") pursuant to which Business Associate may use and/or disclose protected health information ("PHI") in its performance of the services pursuant to the Underlying Agreement (the "Services"); and
This BAA sets forth the terms and conditions pursuant to which PHI must be handled between the Covered Entity and Business Associate, and with third parties, during the term of the Underlying Agreement and after its termination.
In consideration of the mutual promises set forth in this BAA and the Business Arrangements, and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the Parties agree as follows.
1. Definitions
All capitalized terms used but not otherwise defined in this BAA must have the same meaning as those terms in HIPAA.
- "Breach" when capitalized, must have the meaning set forth in 45 C.F.R. § 164.402 (including all of its subsections); with respect to all other uses of the word "breach" in this BAA, the word must have its ordinary contract meaning.
- "Designated Record Set" must have the meaning set forth in 45 C.F.R. § 164.501 and must include, but not be limited to, medical records and billing records about Individuals.
- "Electronic Protected Health Information" or "EPHI" must have the same meaning as the term "electronic protected health information" in 45 C.F.R. § 160.103, limited to information that (i) is received by Business Associate from Covered Entity, or (ii) is accessed, created, received, transmitted, or maintained by Business Associate on behalf of Covered Entity.
- "Effective Date" means the date on which Business Associate was first engaged to provide services to Covered Entity under the Underlying Agreement.
- "Individual" must have the same meaning as the term "individual" in 45 C.F.R. § 160.103 and must include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
- "Protected Health Information" or "PHI" must have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, limited to information that (i) is received by Business Associate from Covered Entity, or (ii) is accessed, created, received, transmitted, or maintained by Business Associate on behalf of Covered Entity. PHI includes EPHI.
- "Required by Law" must have the same meaning as the term "required by law" in 45 C.F.R. § 164.103.
- "Secretary" must mean the Secretary of the Department of Health and Human Services or their designee.
- "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of Covered Entity's information in an information system controlled by Business Associate. Notwithstanding the foregoing, the Parties acknowledge and agree that Business Associate need not report all attempted but unsuccessful Security Incidents to Covered Entity, and that this BAA constitutes notice to Covered Entity that such unsuccessful Security Incidents occur periodically. Unsuccessful Security Incidents include, but are not limited to, pings and other broadcast attacks on the Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as such incidents do not result in actual unauthorized access, use, or disclosure of PHI.
- "Unsecured PHI" must have the same meaning as the term "Unsecured PHI" in 45 C.F.R. § 164.402.
2. Obligations and Activities of Business Associate
2.1. Use and Disclosure. Business Associate agrees not to use or disclose PHI other than as permitted or required by this BAA, or as Required By Law. To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of the Privacy Rule, Business Associate must comply with the applicable requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
2.2. Safeguards. Business Associate must, where applicable, comply with the HIPAA Security Rule with respect to EPHI and agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI and that prevent the use or disclosure of such PHI other than as provided for by this BAA.
2.3. Minimum Necessary. Business Associate agrees to make reasonable efforts to limit the use and/or disclosure of PHI to the minimum amount of information necessary to accomplish the intended permissible purpose of the use or disclosure.
2.4. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this BAA.
2.5. Subcontractors. Business Associate agrees to ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to materially the same or greater restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
2.6. Additional Restrictions. If Covered Entity notifies Business Associate that Covered Entity has agreed to be bound by additional restrictions on the uses or disclosures of PHI, Business Associate must be bound by such additional restrictions and must not disclose PHI in violation of such additional restrictions in accordance with 45 C.F.R. § 164.522.
2.7. Access to PHI. To the extent Business Associate maintains PHI in a Designated Record Set for Covered Entity in a decrypted format, Business Associate, at the request of Covered Entity, must make access to such PHI available to Covered Entity in accordance with 45 C.F.R. § 164.524.
2.8. Amendment of PHI. To the extent Business Associate has access to PHI in a decrypted format, and at Covered Entity's reasonable expense, Business Associate agrees to make amendment(s) to PHI in a Designated Record Set as directed by the Covered Entity as reasonably necessary to satisfy Business Associate's obligations pursuant to 45 CFR § 164.526. Notwithstanding the foregoing, Subcontractor need not make amendments to PHI in a Designated Record Set unless the Covered Entity is unable to make such amendments to such PHI on its own.
2.9. Accounting of Disclosures. To the extent Business Associate has access to Covered Entity's PHI in a decrypted format, Business Associate agrees to document and provide to Covered Entity, within thirty (30) calendar days of the receipt of a written request from Covered Entity, an accounting of disclosures of PHI and information related to such disclosures as required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
2.10. Forwarding Requests from an Individual. In the event that any Individual requests access to, amendment of, or accounting of PHI directly from Business Associate, Business Associate must forward such request to Covered Entity in accordance with applicable law.
2.11. Books and Records. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or received by Business Associate on behalf of, Covered Entity, available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with HIPAA, in accordance with applicable law.
2.12. Reporting. Business Associate agrees to report to Covered Entity any Security Incident or other use or disclosure of the PHI not permitted by this BAA of which it becomes aware, in accordance with HIPAA, and within 30 calendar days. If Business Associate discovers that a Breach of Unsecured PHI has occurred, Business Associate must notify Covered Entity in accordance with the requirements of 45 C.F.R. §164.410. Notwithstanding the foregoing, such notice must include the identification of each Individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed in connection with such Breach, to the extent Business Associate has access to such information without decryption of data. In addition, Business Associate must provide any additional information reasonably requested by the Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the Individual under 45 C.F.R. §164.404(c) at the time of notification or promptly thereafter as information becomes available.
3. Permitted Uses and Disclosures by Business Associate
3.1. Uses and Disclosures. Except as otherwise expressly limited in this BAA, Business Associate may use and disclose PHI to perform the Services, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.
3.2. Management and Administration. Except as otherwise expressly limited in this BAA, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided, however, that any permitted Disclosure of PHI to a third party must be either Required By Law or subject to Business Associate obtaining reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.3. Disclosures Required By Law. Business Associate may use or disclose any PHI as Required By Law.
3.4. Data Aggregation. Except as otherwise expressly limited in this BAA, Business Associate may use and disclose PHI to provide Data Aggregation Services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
3.5. De-Identification. Business Associate may use PHI to de-identify PHI and create de-identified information from PHI as described under 45 C.F.R. § 164.514, subject to any restrictions in HIPAA. Covered Entity and Business Associate understand and acknowledge that properly de-identified information is not "Protected Health Information" under the terms of this BAA, and Business Associate may subsequently use and disclose such de-identified data unless otherwise prohibited by applicable law.
3.6. Derivative Data. Unless expressly prohibited in this BAA, Parties agree that Business Associate may access, use, and disclose the Covered Entity Data to the extent permitted by law, including de-identified information, and agree that any result or product derived from permitted access and use under applicable law, including any derivatives of information, must be the property of Business Associate and all rights related to such product(s). In the event such license is necessary, Parties agree Business Associate is granted a non-exclusive, transferrable, assignable, fully-paid, and royalty-free license to the derivative information, result, and works of the information, and such license must survive termination of this BAA. "Covered Entity Data" means any tangible or intangible data which is provided by or on behalf of Covered Entity to Business Associate to perform the services under the Underlying Agreement.
4. Indemnification
The Parties agree and acknowledge that the indemnification obligations contained in the Underlying Agreement must govern each Party's performance under this BAA.
5. Obligations of Covered Entity
5.1. Notice of Privacy Practices. Covered Entity must notify Business Associate of any limitation(s) in any applicable notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI. Covered Entity must provide such notice no later than fifteen (15) days prior to the effective date of the limitation.
5.2. Notification of Changes Regarding Individual Permission. Covered Entity must notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI. Covered Entity must provide such notice no later than fifteen (15) days prior to the effective date of the change. Covered Entity must obtain any consent or authorization that may be required by the HIPAA Privacy Rule, or applicable state law, prior to furnishing a Business Associate with PHI.
5.3. Notification of Restrictions to Use or Disclosure of PHI. Covered Entity must notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI. Covered Entity must provide such notice no later than fifteen (15) days prior to the effective date of the restriction. Covered Entity must obtain any consent or authorization that may be required by the HIPAA Privacy Rule, or applicable state law, prior to furnishing a Business Associate with PHI.
5.4. Permissible Requests. Covered Entity must not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the Security Rule, or HIPAA if done by Covered Entity, except as permitted pursuant to the provisions of Section 3 of this BAA.
6. Termination
6.1. Term. This BAA must be effective as of the Effective Date and must continue until terminated in accordance with Section 6.b hereof, or until the Underlying Agreement terminates, whichever occurs earlier.
6.2. Termination. Upon either Party's (the "Non-Breaching Party") knowledge of a material breach by the other Party (the "Breaching Party"), the Non-Breaching Party must provide thirty (30) days for the Breaching Party to cure the material breach, and if the Breaching Party does not cure the material breach within such time, the Non-Breaching Party may terminate this BAA and the Underlying Agreement, as appropriate. If the Breaching Party has violated a material term of this BAA, and cure is not possible, the Non-Breaching Party may immediately terminate this BAA.
6.3. Effect of Termination. Upon termination of this BAA or the Underlying Agreement, for any reason, Business Associate must destroy all PHI received from Covered Entity or received by Business Associate on behalf of Covered Entity, except to the extent any such PHI is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities. Notwithstanding the foregoing, in the event that Business Associate determines that destroying the PHI is not feasible, Business Associate must provide to Covered Entity notification of the conditions that make destruction not feasible, and Business Associate must extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the destruction not feasible, for so long as Business Associate maintains such PHI.
7. Miscellaneous
7.1. Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended from time to time, and for which compliance is required.
7.2. Primacy. To the extent that any provisions of this BAA conflict with the provisions of the Underlying Agreement or any other agreement or understanding between the Parties, this BAA must control with respect to the subject matter of this BAA.
7.3. Amendment; Waiver. This BAA may not be modified, nor must any provision be waived or amended, except in writing duly signed by the Parties. A waiver with respect to one event must not be construed as continuing, or as a bar to, or waiver of any right or remedy as to subsequent events.
7.4. Ambiguities. Any ambiguity in this BAA must be resolved to permit compliance with HIPAA. To the extent any provision of this BAA conflicts with any provision of any other agreement or understanding between the Parties, this BAA must control with respect to the subject matter of this BAA.
7.5. Governing Law and Jurisdiction. This BAA is governed by and construed in accordance with the same internal laws as stated in the applicable Underlying Agreement.
7.6. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended or must be deemed to confer upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, obligations, remedies, or liabilities.
7.7. Counterparts; Facsimiles. This BAA may be executed in any number of counterparts, each of which must be deemed an original. Facsimile copies of this document must be deemed to be originals.
7.8. Independent Contractors. No provision of this BAA is intended to create, nor must be deemed or construed to create any employment, agency, or joint venture relationship between Covered Entity and Business Associate other than that of independent entities contracting with each other hereunder solely for the purpose of effectuating the provisions of this BAA. None of the Parties or any of their respective representatives must be construed to be the agent, employer, or representative of the other. The Parties have reviewed the factors to determine whether an agency relationship exists under the federal common law of agency, and it is not the intention of either Covered Entity or Business Associate that the Business Associate constitutes an "agent" under such common law.
7.9. Notices. Any notices to be given under this BAA to a Party must be made via U.S. Mail or express courier to such Party's address set forth below, and/or via facsimile to the facsimile telephone numbers listed below. Each Party may change its address and that of its representative for notice by giving notice thereof in the manner provided above in this Section.
For Business Associate to: 17 Station Street, Ste. 303, Brookline, Massachusetts, 02445, Email: legal@airslate.com, Attention: General Counsel.
For Covered Entity to: (to be filled out by the Covered Entity).
In witness whereof, the Parties have executed this BAA as of the Effective Date.