EXPANDMD COGNITIVE TESTING FREE TRIAL & BAA

GENERAL CONDITIONS

1) COGNITIVE TESTING FREE TRIAL: Company shall provide up to five instances of the cognitive assessment
service described in the Fee Schedule at no charge to Client. The use of this free trial in no way constitutes any obligation
for Client to use any other services described in ExpandMD Service Agreement, nor any further cognitive testing services.
At Client’s sole discretion, Client may order additional services listed in the Fee Schedule at any point before, during, or
after the Cognitive Testing Free Trial at the rate specified in the ExpandMD Service Agreement. After the conclusion of
the Cognitive Testing Free Trial, Client may continue to order cognitive testing at the rate specified in the Fee Schedule.
2) PROVIDER QUALIFICATIONS: By entering into this Agreement, Client represents and warrants to ExpandMDos
(i) that Client is a properly licensed healthcare provider, and (ii) that Client shall consider the results of use of the
Licensed Product only in conjunction with other medical information needed to evaluate and manage patient care and
treatment as appropriate.
3) ENTIRE AGREEMENT AND MODIFICATION. This contract constitutes the entire agreement between the parties.
No modification or amendment of this contract shall be effective unless in writing and signed by both parties. This
contract replaces all prior agreements between the parties.
4) GOVERNING LAW. This contract shall be construed in accordance with the laws of the State of Florida.

BUSINESS ASSOCIATE AGREEMENT

This Privacy Agreement is effective upon signing this Agreement and is entered into by and between ExpandMD OS and
Provider.
1. Term. This Agreement shall remain in effect for the duration of this Agreement and shall apply to all of the Services
and/or Supplies delivered by ExpandMD OS pursuant to this Agreement.
2. HIPAA Assurances. In the event ExpandMD OS creates, receives, maintains, or otherwise is exposed to personally
identifiable or aggregate patient or other medical information defined as Protected Health Information (“PHI”) in the
Health Insurance Portability and Accountability Act of 1996 or its relevant regulations (“HIPAA”) and otherwise meets
the definition of Provider as defined in the HIPAA Privacy Standards (45 CFR Parts 160 and 164), ExpandMD OS shall:
(a) Recognize that HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009)
and the regulations thereunder (including 45 C.F.R. Sections 164.308, 164.3 10, 164.3 12, and 164.316), apply to
ExpandMD OS in the same manner that such sections apply to the Provider;
(b) Not use or further disclose the PHI, except as permitted by law;
(c) Not use or further disclose the PHI in a manner that had Provider done so, would violate the requirements of
HIPAA;
(d) Use appropriate safeguards (including implementing administrative, physical, and technical safeguards for
electronic PHI) to protect the confidentiality, integrity, and availability of and to prevent the use or disclosure of
the PHI other than as provided for by this Agreement;
(e) Comply with each applicable requirement of 45 C.F.R. Part 162 if the Provider conducts Standard Transactions
for or on behalf of the Provider;
(f) Report promptly to Provider any security incident or other use or disclosure of PHI not provided for by this
Agreement of which ExpandMD OS becomes aware;

(g) Ensure that any subcontractors or agents who receive or are exposed to PHI (whether in electronic or other
format) are explained the ExpandMD OS obligations under this paragraph and agree to the same restrictions and
conditions;
(h) Make available PHI in accordance with the individual’s rights as required under the HIPAA regulations;
(i) Account for PHI disclosures for up to the past six (6) years as requested by Provider, which shall include: (i)
dates of disclosure, (ii) names of the entities or persons who received the PHI, (iii) a brief description of the PHI
disclosed, and (iv) a brief statement of the purpose and basis of such disclosure;
(j) Make its internal practices, books, and records that relate to the use and disclosure of PHI available to the U.S.
Secretary of Health and Human Services for purposes of determining Customer’s compliance with HIPAA; and
ii Page
(k) Incorporate any amendments or corrections to PHI when notified by Provider or enter into a Provider
Agreement or other necessary Agreements to comply with HIPAA.

3. Termination Upon Breach of Provisions. Notwithstanding any other provision of this Agreement, Provider may
immediately terminate this Agreement if it determines that ExpandMD OS breaches any term in this Agreement.
Alternatively, ExpandMD OS may give written notice to Provider in the event of a breach and give Provider five (5)
business days to cure such breach. Provider shall also have the option to immediately stop all further disclosures of PHI
to ExpandMD OS if Provider reasonably determines that Provider has breached its obligations under this Agreement. If
termination of this Agreement and the Agreement is not feasible, ExpandMD OS hereby acknowledges that the Provider
shall be required to report the breach to the Secretary of the U.S. Department of Health and Human Services,
notwithstanding any other provision of this Agreement or Agreement to the contrary.
4. Return or Destruction of Protected Health Information upon Termination. Upon the termination of this
Agreement, unless otherwise directed by Provider, ExpandMD OS shall either return or destroy all PHI received from
the Provider or created or received by ExpandMD OS on behalf of the Provider in which ExpandMD OS maintains in
any form. ExpandMD OS shall not retain any copies of such PHI. Notwithstanding the foregoing, if ExpandMD OS
determines that returning or destroying the Protected Health Information is infeasible upon termination of this
Agreement, ExpandMD OS shall provide to Provider notification of the condition that makes return or destruction
infeasible.
To the extent that it is not feasible for ExpandMD OS to return or destroy such PHI, the terms and provisions of this
Agreement shall survive such termination or expiration and such PHI shall be used or disclosed solely as permitted by
law for so long as ExpandMD OS maintains such Protected Health Information.
5. No Third-Party Beneficiaries. The parties agree that the terms of this Agreement shall apply only to themselves and
are not for the benefit of any third-party beneficiaries.
6. De-Identified Data. Notwithstanding the provisions of this Agreement, Provider and its subcontractors may disclose
non-personally identifiable information provided that the disclosed information does not include a key or other
mechanism that would enable the information to be identified.
7. Amendment. Provider and ExpandMD OS agree to amend this Agreement to the extent necessary to allow either party
to comply with the Privacy Standards, the Standards for Electronic Transactions, the Security Standards, or other relevant
state or federal laws or regulations created or amended to protect the privacy of patient information. All such amendments
shall be made in a writing signed by both parties.
8. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits ExpandMD OS
to comply with the then most current version of HWAA and the HIPAA privacy regulations.
9. Definitions. Capitalized terms used in this Agreement shall have the meanings assigned to them as outlined in HIPAA
and its related regulations.
10. Survival. The obligations imposed by this Agreement shall survive any expiration or termination of this Agreement.