This Business Associate Agreement (“Agreement’) is entered intoby and between Zenstack Private Limited and the CLIENT entity (ies), subsidiary(ies) and/or affiliate(s), which shall be collectively referred to as “CLIENT”.

A. HIPAA and HITECH Dominance.

Inthe event of a conflict or inconsistency between the terms of any otheragreement between the parties and this Agreement, this Agreement controls.  This Agreement is required by the HealthInsurance Portability and Accountability Act of 1996,  the Health Information Technology forEconomic and Clinical Health Act (found in Title XIII of the American Recoveryand Reinvestment Act of 2009) , and their associatedregulations ("HIPAA" and “HITECH”).  The parties acknowledge and agree that,beginning with the effective dates under HIPAA and HITECH, Business Associatewill comply with its obligations under this Agreement and with all obligationsof a business associate under HIPAA, HITECH and any implementing regulations,as they exist at the time this Agreement is executed and as they are amendedfrom time to time, for so long as this Agreement is in place. All CapitalizedTerms used in this Agreement shall have the same definition as defined by HIPAand HITECH. 

B. Business Associate.  

Business Associate is directly subject to andmust independently comply with the business associate provisions of HIPAA andHITECH notwithstanding the provisions contained in this Agreement.  This Agreement applies to all services andrelationships between CLIENT and Business Associate. 

C. Protected Health Information.  

Any Protected Health Information("PHI") as defined by HIPAA that was collected, created or receivedfrom or on behalf of CLIENT is PHI.  Forpurposes of these obligations PHI means all PHI in Business Associate'spossession or under its control (e.g., agents) and all PHI collected, createdor received by Business Associate or its agents on or after the effective dateof this Agreement. 

D. Employees, Subcontractors, Agents andDisciplinary Action.

1.     Acts /Omissions.  Business Associate will beresponsible for all actions and/or omissions by its employees,Subcontractors and/or agents and is liable to third parties and CLIENT for anyviolation of patients' privacy or security by any person granted access orreceive data through Business Associate.

2.     Employees.  BusinessAssociate agrees to instruct its employees and temporary agency employeesregarding the confidentiality, privacy and security of PHI. Business Associateshall not disclose to its employees or permit them to access, view, obtaincopy, review or use any PHI that is not necessary to their services to CLIENT.  Business Associate agrees to maintain strictperformance standards, including disciplinary actions, with respect to wrongfulaccess to, copying, viewing, misuse or disclosure of PHI.

3.     Agents andSubcontractors. If applicable, BusinessAssociate shall ensure that any of its agent(s) and Subcontractor(s) (if agentsor Subcontractors are permitted) that create, receive, maintain, or transmitPHI agree in writing to the same restrictions, conditions and requirements thatapply to Business Associate with respect to such PHI, and in accordance with 45CFR 164.502(e)(1)(ii) and 164.308(b)(2). Business Associate agrees to make alist of such agents and Subcontractors available to CLIENT upon request.

4.     Administrativeand Disciplinary Action.  BusinessAssociate will take appropriate administrative and disciplinary action withrespect to the applicable employees, Subcontractors or agents if a privacyand/or security violation is substantiated.

5.     Notificationof Changes.  Business Associate mustpromptly notify the CLIENT Security Officer, or other specified department, ifany of its employees or agents who have access to CLIENT Information Systems, aCLIENT’s Network connection, or applications and no longer need or are eligiblefor access and/or connection due to leaving the Contractor, changing their jobduties or for any other reason.

6.     Monitoring.  Business Associate will monitor theappropriateness of its employees and agents activities within CLIENTInformation Systems and/or the CLIENT Network by methods including any reportsor tools provided by CLIENT.  

E. Permissible Uses and Disclosures of PHI.

1.     Using andDisclosing PHI.  Business Associate may use ordisclose PHI only as permitted by this Agreement or as required by law. BusinessAssociate may use PHI only to directly perform services pursuant to anyunderlying agreement(s) for products or services with CLIENT.

2.     BusinessAssociate's Internal Management Uses of PHI. Business Associate may use PHIfor internal management and administration of Contractor, but only inconnection with the direct performance by Business Associate through itsemployees of services for CLIENT pursuant to this Agreement.

3.     MinimumNecessary.  Business Associate is permittedto access and use only the minimum necessary PHI to the extent required toperform its duties under this Agreement. Business Associate agrees not to use or store PHI or identifyinginformation (e.g., name, date of birth, etc.) if the information can be removedand is not essential to the services to be provided.

4.     HandlingPHI.  Business Associate furtheragrees to return or destroy any PHI that is erroneously shared or delivered to BusinessAssociate.

5.     DataAggregation.  Business Associate is permittedto use PHI for data aggregation for the health care operations of CLIENT, uponwritten request of CLIENT.

6.     De-Identified– Business Associate Use for Own Purposes. Business Associate agrees not to use data that identifies CLIENT or PHIfor its own purposes or for the benefit of its other customers, includingde-identified PHI (as defined by HIPAA) without CLIENT’s prior written consent. 

F. AdditionalObligations of Business Associate.

1.     DesignatedRecord Set.  Business Associate shallmake available PHI in a designated record set to CLIENT within 5 calendar daysof any such request as necessary to satisfy CLIENT’s obligations under 45 CFR164.524.

2.     Safeguards.  Business Associate agrees to implementappropriate administrative, physical and technical safeguards to protect theconfidentiality, integrity and availability of all PHI.  Business Associate agrees to implementappropriate electronic security practices for CLIENT PHI, which is transmitted,stored, received, or used in electronic form, in compliance with Subpart C of45 CFR Part 164, to prevent use or disclosure of PHI other than as permitted bythis Agreement.

3.     BusinessAssociate will report to CLIENT any Use or Disclosure, or suspected Use orDisclosure, of PHI not provided for by this Agreement within 24 hours ofbecoming aware of same, including Breaches of Unsecured PHI, and any SecurityIncident of which it becomes aware.  The content of said reports shallcomply with 45 CFR 164.410(c).

4.     Notice ofLegal Contact.  Business Associateshall  notify CLIENT in writing within 5calendar days of a disclosure request and shall only disclose CLIENT PHI with CLIENT’s express written consentsuch disclosure is required by law.

5.     Pattern of Activity.  If BusinessAssociate becomes aware of a pattern of activity or practice by CLIENT thatconstitutes a material breach or violation of CLIENT’s obligations under thisAgreement, Business Associate will notify CLIENT of the same.

6.     Business Associateshall maintain and make available the information required to provide anAccounting of Disclosures to CLIENT as necessary for CLIENT to satisfy itsobligations under 45 CFR 164.528 within 5 calendar days of any such requestfrom CLIENT.

7.     Notice of PatientContact.  Business Associate shall notifythe privacy officer of CLIENT within 5 calendar days if an Individual contacts BusinessAssociate in connection with the Individual's PHI.

8.     Assistance. BusinessAssociate shall, at any time during this Agreement, make CLIENT PHI in itspossession or under its control available to CLIENT within 5 calendar days of aCLIENT request.

9.     Electronic Health Records Related to Treatment, Payment, orOperations.  In the case of a directrequest for an accounting from an individual to Business Associate related totreatment, payment or operations disclosures through electronic health records,Business Associate shall provide such accounting to the individual inaccordance with the applicable effective date of Section 13405(c) of HITECH. BusinessAssociate shall document such disclosures and provide CLIENT notice of thedisclosure.

10.  Amendments.  Business Associate will make available PHIfor amendment and incorporate any amendments to PHI in accordance with 45 CFR164.526.

11.  To the extent BusinessAssociate is to carry out one or more of CLIENT’s obligations under Subpart Eof 45 CFR Part 164, Business Associate will comply with the requirements ofSubpart E that apply to CLIENT in the performance of such obligations.   

G.  Breach Investigation and Notification.

1.      Upon receipt of areport an actual or suspected Breach or Security Incident from Business Associate,CLIENT shall determine whether a Risk Assessment should be conducted, and ifso, which entity (CLIENT or the Business Associate) is the appropriate party toconduct the Risk Assessment under the circumstances. Business Associate shallcomply with all requests and directives of CLIENT in this regard.

2.      If a RiskAssessment is conducted and it is determined that a Breach has occurred, CLIENTshall determine the appropriate party to notify the affected Individuals, theDepartment of Health and Human Services, and if necessary, the media.  If it is determined that the BusinessAssociate is the appropriate party to prepare and issue the notice, then BusinessAssociate shall do so at its sole cost and within the time period specified byHIPAA.  Business Associate shall provide CLIENTwith a draft copy of the Breach Notification letter for its review and approvalat least 10 days in advance of the deadline. No Breach Notification letter shall be issued without CLIENT’s writtenapproval of same.  In the event that CLIENThas reasonable cause to anticipate that Business Associate is not sufficientlyperforming its obligations under this paragraph, then CLIENT may, in its solediscretion, take over these obligations and invoice Business Associate for itscosts associated with performing these obligations. 

H.Security,Reporting, Mitigation andTermination.

1.     Suspensionand Termination. Business Associatewill immediately suspend or terminate its employee’s, agent’s or Subcontractor’saccess to CLIENT’s Information Systems and/or connection to a CLIENT Network inthe event of a suspected or actual violation, and will not reinstate accessand/or connection privileges until CLIENT has agreed in writing to thereinstatement of these privileges.

2.     ImmediateTermination of Right to Access / Network Connection.  Business Associate acknowledges that CLIENThas, at its sole discretion, the right to immediately terminate any of the BusinessAssociate's employees, agents or Subcontractors’ right to access any aspect of CLIENT'sInformation System and/or Network connection in the event of Business Associate’simproper use of CLIENT’s Information System and/or Network connection, BusinessAssociate’s failure to maintain the confidentiality of CLIENT or patientinformation, failure to maintain patient privacy or failure to safeguard andprotect the security of the Information Systems and/or Network connection, or CLIENT’spatient or business information. 

I. Notices.  

All notices and reports required under this Agreement shall beprovided in writing, and Business Associate shall retain proof of transmission,to the following persons on behalf of CLIENT: Privacy Officer / Security Officer: 

J. Amendment.  

The parties agree to take such action as is necessary to amendthis Agreement from time to time as is necessary for compliance with therequirements of HIPAA and/or HITECH and any other applicable law. 

K. Access for Audit.  

Business Associate shall make its internalpractices, books and records relating to the use and disclosure of any PHIavailable to CLIENT, the Secretary of the Department of Health and HumanServices, and to other authorized government investigators for purposes ofdetermining Business Associate's and CLIENT's compliance with HIPAA.   Business Associate agrees that CLIENT hasthe right to audit, investigate, monitor, access, review and report on BusinessAssociate's use of any CLIENT PHI, with or without advance notice or knowledgefrom CLIENT. 

L. Assignment.  

No party may assign or transfer any or all of its rights and/orobligations under this Agreement or any part of it, nor any benefit or interestin or under it, to any third party without the prior written consent of theother party, which shall not be unreasonably withheld.  BusinessAssociate may not assign any rights, nor may it delegate its duties, under thisAgreement without the express written consent of CLIENT. 

M.  Laws.  

Business Associate also will comply with all federal and statesecurity and privacy laws applicable to Business Associate and more protectiveof individual privacy than are the HIPAA and / or HITECH. 

N. Injunctive Relief.  

Business Associate acknowledges and stipulates that its, includingits agents and/or subcontractors, unauthorized use or disclosure of PHI whileperforming services pursuant to this Agreement may cause irreparable harm to CLIENT,and in such event, CLIENT will be entitled, if it so elects, to institute anytype of proceeding in any court of competent jurisdiction in equity, to seekinjunctive relief. 

O. Terminationof Relationship for Failure to Comply.

1.     ImmediateTermination and Cure. CLIENTmay immediately terminate its relationship with Business Associate upon writtennotice to Business Associate without damages or liability to Business Associateif CLIENT determines that Business Associate has violated a materialrequirement related to HIPAA and/or HITECH. CLIENT, at its option and within its sole discretion, has the right totake reasonable steps to cure the breach and/or may (a) allow BusinessAssociate to take steps to cure the breach, and (b) in the event of such acure, elect to keep the relationship in force.

2.     PHIObligations upon Termination or Expiration. Unless BusinessAssociate is required by law to maintain PHI, Business Associate shall return(and not retain any copies of) all PHI in its possession or under its controlwithin 30 days after the termination/expiration of this Agreement.  If Business Associate is unable to returnPHI, then Business Associate shall notify CLIENT of the reasons for beingunable to return PHI in writing and must, at a minimum, maintain PHI asrequired by this Agreement and HIPAA and/or HITECH for so long as the CLIENTPHI exists.  Business Associate shall nottransfer possession of CLIENT PHI without prior written approval of CLIENT.  If at any time Business Associate determinesit is unable to protect CLIENT PHI, Business Associate shall destroy all CLIENTPHI and all copies and maintain proof of such destruction. Business Associate’sobligations under this paragraph shall survive the termination of thisAgreement.

3.     CLIENT may terminate this Agreement effective immediately, if (i) BusinessAssociate is named as a defendant in a criminal proceeding for a violation ofHIPAA, HITECH, or other security or privacy laws or (ii) there is a finding orstipulation that Business Associate has violated any standard or requirement ofHIPAA, HITECH, or other security or privacy laws in any administrative or civilproceeding in which Business Associate is involved.

4.     Terminationof Other Agreements.  If this Agreementis terminated for any reason, CLIENT or Business Associate also may terminateany or all other agreements between the parties. This provision shall supersedeany termination provision to the contrary which may be set forth in any otheragreement.