
This BAA will be executed between the parties via Docusign.

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (this “BAA”) by and between you (“Customer”) and ROAM HQ, INC. (“Roam”), is entered into as of the last date signed below (“Effective Date”), for the purposes of complying with the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act and regulations promulgated thereunder (collectively, “HIPAA”).

WITNESSETH

Whereas, Customer is a “covered entity” or “business associate” as such terms are defined under HIPAA and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of Protected Health Information (as defined under HIPAA); and

Whereas, Roam and Customer have entered or may enter into an enterprise software as a service agreement and/or other agreement(s) with Customer (collectively, “Service Agreement”), pursuant to which Roam may receive, create or otherwise process Protected Health Information for or on behalf of Customer; and

Whereas, by providing services pursuant to the Service Agreement and receiving, creating or otherwise processing Protected Health Information for or on behalf of Customer, Roam shall be Customer’s “business associate” or “subcontractor” as such term is defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of Protected Health Information that Roam assesses, develops or receives from or on behalf of Customer.

Now Therefore, in consideration of the mutual covenants, promises, and agreements contained herein, the parties hereto agree as follows:

1. DEFINITIONS.

For the purposes of this BAA, capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA.

“Protected Health Information” or “PHI” is any information, whether oral or recorded in any form or medium that is created, received, maintained, transmitted or otherwise processed by Roam for or on behalf of Customer that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for health care.

“Secretary” shall refer to the Secretary of the U.S. Department of Health and Human Services.

“Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). This definition applies to both hard copy PHI and electronic PHI.

2. OBLIGATIONS OF ROAM.

General Compliance with Law

Roam represents and warrants that it, its agents and its subcontractors: (i) shall use or disclose PHI only in connection with fulfilling its duties and obligations under this BAA and the Service Agreement; (ii) shall not use or disclose PHI other than as permitted or required by this BAA or Required by Law; (iii) shall not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Customer; and (iv) shall only use and disclose the minimum necessary PHI for its specific purposes.

Use and Disclosure of Protected Health Information

Subject to the restrictions set forth throughout this BAA, Roam may use PHI received from or on behalf of Customer if necessary for (i) the proper management and administration of Roam; or (ii) to carry out the legal responsibilities of Roam.

Subject to the restrictions set forth throughout this BAA, Roam may disclose PHI for the proper management and administration of Roam, provided that: (i) disclosures are Required by Law, or (ii) Roam obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies Roam of any instances of which it is aware in which the confidentiality of the information has been breached.

Assumption of Customer Obligations

To the extent that Roam is to carry out any of Customer’s obligations that are Covered Entity obligations under HIPAA, Roam shall comply with the HIPAA requirements that apply to Customer in the performance of any such obligation.

Safeguards

Roam shall employ appropriate administrative, technical and physical safeguards, consistent with the size and complexity of its operations, to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this BAA. Roam shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this BAA.

Availability of Books and Records

Roam shall permit the Secretary and other regulatory authorities to audit Roam’s internal practices, books and records at reasonable times as they pertain to the use and disclosure of PHI in order to ensure that Customer and/or Roam is in compliance with the requirements of HIPAA.

Individuals’ Rights to Their PHI

Access to Information

To the extent Roam maintains PHI in a Designated Record Set, in order to allow Customer to respond to a request by an Individual for access to PHI pursuant to 45 CFR Section 164.524, Roam, within ten (10) business days upon receipt of written request by Customer, shall make available to Customer such PHI. In the event that any Individual requests access to PHI directly from Roam, Roam shall forward such request to Customer within seven (7) business days. Customer will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Roam will make no such determinations. Except as Required by Law, only Customer will be responsible for releasing PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by Customer pursuant to 45 CFR Section 164.524, and conveyed to Roam by Customer, shall be the responsibility of Customer, including resolution or reporting of all appeals and/or complaints arising from denials.

Amendment of Information

To the extent Roam maintains PHI in a Designated Record Set, in order to allow Customer to respond to a request by an Individual for an amendment to PHI, Roam shall, within ten (10) business days upon receipt of a written request by Customer, make available to Customer such PHI. In the event that any Individual requests amendment of PHI directly from Roam, Roam shall forward such request to Customer within seven (7) business days. Customer will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment to PHI and Roam will make no such determinations. Any denial of amendment to PHI determined by Customer pursuant to 45 CFR Section 164.526, and conveyed to Roam by Customer, shall be the responsibility of Customer, including resolution or reporting of all appeals and/or complaints arising from denials. Within ten (10) business days of receipt of a request from Customer to amend an Individual’s PHI in the Designated Record Set, Roam shall incorporate any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 CFR Section 164.526.

Accounting of Disclosures

In order to allow Customer to respond to a request by an Individual for an accounting pursuant to 45 CFR Section 164.528, Roam shall, within ten (10) business days of a written request by Customer for an accounting of disclosures of PHI about an Individual, make available to Customer such PHI. At a minimum, Roam shall provide Customer with the following information: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure. In the event that any Individual requests an accounting of disclosures of PHI directly from Roam, Roam shall forward such request to Customer within seven (7) business days. Customer will be responsible for preparing and delivering an accounting to Individual. Roam shall implement an appropriate record keeping process to enable it to comply with the requirements of this BAA.

Disclosure to Subcontractors and Agents

Notwithstanding anything to the contrary in the Service Agreement, Roam, subject to the restrictions set forth in this provision, may use subcontractors and agents to fulfill its obligations under this BAA, including vendors. Roam shall obtain and maintain a written agreement with each subcontractor or agent that has or will have access to PHI, which is received from, or created or received by, Roam for or on behalf of Customer, pursuant to which such subcontractor and agent agrees to be bound by comparable restrictions, terms, and conditions that apply to Roam under this BAA with respect to such PHI.

Reporting Obligations

In the event of a Breach of any Unsecured PHI that Roam accesses, maintains, retains, modifies, records, or otherwise holds or uses on behalf of Customer, Roam shall report such Breach to Customer as soon as practicable, but in no event later than seventy-two (72) hours after the date the Breach is discovered. Each notice of a Breach shall include, to the extent such information is available: (i) the identification of each Individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach; (ii) the date of the Breach, if known, and the date of discovery of the Breach; (iii) the scope of the Breach; and (iv) Roam’s response to the Breach.

In the event of any successful Security Incident, Roam shall report such Security Incident in writing to Customer within ten (10) business days of the date on which Roam becomes aware of such Security Incident. The parties acknowledge that unsuccessful Security Incidents occur within the normal course of business and thus shall not be further reported pursuant to this BAA. Such unsuccessful Security Incidents include, but are not limited to, port scans or “pings,” unsuccessful log-on attempts, broadcast attacks on Roam’s firewall, denials of service or any combination thereof if such incidents are detected and neutralized by Roam’s anti-virus and other defensive software and not allowed past Roam’s firewall.

In the event of any use or disclosure of PHI that is improper under this BAA that does not constitute a Breach or Security Incident, Roam shall report such use or disclosure to Customer within twenty (20) business days after the date on which Roam becomes aware of such use or disclosure.

Roam will identify and respond internally to any suspected or known Breach of any Unsecured PHI, Security Incident or other improper use or disclosure of PHI, and will mitigate, to the extent practicable, their harmful effects, document their outcomes, and provide documentation of any successful Security Incident and Breach of any Unsecured PHI to Customer upon request.

3. OBLIGATIONS OF CUSTOMER.

Permissible Requests

Customer shall not request Roam to use or disclose PHI in any manner that would violate applicable federal and state laws if such use or disclosure were made by Customer. Customer may request Roam to disclose PHI directly to another party only for the purposes allowed by HIPAA.

Notifications

Customer shall notify Roam of any limitation in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Roam’s use or disclosure of PHI.

Customer shall notify Roam of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Roam’s use or disclosure of PHI.

Customer shall notify Roam of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Roam’s use or disclosure of PHI.

4. TERM AND TERMINATION.

General Term and Termination

This BAA shall become effective on the Effective Date and shall terminate upon the termination or expiration of the Service Agreement and when all PHI provided by either party to the other, or created or received by Roam on behalf of Customer is, in accordance with this Section 4, destroyed, returned to Customer or protections are extended.

Material Breach

Where either party has knowledge of a material breach by the other party, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching party within twenty (20) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the Service Agreement affected by the breach. Where either party has knowledge of a material breach by the other party and cure is not possible, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the Service Agreement affected by the breach.

Return or Destruction of PHI

Upon termination of this BAA for any reason, Roam shall: (i) if feasible as determined by Roam, return or destroy all PHI received from, or created or received by Roam for or on behalf of Customer that Roam or any of its subcontractors and agents still maintain in any form, and Roam shall retain no copies of such information; or (ii) if Roam determines that such return or destruction is not feasible, extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case Roam’s obligations under this Section 4 shall survive the termination of this BAA.

5. MISCELLANEOUS.

Amendment

If any of the provisions of HIPAA are amended or interpreted in a manner that renders this BAA inconsistent therewith, the parties shall amend this BAA to the extent necessary to comply with such amendments or interpretations.

Interpretation

Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA.

Conflicting Terms

In the event that any terms of this BAA conflict with any terms of the Service Agreement, the terms of this BAA shall govern and control.

Limitation of Liability

Notwithstanding anything herein or in the Service Agreement to the contrary, Roam’s total liability under this BAA for any and all claims regardless of the theory of liability shall be limited to $500,000.00 per incident.

Notices

Any notices pertaining to this BAA shall be given in writing and shall be deemed duly given when personally delivered to a party or a party’s authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. Notices shall be deemed given upon receipt. Notices shall be addressed to the appropriate party as follows:

If to Customer:

[CUSTOMER]
[ADDRESS]
Attn: [CONTACT]

If to Roam:

Roam, HQ, Inc.
40 Monroe Place
Brooklyn, NY 11201
Attn: Privacy Officer, privacy@ro.am

Severability

The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.


In Witness Whereof, each of the undersigned has duly executed this Business Associate Agreement on behalf of the party and on the date set forth below.