© MEDEXPERT INTERNATIONAL, INC 2024 ALL RIGHTS RESERVED
TERMS AND CONDITIONS
User Agreement
Agreement between User and www.medexperthealth.com
Welcome to www.medexperthealth.com.
The www.medexperthealth.com (the "Site") is comprised of various web pages operated by MedExpert International, Inc. ("MedExpert").
www.medexperthealth.com is offered to you conditioned on your acceptance without modification of the terms, conditions, and notices contained herein (the “Terms”). Your use of www.medexperthealth.com constitutes your agreement to all such terms. Please read these terms carefully and keep a copy of them for your reference.
www.medexperthealth.com is an e-Commerce Site.
The PURPOSE of this Site is to assist employers and organizations with compliance with state tracking, notification and reporting laws and policies. The notification process includes sending notices to employees; county and state officials; and agencies (OSHA) on a timely basis.
User of the Site is responsible for adding accurate information to the Site, including accurate worksite addresses and information; employee names and contact information; and registering administrative users. Accuracy of worksite identification, employee information and administrator information is the sole responsibility of the User.
Privacy
Your use of www.medexperthealth.com is subject to MedExpert’s Privacy Policy. Please review our Privacy Policy, which also governs the Site and informs users of our data collection practices.
Electronic Communications
Visiting www.medexperthealth.com or sending emails to MedExpert constitutes electronic communications. You consent to receive electronic communications and you agree that all agreements, notices, disclosures and other communications that we provide to you electronically via email and on the Site, satisfy any legal requirement that such communications be in writing.
Your Account
If you use this site, you are responsible for maintaining the confidentiality of your account and password and for restricting access to your computer, and you agree to accept responsibility for all activities that occur under your account or password. You may not assign or otherwise transfer your account to any other person or entity. You acknowledge that MedExpert is not responsible for third party access to your account that results from theft or misappropriation of your account. MedExpert and its associates reserve the right to refuse or cancel service, terminate accounts, or remove or edit content in our sole discretion.
Children Under Thirteen
MedExpert does not knowingly collect, either online or offline, personal information from persons under the age of thirteen. If you are under 18, you may use www.medexperthealth.com only with permission of a parent or guardian.
Cancellation/Refund Policy
You may cancel your subscription at any time. Any cancellations made after 30 days of service will not qualify for a refund. Please contact us at notification@medexpert.com with any questions.
Links to Third Party Sites of Third-Party Services
www.medexpert.com may contain links to other websites ("Linked Sites"). The Linked Sites are not under the control of MedExperthealth and MedExpert is not responsible for the contents of any Linked Site, including without limitation any link contained in a Linked Site, or any changes or updates to a Linked Site. MedExpert is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by MedExpert of the site or any association with its operators.
Certain services made available via www.medexperthealth.com are delivered by third party sites and organizations. By using any product, service or functionality
originating from the www.medexperthealth.com domain, you hereby acknowledge and consent that MedExpert may share
such information and data with any third party with whom MedExpert has a HIPAA/HITECH legal contractual relationship
to provide the requested product, service or functionality on behalf of www.medexperthealth.com users and customers.
No Unlawful or Prohibited Use/Intellectual Property
You are granted a non-exclusive, non-transferable, revocable license to access and use www.medexperthealth.com strictly in accordance with these terms of use. As a condition of your use of the Site, you warrant to MedExpert that you will not use the Site for any purpose that is unlawful or prohibited by these Terms. You may not use the Site in any manner which could damage, disable, overburden, or impair the Site or interfere with any other party's use and enjoyment of the Site. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available or provided for through the Site.
All content included as part of the Service, such as text, graphics, logos, images, as well as the compilation thereof, and any software used on the Site, is the property of MedExpert or its suppliers and protected by copyright and other laws that protect intellectual property and proprietary rights. You agree to observe and abide by all copyright and other proprietary notices, legends or other restrictions contained in any such content and will not make any changes thereto.
You will not modify, publish, transmit, reverse engineer,
participate in the transfer or sale, create derivative works, or in any way
exploit any of the content, in whole or in part, found on the Site. MedExpert
content is not for resale. Your use of the Site does not entitle you to make
any unauthorized use of any protected content, and in
particular you will not delete or alter any proprietary rights or
attribution notices in any content. You will use protected content solely for
your personal use and will make no other use of the content without the express
written permission of MedExpert and the copyright owner. You agree that you do
not acquire any ownership rights in any protected content. We do not grant you
any licenses, express or implied, to the intellectual property of MedExpert or
our licensors except as expressly authorized by these Terms.
International Users
The Service is controlled, operated, and administered by
MedExpert from our offices within the USA. If you
access the Service from a location outside the USA, you are responsible for
compliance with all local laws. You agree that you will not use the MedExpert
Content accessed through www.medexperthealth.com in any country or in any
manner prohibited by any applicable laws, restrictions, or regulations.
Indemnification
You agree to indemnify, defend and hold harmless MedExpert, its officers, directors, employees, agents and third parties, for any losses, costs, liabilities and expenses (including reasonable attorney fees) relating to or arising out of your use of or inability to use the Site or services, any user postings made by you, your violation of any terms of this Agreement or your violation of any rights of a third party, or your violation of any applicable laws, rules or regulations. MedExpert reserves the right, at its own cost, to assume the exclusive defense and control of any matter otherwise subject to indemnification by you, in which event you will fully cooperate with MedExpert in asserting any available defenses.
Arbitration
In the event the parties are not able to resolve any dispute between them arising out of or concerning these Terms and Conditions, or any provisions hereof, whether in contract, tort, or otherwise at law or in equity for damages or any other relief, then such dispute shall be resolved only by final and binding arbitration pursuant to the Federal Arbitration Act, conducted by a single neutral arbitrator and administered by the American Arbitration Association, or a similar arbitration service selected by the parties, in a location mutually agreed upon by the parties. The arbitrator's award shall be final, and judgment may be entered upon it in any court having jurisdiction. In the event that any legal or equitable action, proceeding or arbitration arises out of or concerns these Terms and Conditions, the prevailing party shall be entitled to recover its costs and reasonable attorney's fees. The parties agree to arbitrate all disputes and claims in regard to these Terms and Conditions or any disputes arising as a result of these Terms and Conditions, whether directly or indirectly, including Tort claims that are a result of these Terms and Conditions. The parties agree that the Federal Arbitration Act governs the interpretation and enforcement of this provision. The entire dispute including the scope and enforceability of this arbitration provision shall be determined by the Arbitrator. This arbitration provision shall survive the termination of these Terms and Conditions.
Class Action Waiver
Any arbitration under these Terms and Conditions will take
place on an individual basis; class arbitrations and
class/representative/collective actions are not permitted. THE PARTIES AGREE
THAT A PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY IN EACH'S INDIVIDUAL
CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PUTATIVE CLASS,
COLLECTIVE AND/OR REPRESENTATIVE PROCEEDING, SUCH AS IN THE FORM OF A PRIVATE
ATTORNEY GENERAL ACTION AGAINST THE OTHER. Further, unless both you and
MedExpert agree otherwise, the arbitrator may not consolidate more than one person's
claims and may not otherwise preside over any form of a representative or class
proceeding.
Liability Disclaimer
THE INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES INCLUDED IN
OR AVAILABLE THROUGH THE SITE MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS.
CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. MEDEXPERT
INTERNATIONAL INC. AND/OR ITS SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN
THE SITE AT ANY TIME.
MEDEXPERT INTERNATIONAL, INC. AND/OR ITS SUPPLIERS MAKE NO
REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, AVAILABILITY, TIMELINESS
AND ACCURACY OF THE INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED
GRAPHICS CONTAINED ON THE SITE FOR ANY PURPOSE. TO THE MAXIMUM EXTENT PERMITTED
BY APPLICABLE LAW, ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND
RELATED GRAPHICS ARE PROVIDED “AS IS” WITHOUT WARRANTY OR CONDITION OF ANY
KIND. MEDEXPERT INTERNATIONAL, INC. AND/OR ITS SUPPLIERS HEREBY DISCLAIM ALL
WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS,
SERVICES AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES OR CONDITIONS
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND
NON-INFRINGEMENT.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO
EVENT SHALL MEDEXPERT INTERNATIONAL, INC. AND/OR ITS SUPPLIERS BE LIABLE FOR ANY
DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA
OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OR PERFORMANCE
OF THE SITE, WITH THE DELAY OR INABILITY TO USE THE SITE OR RELATED SERVICES,
THE PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR FOR ANY INFORMATION,
SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS OBTAINED THROUGH THE SITE, OR
OTHERWISE ARISING OUT OF THE USE OF THE SITE, WHETHER BASED ON CONTRACT, TORT,
NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MEDEXPERT INTERNATIONAL, INC.
OR ANY OF THE SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES. Because some states/jurisdictions do not allow
the exclusion or limitation of liability for consequential or incidental
damages, the above limitation may not apply to you. If you are dissatisfied with
any portion of the site, or with any of discontinue using the site.
Termination/Access Restrictions
MedExpert reserves the right, in its sole discretion, to terminate your access to the Site and the related services or any portion thereof at any time, without notice. To the maximum extent permitted by law, this agreement is governed by the laws of the State of California and you hereby consent to the exclusive jurisdiction and venue of courts in California in all disputes arising out of or relating to the use of the Site. Use of the Site is unauthorized in any jurisdiction that does not give effect to all provisions of these Terms, including, without limitation, this section.
You agree that no joint venture, partnership, employment, or agency relationship exists between you and MedExpert as a result of this agreement or use of the Site. MedExpert’s performance of this agreement is subject to existing laws and legal process, and nothing contained in this agreement is in derogation of MedExpert’s right to comply with governmental, court and law enforcement requests or requirements relating to your use of the Site or information provided to or gathered by MedExperthealth with respect to such use. If any part of this agreement is determined to be invalid or unenforceable pursuant to applicable law including, but not limited to, the warranty disclaimers and liability limitations set forth above, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the agreement shall continue in effect.
Unless otherwise specified herein, this agreement constitutes the entire agreement between the user and MedExperthealth with respect to the Site and it supersedes all prior or contemporaneous communications and proposals, whether electronic, oral or written, between the user and MedExpert with respect to the Site. A printed version of this agreement and of any notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to this agreement to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form. It is the express wish of the parties that this agreement and all related documents be written in English.
Personal Identifying Information and Personal Health Information
READ CAREFULLY; REQUIRED COMPLIANCE WITH HIPAA/HITECH LAWS TO PROTECT INDIVIDUAL PERSONAL HEALTH INFORMATION
The COVID-19 compliance program requires access, storage and electronic transmission of personal identifying information and personal health information (PHI). ALL PERSONAL IDENTIFYING INFORMATION AND PERSONAL HEALTH INFORMATION MUST BE KEPT CONFIDENTIAL AND IN COMPLIANCE WITH HIPAA AND HITECH LAWS. All COVID-19 testing or related medical services will be stored and transmitted in a manner that ensures the confidentiality of employees' PHI, with the exception of unredacted information on COVID-19 cases that are required by law to be provided to the local health department, CDPH, Cal/OSHA, the National Institute for Occupational Safety and Health (NIOSH), and/or as otherwise required by law.
All employees’ medical records will also be kept confidential in accordance with
HIPAA/HITECH regulations, with the following exceptions: (1) Unredacted
medical records provided to the local health department, CDPH, Cal/OSHA, NIOSH,
or as otherwise required by law upon request; and (2) Records that do
not contain individually identifiable medical information or from which
individually identifiable medical information has been removed.
Transfer and storage of PHI requires a Business Associate Agreement that
protects individuals by enforcing compliance with the Health Insurance
Portability and Accountability Act (HIPAA) and HITECH. MedExpert is the
Business Associate and a “User” who is managing the health information of their
employees is, for the purpose of this agreement, the Covered Entity.
MedExpert and User, “The Parties,” desire to protect the privacy and security
of all such PHI in compliance with all Applicable Laws, as hereinafter defined,
including the Health Insurance Portability and Accountability Act of 1996, as
supplemented and amended, and all the rules and regulations promulgated, or in
the future promulgated, thereunder (collectively, “HIPAA”), and the purpose of
this Agreement is to ensure compliance with HIPAA as may be amended from time to
time, including all associated existing and future rules and regulations, when
and as each is effective.
The parties desire that this Agreement set forth the (1) permitted and required
uses and disclosures of PHI by the Business Associate; (2) required safeguards
to prevent unauthorized disclosure of the PHI; (3) reporting requirements in
the event of any unauthorized use or disclosure of the PHI; (4) requirements
regarding any subcontractors or agents of the Business Associate; (5)
provisions for the termination of this Agreement and the requirements regarding
the handling of the PHI upon termination of the Agreement; and (6) such other
terms and conditions as set forth in this Agreement; all with the purpose of
ensuring compliance with HIPAA.
DEFINITIONS
All capitalized terms used in this Agreement not otherwise defined
in this Agreement have the meanings
established for purposes of HIPAA.
"Applicable Laws" or "Applicable Law"
shall mean HIPAA and all other federal, state and local laws, regulations and
rules to the extent such other laws are not preempted by HIPAA, all as such
laws are amended, or as may be amended from time to time.
“Breach” as defined in 45 C.F.R. 164.402 means
the acquisition, access, use or disclosure of PHI in a manner not permitted by
the HIPAA Rules which compromises the security or privacy of the PHI as defined
in 45 C.F.R. 164.402.
"Business Associate" shall
generally have the same meaning as the term "business associate" at 45 C.F.R. 160.103, and in reference to the party to this Agreement, shall mean the
Business Associate set forth above in this Agreement.
"Covered Entity" shall generally have the same
meaning as the term "covered entity" at 45 C.F.R. 160.103, and in reference to the party to this
Agreement, shall mean the Covered Entity set forth above in this Agreement.
"Designated Record Set"
shall be as defined in 45 C.F.R. 164.501 and means a group of records
maintained by or for Covered Entity that is: (i) the
medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the
enrollment, payment, claims adjudication, and case or medical management record
systems maintained by or for a health plan; or (iii) used, in whole or in part,
by or for Covered Entity to make decisions about Individuals. For purposes of
this paragraph, the term record means any item, collection, or grouping of
information that includes PHI and is maintained, collected, used, or
disseminated by or for Covered Entity.
“Electronic Protected Health Information” (“ePHI”) is
defined in 45 C.F.R. 160.103 and means PHI that is transmitted by, or
maintained in, electronic media.
"Health Care Operations" shall be as defined in 45
C.F.R. 164.501 and means any of the following activities of Covered Entity to
the extent that the activities are related to covered functions: (i) conducting quality assessment and improvement
activities, including outcomes evaluation and development of clinical
guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such
activities; patient safety activities; population-based activities relating to
improving health or reducing health care costs, protocol development, case
management and care coordination, contacting of health care providers and
patients with information about treatment alternatives; and related functions
that do not include treatment; (ii) reviewing the competence or qualifications
of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting
training programs in which students, trainees, or practitioners in areas of
health care learn under supervision to practice or improve their skills as
health care providers, training of non-health care professionals,
accreditation, certification, licensing, or credentialing activities; (iii)
except as prohibited under 45 C.F.R. 164.502(a)(5)(i),
underwriting, enrollment, premium rating, and other activities relating to the
creation, renewal or replacement of a contract of health insurance or health
benefits, and ceding, securing, or placing a contract for reinsurance of risk
relating to claims for health care (including stop-loss insurance and excess of
loss insurance), provided that the requirements of 45 C.F.R. §164.514(g)
relating to uses and disclosures of PHI for underwriting and related purposes
are met, if applicable; (iv) conducting or arranging for medical review, legal
services, and auditing functions, including fraud and abuse detection and
compliance programs; (v) business planning and development, such as conducting
cost-management and planning-related analyses related to managing and operating
the Covered Entity, including formulary development and administration,
development or improvement of methods of payment or coverage policies; and (vi)
business management and general administrative activities of Covered Entity,
including, but not limited to: (A) management activities relating to
implementation of and compliance with the requirements of the HIPAA Rules; (B)
customer service, including the provision of data analyses for policy holders,
plan sponsors, or other customers, provided that PHI is not disclosed to such
policyholder, plan sponsor, or customer; (C) resolution of internal grievances;
(D) the sale, transfer, merger, or consolidation of all or part of Covered
Entity with another covered entity, or an entity that following such activity
will become a covered entity and due diligence related to such activity; and
(E) consistent with the applicable requirements and limitations of 45 C.F.R.
§164.514, creating de-identified health information or a limited data set, or
fundraising and fundraising communications for the benefit of Covered Entity.
"HIPAA" means the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, as supplemented
and amended by HITECH and other Applicable Laws, and any and
all references in this Agreement to HIPAA shall also be deemed to include all associated existing and future rules and regulations, when and as each is effective, including the rules enacted as a
result of HITECH and the Omnibus Rule, effective March 26, 2013 (the
"Omnibus Rule"). HIPAA is hereby incorporated into this Agreement by
this reference.
"HIPAA Rules" shall include the Privacy,
Security, Breach Notification, and Enforcement Rules and the administrative
requirements generally set forth at 45 C.F.R. Parts 160, 162 and 164 and any
other rules in effect or adopted in the future under HIPAA including, without
limitation, the rules enacted as a result of HITECH and the Omnibus Rule. All
such HIPAA Rules and the applicable and related standards, requirements and
implementation specifications, rules and regulations are hereby incorporated by
this reference into this Agreement.
"HITECH" means the Health Information
Technology for Economic and Clinical Health Act of 2009, enacted as part of the
American Recovery and Reinvestment Act of 2009, Public Law 111-5, Title XIII of
Division A and Title IV of Division B as codified at 42 U.S.C. §§17901-17953,
and any and all references in this Agreement to HITECH
shall be deemed to include all associated existing and future rules and
regulations, when and as each is
effective.
"Individual" as defined in 45 C.F.R. 160.103 means a
person (as defined in 45 C.F.R. 160.103) who is the subject of the PHI, or that person's personal representative to the extent set forth in 45 C.F.R. 164.502(g).
"Individually Identifiable Health Information"
is as defined in 45 C.F.R. 160.103.
“PHI” means Protected Health Information, as defined in 45 C.F.R. §
160.103, which means any Individually Identifiable Health Information, whether
oral or recorded in any form or medium, that is transmitted or maintained in
electronic media or any other form or medium, except as specifically excluded
under paragraph 2 of the PHI definition in 45 C.F.R. 160.103.
“Privacy Rule” is a part of the HIPAA Rules and
means the federal privacy regulations codified at 45 C.F.R. Parts 160, 162 and
164 (Subparts A, C & E), as such may be amended from time to time.
"Required By Law"
as defined in 45 C.F.R. 164.103, means a mandate contained in law that compels Covered Entity or Business Associate to make a use or disclosure of PHI and that is enforceable in a court of law. This may include, but is
not limited to, court orders and court-ordered warrants; subpoenas or summons
issued by a court, grand jury, a governmental or tribal inspector general, or
an administrative body authorized to require the production of information; a
civil or an authorized investigative demand; Medicare conditions of
participation with respect to health care providers participating in the
program; and statutes or regulations that require the production of
information, including statutes or regulations that require such information if
payment is sought under a government program providing public benefits.
“Security Rule” is a part of the HIPAA Rules and
means the federal security regulations codified at 45 C.F.R. Parts 160, 162 and
164 (Subparts A & C), as such may be amended from time to time.
RESPONSIBILITIES OF MedExpert as BUSINESS ASSOCIATE
Permitted Uses and Prohibited Uses. MedExpert agrees to use or
disclose PHI only as permitted or required pursuant to this Agreement and in
compliance with HIPAA and the HIPAA Rules or as otherwise Required by Law.
Furthermore, MedExpert shall not use or disclose PHI in any manner that would constitute a
violation of HIPAA or the HIPAA Rules including the applicable portions of 45
C.F.R. Parts 162 and 164 (such as Subpart E of Part 164) if so used or
disclosed by Covered Entity, except that MedExpert may use PHI: (i) for the proper management and administration of Business
Associate; or (ii) to carry out the legal responsibilities of MedExpert
provided the disclosures are Required by Law. MedExpert may use and disclose to
a subcontractor or agent the PHI in its possession for the purposes described
in the first part of this paragraph, provided that any subcontractor or agent
to which MedExpert discloses PHI for those purposes provides satisfactory,
reasonable written assurances in advance that: (i)
the information will be held confidentially and used or further disclosed only
as Required by Law; (ii) the information will be used only for the purpose for
which it was disclosed to the subcontractor or agent; (iii) the subcontractor
or agent agrees to the same restrictions and conditions that apply to MedExpert with respect to the PHI; and (iv) the subcontractor or agent promptly will notify MedExpert of any
instances of which it becomes aware in which the confidentiality of the
information has been breached.
To the extent MedExpert is to carry out one or more of Covered Entity's
obligations under Subpart E of 45 C.F.R. Part 164, MedExpert shall comply with
the requirements of such obligations that apply to the Covered Entity in the
performance of such obligation.
Appropriate Safeguards. MedExpert represents that it has
in place, and agrees to use, appropriate policies, procedures and safeguards
that adequately safeguard any PHI (including ePHI) from use or disclosure other
than as provided for by this Agreement, and MedExpert specifically agrees, on
behalf of itself, its subcontractors and agents, to safeguard and protect the
confidentiality of PHI consistent with Applicable Law, including currently
effective provisions of HIPAA and the HIPAA Rules. MedExpert shall implement
and maintain a comprehensive information privacy and security program that
includes (i) administrative, technical and physical safeguards, (ii) policies and
procedures, and (iii) documentation in the same manner as required for Covered
Entity and other covered entities ("Privacy and Security Program"). MedExpert
shall implement and use its appropriate Privacy and Security Program to: (i) prevent use or disclosure of PHI other than as permitted
by this Agreement and in compliance with all Applicable Laws; (ii) reasonably and
appropriately protect the confidentiality, integrity, and availability of the
PHI and ePHI that MedExpert creates, receives, maintains, or transmits; and
(iii) comply with the Security Rule requirements including those set forth in
45 C.F.R. §§ 164.304, 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316.
Safeguarding Electronic PHI. With respect to PHI, MedExpert
shall comply with the applicable standards, implementation specifications and
requirements of Subpart C of 45 C.F.R. 164 with respect to ePHI that MedExpert
creates, receives, maintains, or transmits electronically. Furthermore, MedExpert
shall implement administrative, technical, and physical safeguards as described
in the Security Rule, which reasonably and appropriately protect the confidentiality,
integrity, and availability of such electronic PHI. Without limiting the
foregoing, MedExpert shall: (i) ensure that any
agent, including any subcontractor, to whom MedExpert provides ePHI agrees to implement reasonable and appropriate safeguards to protect such ePHI; (ii) report to the Covered
Entity any “Security Incident” as defined by the Security Rule (including the
attempted or successful unauthorized access, use, disclosure, modification, or
destruction of information or interference with system operations in your
information system containing the Covered Entity’s PHI) of which MedExpert
becomes aware; and (iii) make its policies, procedures, practices, records,
compliance reports and documentation available to the Secretary to determine
compliance with the Security Rules and the applicable administrative
simplification provisions of HIPAA and the HIPAA rules, and otherwise as
Required by Law.
Notification of Unauthorized Use or Disclosure,
or Other Breach. During the term of this Agreement, MedExpert shall notify
Covered Entity without unreasonable delay, and in any event within twenty-four
(24) hours of its discovery (as defined by 45 C.F.R. 164.410(a)(2)) by MedExpert,
of (i) any suspected or actual Breach of security,
intrusion or unauthorized use or disclosure of PHI or electronic PHI, or any
other actual or suspected use or disclosure of PHI, electronic PHI or other data in violation of this Agreement or any Applicable Law; (ii)
any use or disclosure of PHI not provided for by this Agreement of which it
becomes aware, including any Breaches of Unsecured PHI, in accordance with 45
C.F.R. 164.410 or 45 C.F.R. § 164.504(e)(2)(ii)(C) or any other HIPAA Rule; (iii)
any Security Incident of which MedExpert becomes aware in accordance with 45
C.F.R. § 164.314(a)(2)(C); or (iv) any incident that involves an unauthorized
acquisition, access, use, or disclosure of PHI, even if MedExpert believes the
incident will not rise to the level of a Breach.
The notification shall include, to the extent possible, and shall be supplemented
on an ongoing basis with: (i) the identification of
all individuals whose Unsecured PHI was or is reasonably believed to have been
accessed, acquired, used, disclosed or involved; (ii) all other information
reasonably requested by Covered Entity to enable Covered Entity and MedExpert
to perform and document Risk Assessments in accordance with 45 C.F.R. Part 164
subparts C, D and E including 45 C.F.R. 164.308 with respect to the incident to
determine whether a Breach of Unsecured PHI occurred; (iii) the incident,
including the date of the Breach and the date of the discovery of the Breach,
if known; (iv) who made the unauthorized use or received the unauthorized
disclosure; (v) the types of Unsecured PHI involved in the Breach; (vi) any
specific steps the Individual should take to protect him or herself from
potential harm related to the Breach; (vii) what the Business Associate is
doing to investigate the Breach, to mitigate harm to Individuals and to protect
against further Breaches; (viii) contact procedures for how the Individual can
obtain further information from MedExpert; (ix) such other information,
including the Risk Assessment analysis prepared by MedExpert, as Required by
Law or as reasonably requested by the Covered Entity or the Privacy Official,
and (x) all other available information reasonably necessary or required to
provide notice to Covered Entity, any other applicable covered entities,
Individuals, HHS or the media, all in accordance with the data breach
notification requirements set forth in 45 C.F.R. Parts 160 & 164.
Notwithstanding the foregoing, in Covered Entity’s sole discretion and in
accordance with its directions, MedExpert shall conduct, or pay the costs of
conducting, an investigation of any incident required to be reported under this
Section 2.4. If in the opinion of the Covered Entity the incident qualifies as
a Breach, MedExpert shall carry out the appropriate notification
responsibilities, at its sole cost and expense, if so
directed by Covered Entity, after receiving the Covered Entity's approval of MedExpert's
plan of proposed notifications and the specific content of such notifications
or shall reimburse Covered Entity for the cost and expense of such
notifications if Covered Entity chooses to make them. MedExpert shall require all of its subcontractors and agents who experience these
events related to the Covered Entity to report the event to MedExpert in such a
time so that MedExpert shall comply with the notification requirements
described in this section.
Corrective Action. MedExpert shall take: (i) prompt corrective action to cure any deficiencies which
led or could lead to a Breach or a Security Incident; and (ii) any action
pertaining to such unauthorized disclosure required by Applicable Laws and with
Covered Entity's approval as to the actions to be taken, which shall not be
unreasonably withheld. MedExpert shall conduct a Risk Assessment to determine
whether a Breach occurred and inform the Covered Entity of its assessment.
MedExpert's Subcontractors and Agents.
To the extent that MedExpert uses one or more subcontractors or agents,
including any person to whom MedExpert delegates a function, activity or
service, or who may create, receive, maintain, transmit or have access to PHI,
then each such subcontractor or agent shall sign an agreement with MedExpert
containing the same provisions, restrictions and conditions on the use or
disclosure of PHI that apply to MedExpert as this Agreement, including all
terms and conditions mandated by the Privacy Rule and the Security Rule, including
but not limited to, 45 C.F.R. 164.502(e)(1), 164.504(e)(2)(ii)(D),
164.308(b)(2) and 164.314(a)(2)(iii) (the "Subcontractor Agreement").
MedExpert shall obtain satisfactory assurances that its subcontractor or agent
will appropriately safeguard the PHI. To the extent that MedExpert provides PHI
or ePHI to a subcontractor or agent, it shall require the subcontractor or
agent to implement reasonable and appropriate safeguards to protect PHI and the
ePHI consistent with the requirements of this Agreement, and further
identifying Covered Entity as a third party
beneficiary with rights of enforcement and indemnification from such
subcontractors or agents in the event of any violation of the Subcontractor
Agreement. MedExpert shall implement and maintain sanctions against agents and
subcontractors that violate such restrictions and conditions and shall mitigate
the effects of any such violation and shall be responsible for any costs and
liabilities therefrom. MedExpert shall be liable to Covered Entity for any
acts, failures or omissions of the agent or subcontractor in providing the
services as if they were MedExpert's own acts, failures or omissions, to the
extent permitted by Applicable Law. MedExpert further expressly warrants that
its agents or subcontractors will be specifically advised of, and will comply
in all respects with, the terms of this Agreement.
Governmental Access to Records. Unless
otherwise prohibited by Applicable Law, MedExpert shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (the "Secretary") for purposes of determining
compliance with HIPAA and HIPAA Rules. MedExpert shall immediately notify
Covered Entity upon receipt by MedExpert of any such requests for access by the
Secretary of HHS, and shall provide Covered Entity
with a copy thereof as well as a copy of all materials disclosed pursuant
thereto. MedExpert shall provide to Covered Entity a copy of any PHI that MedExpert
provides to the Secretary concurrently with providing such PHI to the
Secretary.
Documentation of Disclosures. MedExpert
agrees to document any requests for disclosures of PHI and provide information
related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance
with 45 C.F.R. 164.528. In the event that the request for an accounting is delivered
directly to MedExpert or its subcontractors or agents, MedExpert shall within
five (5) business days of a request forward it to Covered Entity in writing.
Upon receipt of such a request directly from an Individual or forwarded from MedExpert,
Covered Entity shall request that MedExpert shall document and make available
to Covered Entity the information necessary for Covered Entity (or its
applicable Covered Entity customer) to make an accounting of disclosures of PHI
about an Individual to the requesting Individual. MedExpert shall comply with
such request within ten (10) business
days after receiving a written request from Covered Entity and shall provide
such information to the Covered Entity or, when and as directed by Covered
Entity, make that information available directly to an Individual, all in
accordance with the requirements for accounting for disclosures in the HIPAA
Rules, including 45 C.F.R. § 164.528.
MedExpert agrees to implement a process that allows for an accounting of disclosures to
be collected and maintained by MedExpert and its subcontractors and agents for
at least six (6) years prior to the request for the accounting in accordance
with 45 C.F.R. 164.528 and all Applicable Law. At a minimum, such information
shall include: (A) the date of disclosure; (B) the name of the entity or person
who received PHI and, if known, the address of the entity or person; (C) a
brief description of PHI disclosed; and (D) a brief statement of purpose of the
disclosure that reasonably informs the Individual of the basis for the
disclosure, or a copy of the Individual's authorization, or a copy of the
written request for disclosure. It shall be Covered Entity's responsibility to
prepare and deliver any such accounting of disclosures requested to the
Individual. MedExpert shall not disclose any PHI except as permitted by this
Agreement.
Access to PHI. MedExpert shall make PHI maintained by MedExpert or
its subcontractors or agents in Designated Record Sets about an Individual available (i) to Covered Entity for inspection and copying within five (5)
business days of a request by Covered Entity (whether an original request or a
request from Covered Entity which was forwarded to it per below) to enable
Covered Entity to fulfill its obligations under the Privacy Rule, including,
but not limited to, 45 C.F.R. Section 164.524, or (ii) when and as directed by
Covered Entity, MedExpert shall provide that access directly to an Individual,
all in accordance with the requirements of 45 C.F.R. § 164.524. In the event that the request for access to PHI is delivered
directly to MedExpert or its agents or subcontractors, MedExpert shall within
five (5) business days of a request, forward it to Covered Entity in writing.
It shall be Covered Entity's responsibility to respond to any such request for
access to PHI. MedExpert shall not disclose any PHI except as permitted by this Agreement.
Electronic Copies. Notwithstanding Section 2.9, in the event that MedExpert uses or maintains an electronic
health record of PHI of or about an Individual, then MedExpert shall provide an
electronic copy (at the request of Covered Entity, and in the reasonable time
and manner requested by Covered Entity but in no event more than five (5)
business days after the request) of the PHI, to Covered Entity or, when and as
directed by Covered Entity, directly to an Individual.
Amendment of PHI. To the extent that MedExpert maintains
Designated Record Sets, within ten (10) business days of receipt of a request from Covered Entity for an amendment of PHI or a record about an Individual contained in a Designated Record Set, MedExpert or
its agents or subcontractors shall make such PHI available to Covered Entity for amendment and incorporate any such amendment to enable Covered Entity to fulfill its obligations under the Privacy Rule, including, but
not limited to, 45 C.F.R. Section 164.526. If any Individual requests an
amendment of PHI directly from MedExpert or its agents or subcontractors, MedExpert
must notify Covered Entity in writing within five (5) business days of the
request as it shall be Covered Entity's responsibility to determine whether any
such amendment should be made and to make any such amendments. Any denial of
amendment of PHI maintained by MedExpert or its agents or subcontractors shall
be the responsibility of Covered Entity. MedExpert shall not disclose any PHI
except as permitted by this Agreement.
Communication on Requests. MedExpert shall accommodate requests
for confidential communications in accordance with 45 C.F.R. § 164.522, as
directed by Covered Entity or, if applicable, as directed by the Individual to
whom the PHI relates, with the consent of Covered Entity. MedExpert shall also
notify Covered Entity in writing within five (5) business days after MedExpert’s receipt directly from an Individual of any request for an
accounting of disclosures, access to, or amendment of PHI or for confidential
communications as contemplated in Sections 2.8-2.11.
Minimum PHI Necessary. MedExpert (and its agents or
subcontractors) shall request, use or disclose only the minimum amount of PHI
necessary to accomplish the purpose of the request, use or disclosure as per 45
C.F.R. 164.502(b). MedExpert shall maintain a written policy delineating the standards
it will use in determining the minimum necessary information for its uses and
disclosures of PHI in accordance with standards set forth in the Privacy Rule.
Prohibited Payments. MedExpert shall not directly or indirectly
receive remuneration or payment in exchange for any PHI and shall not sell any
PHI. MedExpert shall not receive direct or indirect remuneration or
payment for marketing or marketing communications which include PHI relating to
Covered Entity or its Individuals.
Prohibited Communications. MedExpert shall not make or cause to be
made any communication about a product or service that is not considered a
Health Care Operation.
Mitigation. MedExpert shall mitigate, to the extent practicable,
any harmful effect that is known to MedExpert of a use or disclosure of PHI by MedExpert
that is not permitted by this Agreement.
Compliance with Law. MedExpert shall comply with all Applicable Laws.
Domestic Use. MedExpert shall not use, transfer, transmit, or
otherwise send or make available, any PHI outside of the geographic confines of
the United States of America without Covered Entity’s advance written consent.
Government Program Requirements. To the extent that MedExpert
receives, uses or discloses PHI pertaining to Individuals enrolled in managed
care plans through which Covered Entity participates in government funded
health care programs, receipt, use and disclosure of the PHI pertaining to those
Individuals shall comply with the applicable program requirements.
Data Ownership. MedExpert acknowledges that MedExpert has no
ownership rights with respect to the PHI.
Retention of PHI. MedExpert and its subcontractors or agents shall
retain all PHI throughout the term of the Agreement and shall continue to maintain such information for a period of no less than six (6)
years after termination of the Agreement.
Contradictory Terms; Construction of Terms. This Agreement shall
be interpreted as broadly as necessary to implement and comply with HIPAA and
the HIPAA Rules. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a
meaning that complies and is consistent with HIPAA and the HIPAA
Rules. To the extent any provision of this Agreement appears contradictory to,
or ambiguous with, another term of this Agreement (“Contradictory Terms”), the
Contradictory Terms shall be interpreted for the purpose of the Covered
Entity’s and MedExpert's compliance with HIPAA and the HIPAA Rules, and shall
be superseded to the extent and only to the extent necessary to resolve such
contradiction or ambiguity provided that the terms of this Agreement shall be
construed to allow for compliance by the Covered Entity and MedExpert with
HIPAA and the HIPAA Rules.
Survival. The provisions of this Agreement regarding
indemnification, Article 4, Article 5 and protection of PHI shall survive the
expiration or termination for any reason of this Agreement.
Changes to Terms
MedExpert reserves the right, in its sole discretion, to change the Terms under which www.medexperthealth.com is offered. The most current
version of the Terms will supersede all previous versions. MedExpert
encourages you to periodically review the Terms to stay informed of our updates.
Contact Us
MedExpert welcomes your questions or comments regarding the
Terms:
MedExpert International, Inc.
1300 Hancock Street
Redwood City, California 94063
Email Address: notification@medexpert.com
Effective as of February 1, 2024