Business Associate Agreement
THIS BUSINESS ASSOCIATE AGREEMENT (“BAA”) IS A BINDING LEGAL AGREEMENT BETWEEN YOU (REFERRED TO AS “ENTITY” OR “COVERED ENTITY”) AND HEALTH INNOVATION TECHNOLOGIES, INC., A WISCONSIN CORPORATION D/B/A REVOLUTIONEHR ON BEHALF OF ITSELF AND ITS AFFILIATES (“BUSINESS ASSOCIATE”) (EACH A “PARTY” AND COLLECTIVELY, THE “PARTIES”).
BY CLICKING THE “ACCEPT” BUTTON BELOW, YOU INDICATE YOUR ACCEPTANCE OF THIS BUSINESS ASSOCIATE AGREEMENT. IF YOU ARE ENTERING INTO THESE TERMS ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS, IN WHICH CASE “ENTITY” OR “COVERED ENTITY” SHALL REFER TO SUCH ENTITY. THIS BUSINESS ASSOCIATE AGREEMENT IS EFFECTIVE ON THE DATE OF ACCEPTANCE OF THESE TERMS (“EFFECTIVE DATE”).
RECITALS
Entity may be a “Covered Entity” as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91), as amended, (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (“Secretary”), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”);
RevolutionEHR performs Services for or on behalf of Entity, and in performing said Services, RevolutionEHR creates, receives, maintains, or transmits individually identifiable health information;
The Parties intend to protect the privacy and provide for the security of the individually identifiable health information Disclosed by Entity to RevolutionEHR, or accessed, received, created, or transmitted by RevolutionEHR, when providing Services. Such individually identifiable health information or Protected Health Information (“PHI”) will be protected in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act (Public Law 111-005) (“the HITECH Act”) and its implementing regulations and guidance issued by the Secretary, and other applicable state and federal laws, all as amended from time to time; and
Covered Entities are required under HIPAA to enter into Business Associate Agreements (“BAAs”) that meet certain requirements with respect to the Use and Disclosure of PHI, which are met by this BAA. Accordingly, to the extent required by HIPAA, RevolutionEHR agrees to comply with this BAA.
AGREEMENT
In consideration of the Recitals and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
ARTICLE I
DEFINITIONS
The following terms shall have the meaning set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in HIPAA, the HIPAA Regulations, or the HITECH Act, as applicable.
“Breach” shall have the meaning given such term under 45 C.F.R. § 164.402.
“Designated Record Set” shall have the meaning given such term under 45 C.F.R. § 164.501.
“Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Business Associate or to other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.
“Electronic PHI” or “e-PHI” means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.
“Protected Health Information” and “PHI” mean any information, whether oral or recorded in any form or medium, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. § 160.103. Protected Health Information includes e-PHI.
“Security Incident” shall have the meaning given to such term under 45 C.F.R. § 164.304.
“Services” shall mean the services for or functions on behalf of Covered Entity performed by Business Associate pursuant to any service agreement(s) between Covered Entity and Business Associate which may be in effect now or from time to time (“Underlying Agreement”), or, if no such agreement is in effect, the services or functions performed by Business Associate that constitute a Business Associate relationship, as set forth in 45 C.F.R. § 160.103.
“Subcontractor” shall have the meaning given to such term under 45 C.F.R. § 160.103.
“Unsecured PHI” shall have the meaning given to such term under 45 C.F.R. § 164.402.
“Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Business Associate’s internal operations, as set forth in 45 C.F.R. § 160.103.
“Workforce” shall have the meaning given to such term under 45 C.F.R. § 160.103.
ARTICLE II
OBLIGATIONS OF BUSINESS ASSOCIATE
Permitted Uses and Disclosures of Protected Health Information. Business Associate shall not Use or Disclose PHI other than for the purposes of performing the Services, as permitted or required by this BAA, or as Required by Law. Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of Subpart E of 45 C.F.R. Part 164 if so Used or Disclosed by Covered Entity. Without limiting the generality of the foregoing, Business Associate is permitted to (i) Use PHI for the proper management and administration of Business Associate; (ii) Use and Disclose PHI to carry out the legal responsibilities of Business Associate, provided that with respect to any such Disclosure either: (a) the Disclosure is Required by Law; or (b) Business Associate obtains a written agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not Use and further Disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; (iii) Use PHI for Data Aggregation purposes in connection with the Health Care Operations of Covered Entity; and (iv) Use PHI for purposes of de-identification of the PHI.
Adequate Safeguards of PHI. Business Associate shall implement and maintain appropriate safeguards and shall comply with the applicable requirements of Subpart C of 45 C.F.R. Part 164 to prevent Use or Disclosure of PHI other than as provided for by this BAA.
Reporting Security Incidents and Non-Permitted Uses or Disclosures of PHI. Business Associate shall report to Covered Entity in writing any Use or Disclosure by Business Associate or its Subcontractors that is not specifically permitted by this BAA and each Security Incident, including Breaches of Unsecured PHI, within three (3) calendar days of becoming aware. Notwithstanding the foregoing, Business Associate and Covered Entity acknowledge the ongoing existence and occurrence of attempted but ineffective Security Incidents that are trivial in nature, such as pings and other broadcast service attacks, and Covered Entity acknowledges and agrees that no additional notification to Covered Entity of such ineffective Security Incidents is required, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. If Business Associate determines that a Breach of Unsecured PHI has occurred, Business Associate shall provide a written report to Covered Entity without unreasonable delay but no later than thirty (30) calendar days after discovery of the Breach. To the extent that information is available to Business Associate, Business Associate’s written report to Covered Entity shall be in accordance with 45 C.F.R. § 164.410(c).
Use of Subcontractors. Business Associate shall require each of its Subcontractors that creates, maintains, receives, or transmits PHI on behalf of Business Associate, to execute a Business Associate Agreement that imposes on such Subcontractors substantially the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to PHI.
Access to Protected Health Information. To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall make the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets available to Covered Entity for inspection and copying, or to an individual to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524 within ten (10) business days of a request by Covered Entity.
Amendment of Protected Health Information. To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall amend the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets to enable the Covered Entity to fulfill its obligations under 45 C.F.R. § 164.526 within ten (10) business days of a request by Covered Entity.
Accounting. To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, within twenty (20) days of receipt of a request from Covered Entity or an individual for an accounting of disclosures of PHI, Business Associate and its Subcontractors shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.528 and 42 U.S.C. § 17935(c).
Delegated Responsibilities. To the extent that Business Associate carries out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate must comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
Availability of Internal Practices, Books, and Records to Government. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of Covered Entity’s PHI available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act.
ARTICLE III
OBLIGATIONS OF COVERED ENTITY
Covered Entity’s Obligations. Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI. Covered Entity agrees to obtain any consent or authorization that may be required under HIPAA or any other applicable law and/or regulation prior to furnishing Business Associate with PHI. Covered Entity shall not request Business Associate to make any Use or Disclosure of PHI that would not be permitted under HIPAA if made by Covered Entity. Covered Entity agrees to fulfill its obligations under this BAA in a timely manner.
ARTICLE IV
TERM AND TERMINATION
Term. The term of this BAA shall be effective as of the Effective Date and shall terminate as of the date that all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the PHI, protections are extended to such information.
Termination for Cause. Upon Covered Entity’s knowledge of a material breach or violation of this BAA by Business Associate, Covered Entity shall either:
A. Notify Business Associate of the breach in writing, and provide an opportunity for Business Associate to cure the breach or end the violation within thirty (30) business days of such notification; provided that if Business Associate fails to cure the breach or end the violation within such time period to the satisfaction of Covered Entity, Covered Entity may immediately terminate this BAA upon written notice to Business Associate; or
B. Upon thirty (30) business days written notice to Business Associate, immediately terminate this BAA if Covered Entity determines that such breach cannot be cured.
Disposition of Protected Health Information Upon Termination or Expiration
A. Upon termination or expiration of this BAA, Business Associate shall either return or destroy all PHI received from, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such PHI.
B. If return or destruction is not feasible, Business Associate shall continue to extend the protections of this BAA to the PHI for as long as Business Associate retains the PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible.
ARTICLE V
MISCELLANEOUS
Relationship to Underlying Agreement Provisions. In the event that a provision of this BAA is contrary to a provision of an Underlying Agreement, the provision of this BAA shall control. Otherwise, this BAA shall be construed under, and in accordance with, the terms of such Underlying Agreement, and shall be considered an amendment of and supplement to such Underlying Agreement, subject to Section 5.2 below.
Notices. Any notices required or permitted to be given hereunder by either Party to the other shall be given in writing: (1) by personal delivery; (2) by electronic mail (billing@revolutionehr.com) or facsimile (877-738-3479) with confirmation sent by United States first class registered or certified mail, postage prepaid, return receipt requested; (3) by bonded courier or by a nationally recognized overnight delivery service; or (4) by United States first class registered or certified mail, postage prepaid, return receipt, in each case, if addressed to RevolutionEHR to 6 Boulder Creek Circle Madison, WI 53717 and if to Covered Entity, to the address it provides to Provider. Notices shall be deemed received on the earliest of personal delivery; upon delivery by electronic facsimile with confirmation from the transmitting machine that the transmission was completed; twenty-four (24) hours following deposit with a bonded courier or overnight delivery service; or seventy-two (72) hours following deposit in the U.S. mail as required herein.
No Third Party Beneficiaries. Nothing expressed or implied in this BAA or the Underlying Agreement is intended to confer, nor will it confer, upon any person any rights, remedies, obligations or liabilities other than those explicitly detailed in this BAA or in the Underlying Agreement.
Relationship of Parties. Notwithstanding anything to the contrary in any Underlying Agreement, Business Associate is an independent contractor and not an agent of Covered Entity under this BAA. Business Associate has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all Business Associate obligations under this BAA.
Amendment. To the extent applicable, amendments or modification to HIPAA or the HITECH Act may require amendments to certain provisions of this BAA. Amendments shall only be effective if executed in writing and signed by a duly authorized representative of each party.
Interpretation. To the extent that the terms of this BAA are not clear in satisfying the parties’ intention to comply with the applicable requirements of HIPAA, the HIPAA Regulations, and the HITECH Act, these BAA terms shall be construed so as to allow for compliance by both parties with the applicable requirements of HIPAA, the HIPAA Regulations, and the HITECH Act.