Preamble: Your organization will be accepting the Medical Insights Diagnostic Centers, Inc. Cloud Platform HIPAA Business Associate Addendum. Please verify that the Contact Information is correct and that the person listed is a qualified representative from your organization. That person needs to read and accept our terms and conditions to initiate the Medical Insights Diagnostic Centers, Inc. Cloud Platform HIPAA Business Associate Addendum.

Effective Date: Coincides with the start of subscription.

HIPAA Business Associate Addendum

This HIPAA Business Associate Addendum (“BAA”) is entered into between Medical Insights Diagnostic Centers, Inc. (“Medical Insights Diagnostic Centers, Inc.” dba Nuage Diagnostics aka NuageDx) and the customer agreeing to the terms below (“Customer”), and supplements, amends and is incorporated into the Services Agreement(s) (defined below) solely with respect to Covered Services (defined below). This BAA will be effective when Customer clicks to accept this Agreement (the “BAA Effective Date”).

Customer must have an existing Services Agreement in place for this BAA to be valid and effective. Together with the Services Agreement, this BAA will govern each party’s respective obligations regarding Protected Health Information (defined below).

You represent and warrant that (i) you have the full legal authority to bind Customer to this BAA, (ii) you have read and understand this BAA, and (iii) you agree, on behalf of Customer, to the terms of this BAA. If you do not have legal authority to bind Customer, or do not agree to these terms, please do not sign or click to accept the terms of this BAA.

1. Definitions. Any capitalized terms used but not otherwise defined in this BAA will have the meaning given to them in either (a) HIPAA and the HITECH Act or (b) the Services Agreement(s).

“Business Associate” has the definition given to it under HIPAA.

“Breach” has the definition given to it under HIPAA. A Breach will not include an acquisition, access, use, or disclosure of PHI with respect to which Medical Insights Diagnostic Centers, Inc. has determined in accordance with 45 C.F.R. § 164.402 that there is a low probability that the PHI has been compromised.

“Covered Entity” has the definition given to it under HIPAA.

“Covered Services” means the Medical Insights Diagnostic Centers, Inc. and Google products and services specifically identified at https://cloud.google.com/security/compliance/hipaa/ as being covered by the Google Cloud Platform BAA (BAA from Google) and Nuage Terms and Conditions Of Service.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, as amended.

“HIPAA Implementation Guide” means the informational guide that Google makes available describing how the Covered Services may be configured by Customer in connection with Customer’s HIPAA compliance efforts. The HIPAA Implementation Guide for the Covered Services is available for review at the following URL: https://cloud.google.com/security/compliance/hipaa/.

“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.

“Protected Health Information” or “PHI” has the definition given to it under HIPAA and for purposes of this BAA is limited to PHI within Customer Data to which Medical Insights Diagnostic Centers, Inc. has access through the Covered Services in connection with Customer’s permitted use of Covered Services.

“Security Breach” means any Breach of Unsecured PHI or Security Incident of which Medical Insights Diagnostic Centers, Inc. becomes aware.

“Security Incident” has the definition given to it under HIPAA.

“Services Agreement(s)” means the written agreement(s) entered into between Medical Insights Diagnostic Centers, Inc. and Customer for provision of the Covered Services, which agreement(s) may be in the form of online terms of service.

“Unsecured PHI” has the definition given to it under HIPAA.

2. Applicability. This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via a Covered Service and to the extent Medical Insights Diagnostic Centers, Inc., as a result, is deemed under HIPAA to be acting as a Business Associate or Subcontractor of Customer. Customer acknowledges that this BAA does not apply to, or govern, any other Medical Insights Diagnostic Centers, Inc. product, service, or feature that is not a Covered Service.

3. Use and Disclosure of PHI.

(a) Except as otherwise stated in this BAA, Medical Insights Diagnostic Centers, Inc. may use and disclose PHI only as permitted or required by the Services Agreements and/or this BAA or as Required by Law.

(b) Medical Insights Diagnostic Centers, Inc. may use and disclose PHI for the proper management and administration of Medical Insights Diagnostic Centers, Inc.’s business and to carry out the legal responsibilities of Medical Insights Diagnostic Centers, Inc., provided that any disclosure of PHI for such purposes may only occur if: (1) Required by Law; or (2) Medical Insights Diagnostic Centers, Inc. obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Medical Insights Diagnostic Centers, Inc. will be notified of any Security Breach. Google BAA covering Medical Insights Diagnostic Centers, Inc.

(c) Medical Insights Diagnostic Centers, Inc. has no obligations under this BAA with respect to any PHI that Customer creates, receives, maintains, or transmits outside of the Covered Services (including Customer’s use of its offline or on premise storage tools or third-party applications) and this BAA will not apply to any PHI created, received, maintained or transmitted outside of the Covered Services.

4. Customer Obligations.

(a) Customer may only use the Covered Services to create, receive, maintain, or transmit PHI. Customer is solely responsible for managing whether Customer’s End Users are authorized to share, disclose, create, and/or use PHI within the Covered Services.

(b) Customer will not request that Medical Insights Diagnostic Centers, Inc. or the Covered Services use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer (if Customer is a Covered Entity) or by the Covered Entity to which Customer is a Business Associate (unless expressly permitted under HIPAA for a Business Associate).

(c) For End Users that use the Covered Services in connection with PHI, Customer will use controls available within the Services, including those detailed in the HIPAA Implementation Guide, to ensure its use of PHI is limited to the Covered Services. Customer acknowledges and agrees that the HIPAA Implementation Guide is provided by Google solely as an informational guide with respect to Customer’s configuration options, and that Customer is solely responsible for ensuring that its and its End Users’ use of the Covered Services complies with HIPAA and HITECH.

(d) Customer will take appropriate measures to limit its use of PHI to the Covered Services and will limit its use within the Covered Services to the minimum extent necessary for Customer to carry out its authorized use of such PHI.

(e) Customer warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and/or other applicable law for the disclosure of PHI to Medical Insights Diagnostic Centers, Inc. If there are any changes in, or revocation of, the permission given by an Individual for use or disclosure of PHI, Customer is responsible for managing its use of the Covered Services accordingly to update and/or delete such PHI in the Covered Services.

5. Appropriate Safeguards. Medical Insights Diagnostic Centers, Inc. and Customer will each use appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Covered Services.

6. Reporting.

(a) Subject to Section 6(d), Medical Insights Diagnostic Centers, Inc. will promptly notify Customer following Medical Insights Diagnostic Centers, Inc.’s Discovery of a Security Breach in accordance with HIPAA and in the most expedient time possible under the circumstances, consistent with the legitimate needs of applicable law enforcement and applicable laws, and after taking any measures Medical Insights Diagnostic Centers, Inc. deems necessary to determine the scope of the Security Breach and to restore the reasonable integrity of Medical Insights Diagnostic Centers, Inc.’s systems.

(b) To the extent practicable, Medical Insights Diagnostic Centers, Inc. will use commercially reasonable efforts to mitigate any further harmful effects of a Security Breach caused by Medical Insights Diagnostic Centers, Inc.

(c) Medical Insights Diagnostic Centers, Inc. will send any applicable Security Breach notifications to the notification email address provided by Customer in the Services Agreement or via direct communication with the Customer.

(d) Notwithstanding Section 6(a), this Section 6(d) will be deemed as notice to Customer that Google periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification or destruction of information, or interference with the general operation of Google’s information systems and the Covered Services. Customer acknowledges and agrees that even if such events constitute a Security Incident as that term is defined under HIPAA, Medical Insights Diagnostic Centers, Inc. will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 6(d).

7. Subcontractors. Medical Insights Diagnostic Centers, Inc. will take appropriate measures to ensure that any Subcontractors used by Medical Insights Diagnostic Centers, Inc. to perform its obligations under the Services Agreements that require access to PHI on behalf of Medical Insights Diagnostic Centers, Inc. are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Medical Insights Diagnostic Centers, Inc. uses Subcontractors in its performance of obligations hereunder, Medical Insights Diagnostic Centers, Inc. will remain responsible for their performance as if performed by Medical Insights Diagnostic Centers, Inc.

8. Access and Amendment. Customer acknowledges and agrees that Customer is solely responsible for the form and content of PHI maintained by Customer within the Covered Services, including whether Customer maintains such PHI in a Designated Record Set within the Covered Services. Medical Insights Diagnostic Centers, Inc. will provide Customer with access to Customer’s PHI via the Covered Services so that Customer may fulfill its obligations under HIPAA with respect to Individuals’ rights of access and amendment but will have no other obligations to Customer or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI. Customer is responsible for managing its use of the Covered Services to appropriately respond to such Individual requests.

9. Accounting of Disclosures. Medical Insights Diagnostic Centers, Inc. will document disclosures of PHI by Medical Insights Diagnostic Centers, Inc. and provide an accounting of such disclosures to Customer as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under HIPAA.

10. Access to Records. To the extent required by law, and subject to applicable attorney-client privileges, Medical Insights Diagnostic Centers, Inc. will make its internal practices, books, and records concerning the use and disclosure of PHI received from Customer, or created or received by Medical Insights Diagnostic Centers, Inc. on behalf of Customer, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.

11. Expiration and Termination.

(a) This BAA will terminate on the earlier of (i) a permitted termination in accordance with Section 11(b) below, or (ii) the expiration or termination of all Services Agreements under which Customer has access to a Covered Service.

(b) If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 10 days’ written notice to the breaching party unless the breach is cured within the 10-day period. If a cure under this Section 11(b) is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible under this Section 11(b), the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.

(c) If this BAA is terminated earlier than the Services Agreements, Customer may continue to use the Services in accordance with the Services Agreements, but must delete any PHI it maintains in the Covered Services and cease to further create, receive, maintain, or transmit such PHI to Medical Insights Diagnostic Centers, Inc.

12. Return/Destruction of Information. On termination of the Services Agreements, Medical Insights Diagnostic Centers, Inc. will return or destroy all PHI received from Customer, or created or received by Medical Insights Diagnostic Centers, Inc. on behalf of Customer; provided, however, that if such return or destruction is not feasible, Medical Insights Diagnostic Centers, Inc. will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

13. Miscellaneous.

(a) Survival. Sections 12 (Return/Destruction of Information) and 13 (Miscellaneous) will survive termination or expiration of this BAA.

(b) Counterparts. The parties may execute this BAA in counterparts, including facsimile, PDF or other electronic copies, which taken together will constitute one instrument.

(c) Effects of Addendum. To the extent this BAA conflicts with the remainder of the Services Agreement(s), this BAA will govern. This BAA is subject to the “Governing Law” section in the Services Agreement(s). Except as expressly modified or amended under this BAA, the terms of the Services Agreement(s)