This Business Associate Agreement (BAA) between Sindi Inc. and you (“Covered Entity”) is entered into for the purposes of complying with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Public Law 111-005, and the regulations promulgated thereunder; 45 C.F.R. Parts 160 and Part 164, Subparts A, C, D and E (Subpart E, together with the definitions in Subpart A is known as the “Standards for Privacy of Individually Identifiable Health Information” (the “Privacy Rule”) and Subpart C, together with the definitions in Subpart A, is known as the “Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”) Subpart D, together with the definitions in Subpart A is known as the “Breach Notification Rule” (“Breach Notification Rule”) (the Privacy Rule, Breach Notification Rule and the Security Rule are collectively called the “Privacy and Security Rules”). Use of Sindi’s tools and services by Covered Entity indicate Covered Entities acceptance of the terms and conditions of this BAA, and delivery of such tools and performance of such services to Covered Entity by Sindi indicate acceptance of the same by Sindi.

Sindi may Use and Disclose PHI for the purposes of performing patient insurance eligibility, benefit verification, prior authorization services, patient eligibility for financial support services, to perform the other services accessed in this site or portal, and as otherwise permitted under this BAA or required by law. Sindi shall not Use or Disclose PHI in any manner that would constitute a violation of Subpart E of 45 C.F.R. Part 164 if so Used or Disclosed by Covered Entity. Without limiting the generality of the foregoing, Sindi is permitted to (i) Use PHI for the proper management and administration of Sindi; and (ii) Use and Disclose PHI to carry out the legal responsibilities of Sindi, provided that with respect to any such disclosure either: (a) the disclosure is required by law; or (b) Sindi obtains reasonable assurances from the person to whom the PHI is to be disclosed that such person will hold the PHI in confidence and will not Use and further Disclose such PHI except as required by law and for the purpose(s) for which it was disclosed by Sindi to such person, and that such person will notify Sindi of any instances of which it is aware in which the confidentiality of the PHI has been breached.

Sindi may also use PHI: (i) report to Covered Entity, in writing, any material use and/or disclosure of PHI by Sindi that is not permitted or required by this agreement of which Sindi becomes aware; or (ii) to use commercially reasonable efforts to maintain the security of the PHI and to prevent its Use and/or Disclosures contrary to this BAA.

To the extent that Sindi creates, receives, maintains or transmits electronic protected health information (ePHI) as that term is defined by the security rule, on behalf of Covered Entity, Sindi may use PHI and ePHI to report to Covered Entity any security incident of which Sindi becomes aware to the extent such incidents represent successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system that contains or has access to the ePHI of Covered Entity. Sindi is not required to report “pings” on Sindi’s firewall, broadcast attacks, unsuccessful login attempts, or similar unsuccessful security incidents provided that they do not result in the unpermitted access, use, or disclosure of ePHI or PHI.

Sindi will require any subcontractors and agents utilized in providing the services which use and/or Disclose the PHI to agree, in writing, to adhere to substantially similar restrictions and conditions on the Use and/or Disclosure of the PHI that apply to Sindi pursuant to this BAA

Sindi shall employ appropriate administrative, technical and physical safeguards, consistent with the size and complexity of Sindi’s operations, to protect the confidentiality of PHI and to prevent the Use or Disclosure of PHI in any manner inconsistent with the terms of this BAA, including meeting the requirements of 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316, which includes Sindi’s obligation to have written policies and procedures in place to document its administrative, technical and physical safeguards.

Sindi shall process Covered Entity’s requests to access records in the Designated Record Set and identified by Covered Entity so that Covered Entity can comply with 45 C.F.R. § 164.524.

Sindi shall process Covered Entity’s requests for amendment of the PHI in Sindi’s possession, solely upon Covered Entity’s request and in a manner that allows Covered Entity to comply with 45 C.F.R. § 164.526 and in a manner that is consistent with the manner in which Covered Entity is amending the PHI in Covered Entity’s possession.

The Parties agree that Sindi shall track and keep a record of all Disclosures of PHI, and that Sindi shall provide to Covered Entity the information necessary for Covered Entity to provide an accounting of Disclosures, in a manner compliant with 45 C.F.R. §164.528, to individuals who request an accounting. In each case Sindi shall provide at least the following information with respect to each such Disclosure: (a) the date of the Disclosure; (b) the name of the entity or person who received the PHI; (c) a brief description of the PHI disclosed; (d) a brief statement of the purpose of such Disclosure which includes an explanation of the basis for such Disclosure. In the event that Sindi receives a request for an accounting directly from an individual, Sindi shall forward such request to Covered Entity in writing.

If Sindi will perform a service for Covered Entity that is an obligation of Covered Entity under the Privacy Rule, to meet the applicable requirements in the performance of that service.

Sindi may de-identify PHI for lawful purposes, so long as such de-identification conforms to the requirements of 45 C.F.R. § 164.514, as may be amended from time to time. Additionally Sindi may provide data aggregation services relating to the health care operations of Covered Entity.

If Sindi receives a request, made by or on behalf of the Secretary of the United States Department of Health and Human Services (the “Secretary”), requiring Sindi to make its internal practices, books, and records relating to the Use and Disclosure of the PHI created or received by Sindi on behalf of Covered Entity available to the Secretary for the purpose of determining Covered Entity’s and/or Sindi’s compliance with HIPAA, then Sindi shall make its internal practices, books and records available to the Secretary or the Secretary’s authorized representative.

Covered Entity shall provide, and Sindi shall request, Use and Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the definition of “minimum necessary” from time to time, and agree to stay informed of any relevant changes to the definition.

In the event of a “Breach” of any “Unsecured” PHI that Sindi accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Sindi shall report such Breach to Covered Entity as soon as practicable, but in no event later than ten (10) business days after the date on which the Breach is discovered. “Breach” shall mean the unauthorized acquisition, access, Use, or Disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom the information is disclosed would not reasonably have been able to retain such information. “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). Notice of a Breach shall include, to the extent such information is available: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, and the date of discovery of the Breach, (iii) the scope of the Breach, and (iv) Sindi’s response to the Breach.

With regard to the Use and/or Disclosure of the PHI by Sindi, Covered Entity hereby agrees:

that the Uses and Disclosures of the PHI by Sindi pursuant to this BAA are, at the time of execution and throughout the term of this BAA will be, consistent with the form of notice of privacy practices (the “Notice”) that Covered Entity provides to individuals pursuant to 45 C.F.R. § 164.520.

Unless otherwise terminated as provided below, this BAA shall become effective on the Effective Date and shall have a term that shall run concurrently with that of any oral or written agreement by Sindi to provide services to Covered Entity and will terminate without any further action of the Parties upon the termination of all such agreements.

If either Party determines that the other Party has engaged in a pattern of activity that constitutes a material breach of the other Party’s obligations under this BAA, the non-breaching Party shall, within twenty (20) days of that determination, notify the breaching Party and the breaching Party shall have thirty (30) days from receipt of that notice to cure the breach or end the violation. If the breaching Party fails to take reasonable steps to effect such a cure within such a time period, the non-breaching Party may terminate all or part of the service relationship. In no event shall such termination have any effect on sums due from Covered Entity for any services provided by Sindi under the engagement.

Where either Party has knowledge of a material breach by the other Party, and cure is not possible, the nonbreaching Party shall terminate the portion of the arrangement for Services affected by the breach.

Upon the event of termination of this BAA, Sindi agrees, where feasible, to return or destroy the PHI, which Sindi still maintains in any form. Prior to doing so, Sindi further agrees, to the extent feasible, to request the destruction of the PHI that is in the possession of its subcontractors or agents. If in Sindi’s opinion, itis not feasible for Sindi or any subcontractors to return or destroy portions of the PHI, Sindi shall, upon Covered Entity’s written request, inform Covered Entity as to the specific reasons that make such return or destruction infeasible and limit any further use or disclosures to the purposes that make the return or destruction of those portions of the PHI infeasible and provide the protections described herein to that PHI.

Nothing in this BAA shall be construed to create any third party beneficiary rights in any person.

This BAA may be executed in any number of counterparts, each of which shall be deemed an original. Electronic copies thereof shall be deemed to be originals.

If any controversy, dispute or claim arises between the Parties with respect to this BAA, the Parties shall make good faith efforts to resolve such matters informally.

Neither Party shall be liable to the other party for any incidental, consequential or punitive damages of any kind or nature, whether such liability is asserted on the basis of contract, tort (including negligence or strict liability), or otherwise, even if the other Party has been advised of the possibility of such loss or damages.

All notices, requests, approvals, demands and other communications required or permitted to be given under this BAA shall be in writing and delivered either personally, or by certified mail with postage prepaid and return receipt requested, or by overnight courier to the party to be notified. All communications will be deemed given when received. The addresses of the parties shall be as follows; or as otherwise designated by any party through notice to the other party:

If to Sindi:

Notices to Sindi may also be sent via e-mail to [info@sindireferrals.com].

The provisions of this BAA shall prevail over any provisions in any other agreements between Sindi and Covered Entity that may conflict or appear inconsistent with any provision of this BAA. This BAA shall be interpreted as broadly as necessary to implement and comply with HIPAA and the HITECH Act. The Parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies with and is consistent with HIPAA and the HITECH Act.