WEBCEPH POLICY
HIPAA Business Associate Agreement
This HIPAA Business Associate Agreement (hereinafter “This Agreement”) constitutes an integral part of the Terms of Use between you and WebCeph.
WHEREAS, you (hereinafter “Covered Entity”) are subject to the requirements of the Federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and related regulations;
WHEREAS, Webceph (hereinafter “Business Associate”) may maintain, transmit, create or receive data for or from Covered Entity in connection with Webceph services that constitutes Protected Health Information (“PHI”);
1 Definitions
The following terms used in this Agreement shall have the meanings set forth below:
1.1 Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, refers to Webceph.
1.2 Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this Agreement, refers to you, a member of WebCeph.
1.3 Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” at 45 CFR 160.103, and for the purpose of this Agreement, is limited to the information received for or from Covered Entity in connection with WebCeph services.
1.4 HIPAA. “HIPAA” collectively refers to the HIPAA Statute, including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, the HITECH Act, and any associated Regulations, as such may be amended from time to time.
Other terms used and not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA rules or the Terms of Use, unless context otherwise requires.
2 Use and Disclosure of Protected Health Information (PHI)
2.1 Business Associate agrees to use PHI only as necessary to provide WebCeph services, including but not limited to, analysis services for orthodontic and orthognathic surgery, to Covered Entity.
2.2 Business Associate agrees to limit disclosure of PHI to the extent practical, to the minimum necessary to accomplish the intended purpose of such disclosure.
2.3 Business Associate will not use or further disclose PHI other than as permitted or required by this Agreement or as required by law.
3 De-Identified Data
3.1 Notwithstanding the provisions of this Agreement, Business Associate and its subcontractors may disclose non-personally identifiable information provided that the disclosed information is duly de-identified in accordance with 45 CFR 164.514(a) - (c), and does not include a key or other mechanism that would enable the information to be identified.
3.2 The purpose of the use of de-identified data will include, but is not limited to, academic and commercial research and development, and improvement of artificial intelligence orthodontic diagnostic devices and services.
4 HIPAA Assurances
In the event Business Associate creates, receives, maintains, or otherwise is exposed to personally identifiable or aggregate patient or other medical information defined as Protected Health Information ("PHI") in the Health Insurance Portability and Accountability Act of 1996 or its relevant regulations ("HIPAA") and otherwise meets the definition of Business Associate as defined in the HIPAA Privacy Standards (45 CFR Parts 160 and 164), Business Associate shall:
4.1 Recognize that HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009) and the regulations thereunder (including 45 C.F.R. Sections 164.308, 164.310, 164.312, and 164.316), apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity;
4.2 Not use or further disclose the PHI, except as permitted by law;
4.3 Not use or further disclose the PHI in a manner that had the Covered Entity done so, would violate the requirements of HIPAA;
4.4 Use appropriate safeguards (including implementing administrative, physical, and technical safeguards for electronic PHI) to protect the confidentiality, integrity, and availability of and to prevent the use or disclosure of the PHI other than as provided for by this Agreement;
4.5 Comply with each applicable requirement of 45 C.F.R. Part 162 if the Business Associate conducts Standard Transactions for or on behalf of the Covered Entity;
4.6 Report promptly to the Covered Entity any security incident or other use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware;
4.7 Ensure that any subcontractors or agents who receive or are exposed to PHI (whether in electronic or other format) are explained the Business Associate obligations under this paragraph and agree to the same restrictions and conditions;
4.8 Make available PHI in accordance with the individual’s rights as required under the HIPAA regulations;
4.9 Account for PHI disclosures for up to the past six (6) years as requested by Covered Entity, which shall include: (i) dates of disclosure, (ii) names of the entities or persons who received the PHI, (iii) a brief description of the PHI disclosed, and (iv) a brief statement of the purpose and basis of such disclosure;
4.10 Make its internal practices, books, and records that relate to the use and disclosure of PHI available to the U.S. Secretary of Health and Human Services for purposes of determining Customer’s compliance with HIPAA; and
4.11 Incorporate any amendments or corrections to PHI when notified by Customer or enter into a Business Associate Agreement or other necessary Agreements to comply with HIPAA.
5 Breach of Provisions
Notwithstanding any other provision of this Agreement, Covered Entity may immediately terminate this Agreement if it determines that Business Associate breaches any term in this Agreement. Alternatively, Covered Entity may give written notice to Business Associate in the event of a breach and give Business Associate five (5) business days to cure such breach. Covered Entity shall also have the option to immediately stop all further disclosures of PHI to Business Associate if Covered Entity reasonably determines that Business Associate has breached its obligations under this Agreement. In the event that termination of this Agreement and the Agreement is not feasible, Business Associate hereby acknowledges that the Covered Entity shall be required to report the breach to the Secretary of the U.S. Department of Health and Human Services, notwithstanding any other provision of this Agreement or Agreement to the contrary.
6 Return or Destruction of PHI upon Termination
Upon the termination of this Agreement, unless otherwise directed by Covered Entity, Business Associate shall either return or destroy all PHI received from the Covered Entity or created or received by Business Associate on behalf of the Covered Entity in which Business Associate maintains in any form. Business Associate shall not retain any copies of such PHI. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible upon termination of this Agreement, Business Associate shall provide to Covered Entity notification of the condition that makes return or destruction infeasible. To the extent that it is not feasible for Business Associate to return or destroy such PHI, the terms and provisions of this Agreement shall survive such termination or expiration and such PHI shall be used or disclosed solely as permitted by law for so long as Business Associate maintains such Protected Health Information.
7 No Third-Party Beneficiaries
The parties agree that the terms of this Agreement shall apply only to themselves and are not for the benefit of any third-party beneficiaries.
8 General Provisions
This agreement sets forth the entire understanding of the Parties. Any amendments must be in writing and signed by both Parties. Any ambiguity in the terms of this Agreement shall be resolved to permit compliance with HIPAA. Any references in this Agreement to a section in HIPAA means the section as in effect or as may be amended. This Agreement may be modified or amended from time to time as is necessary for compliance with the requirements of HIPAA and other applicable law. Amendments must be made in writing and signed by the Parties. The failure of either Party to enforce any provision of this Agreement shall not be construed as a waiver or limitation of that Party's right to subsequently enforce and compel strict compliance with every provision of this Agreement. The terms of this Agreement are hereby incorporated into any service or business agreement that may be entered into between the Parties with the intent to form a business relationship. In the event of a conflict of terms between this Agreement and any such service or business agreement the terms of this Agreement shall prevail.