Master Services Agreement

This Master Service Agreement (this "Agreement") by and between Eko Health, Inc., a Delaware corporation with offices located at 2100 Powell Street, Suite 300, Emeryville, California 94608 ("Eko") and the entity listed on the Order Form ("Customer"), is effective as of the latter of Eko or Customer’s execution below (the “Effective Date”). Eko and Customer may be referred to herein collectively as the "Parties" or individually as a "Party."

WHEREAS, Eko provides medical devices including digital stethoscopes and EKG devices as well as Software and Services enabling the transmission and analysis of health information procured by Eko medical devices.

WHEREAS, Customer desires for its Authorized Users to use the medical devices and access the Software and Services, and Eko desires to provide Customer and its Authorized Users with access to the Software or Services, subject to the terms and conditions of this Agreement.

NOW, THEREFORE, in consideration of the mutual covenants, terms, and conditions set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. Definitions.

(i) "Aggregated Statistics" means data and information related to Customer's use of the Services or Software that is used by Eko in an aggregate and anonymized manner, including to compile statistical and performance information related to the provision and operation of the Services or Software.

(ii) "Authorized User" means Customer's employees, consultants, contractors, patients, and agents (i) who are authorized by Customer to access and use the Devices, Services or Software under the rights granted to Customer pursuant to this Agreement and (ii) for whom access to the Devices, Services or Software has been purchased hereunder.

(iii) “Confidential Information” means any competitively sensitive or secret business, marketing, or technical information disclosed by one Party (a “Disclosing Party”) to the other Party (a “Receiving Party”).  Confidential Information shall include source code, development-level documentation, Customer Data, technical information, and all other data or materials related to the past, present, or future business activities of a Disclosing Party or any of its subsidiaries, affiliates, or clients, including methods, processes, telephone conversation, financial data, systems, participant names, account numbers, lists, statistics, programs, and research and development pertaining to a Disclosing Party's business.  Confidential information shall not include: (i) information that is or becomes generally available or known to the public through no fault of the Receiving Party; (ii) information that was already known by or available to the Receiving Party without obligation of confidentiality to the party who disclosed the information; (iii) information that is subsequently disclosed to the Receiving Party by a third party who is not under any obligation of confidentiality to the party who disclosed the information; (iv) information that has already been or is hereafter independently acquired or developed by the Receiving Party without violating any confidentiality agreement or other similar obligation; (v) information that is de-identified and aggregated with other information; or (vi) Protected Health Information (“PHI”).

(iv) "Customer Data" means, other than Aggregated Statistics, information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Customer or an Authorized User through the Services or Software, including, without limitation, body sounds and EKG data.

(v) “Devices” means Apple iPad, device cart, Eko CORE, 3M Littmann CORE, and/or Eko DUO.

(vi) "De-Identified Data" means Customer Data which has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rules.

(vii) "Documentation" means Eko's user manuals and other documentation relating to the Devices, Software or Services made available by Eko to Customer either electronically or in hard copy form.

(viii) "Eko IP" means the Services, the Devices, the Software, the Algorithms, the Documentation, and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing. For the avoidance of doubt, Eko IP includes Aggregated Statistics and any information, data, or other content derived from Eko's monitoring of Customer's access to or use of the Software or Services, but does not include Customer Data.

(ix) "Services" means the Eko software-as-a-service offerings as set forth in the Order Forms, which may include Eko AI algorithm analyses, Eko Dashboard (ekodevices.com), Eko Livestream, and Eko Telehealth that are accessible through the Eko app.

(x) "Software" means downloadable software provided to Customer by Eko, including, without limitation, the Eko Windows Application, Eko iOS Application, and Eko Android Application.

2. Access and Use.

(i) Provision of Access. Subject to the terms and conditions of this Agreement, Eko hereby grants Customer a limited, non-exclusive, non-transferable right to access and use the Devices, Software, Services, and Documentation during the Term, solely for use by Authorized Users. Such use is limited to Customer's internal business purposes only. Eko shall provide to Customer the necessary passwords and network links or connections to allow Customer to access the Software and Services. Authorized Users will have a unique identifier and password. The Authorized User shall not share the log-on details or passwords with any other person. If it is determined by Eko that Customer’s Authorized Users have shared the log-in details or passwords, Customer shall be liable for additional Authorized User fees. 

(ii) Use Restrictions. Customer shall not use the Devices, Software, Services, or Documentation for any purposes beyond the scope of the access granted in this Agreement. Customer shall not at any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify, or create derivative works of the Devices, Software, Services or Documentation, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Devices, Software, Services or Documentation to individuals other than Authorized Users; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Devices, Software or Services, in whole or in part; (iv) remove any proprietary notices from the Devices, Software, Services or Documentation; or (v) use the Devices, Software, Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law. Company shall require Authorized Users to use the Devices, Software and Services in accordance with this Agreement and the Documentation. Customer shall be liable for fees if Customer loses any Devices provided by Eko to the Customer. If Customer breaks any Devices (outside of the standard Eko warranty), Customer shall be liable for fifty percent (50%) of the fees for any replacement Devices. At the end of the Term of the Program, Customer shall return to Eko all Devices provided to Customer for the Program.

(iii) Reservation of Rights. Eko reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Eko IP.

(iv) Suspension. Eko may temporarily suspend Customer's and any Authorized End User's access to any portion or all of the Software or Services (in each instance, a “Suspension”) if:

(i) Eko reasonably determines that: (A) there is a threat or attack on any of the Eko IP; (B) Customer's or any Authorized End User's use of the Eko IP disrupts or poses a security risk to the Eko IP or to any other customer or vendor of Eko; (C) Customer, or any Authorized End User, is using the Eko IP for fraudulent or illegal activities; or (C) Eko's provision of the Software or Services to Customer or any Authorized End User is prohibited by applicable law;

(ii) Any vendor of Eko has suspended or terminated Eko's access to or use of any third-party services or products required to enable Customer to access the Software or Services.

Eko shall use commercially reasonable efforts to provide written notice of any Suspension to Customer and to resume providing access to the Software or Services as soon as reasonably possible after the event giving rise to the Suspension is cured. Eko will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Suspension. Eko shall have the right to terminate this Agreement if there is continue violations as set forth in Section 2(iv) and Eko shall not be liable for any damages associated with terminating the Services or Software.

(v) Aggregated Statistics and De-Identified Data. Eko continuously strives to evaluate and improve the reliability and diagnostic value of its Devices, and the Software and Services with which they may be used. Aggregated Statistics and De-Identified Data provide an important resource for improving Eko’s offerings.  Thus, notwithstanding anything to the contrary in this Agreement, Eko may monitor Customer's use of the Software or Services and collect, compile and utilize for its own business purposes Aggregated Statistics and De-Identified Data. As between Eko and Customer, all right, title, and interest in Aggregated Statistics, and all intellectual property rights therein, belong to and are retained solely by Eko.  Customer agrees that Eko may (i) make Aggregated Statistics publicly available in compliance with applicable law, and (ii) use Aggregated Statistics to the extent and in the manner permitted under applicable law; provided that such Aggregated Statistics do not identify Customer or Customer's Confidential Information.   

(vi) Feedback. Notwithstanding the foregoing, any feedback, suggestions, comments, improvements, or know-hows provided by Customer to Eko concerning the Services, Software, or Devices shall be deemed Eko’s IP and Eko shall have the ability to utilize the information without any restrictions.

3. Customer Responsibilities.

(i) General. Customer is responsible and liable for all uses of the Devices, Software, Services and Documentation resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall use reasonable efforts to make all Authorized Users aware of this Agreement's provisions as applicable to such Authorized User's use of the Devices, Software, or Services, and shall cause Authorized Users to comply with such provisions.

(ii) Consent Obligation. Customer is responsible for obtaining the appropriate consent from patients in order to collect the patient’s PHI through the Services and to provide said patient’s PHI to Eko. The consent received from the patient should include at minimum: 1) a description of the Device and Services; 2) a description of the information that will be collected through the Services; 3) the fact that Eko will have access to PHI; and 4) a weblink or physical copy of the Eko Privacy Policy.

4. Fees and Payment.

(i) Fees. Customer shall pay Eko the fees ("Fees") as set forth in any applicable order form, as agreed to by the Pa Customer shall make all payments on or before the due date set forth in the quotation or order form agreed to by the Parties.

(ii) Taxes. All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, or excise taxes or duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Eko's income, unless Customer provides Eko with a valid tax exemption certificate.

(iii) Overdue Payments. All undisputed amounts not paid within thirty (30) days of the due date are subject to a late payment charge of one and a half percent (1.5%) per month simple interest (or, if less, the maximum rate allowed by applicable law) from the due date until the date of payment. All undisputed amounts not paid within sixty (60) days of the due date, may be sent by Eko to an attorney or collection agency and Eko may, at its sole discretion, suspend provision of the Software or Services although fees would continue to accrue during suspension. Customer shall be responsible for paying all costs of collection, including, but not limited to reasonable attorneys’ fees and, where lawful, collection agency fees.

5. Confidentiality and HIPAA.

(i) Requirements. Each Receiving Party acknowledges that it will be exposed to Confidential Information of the Disclosing Party during the performance of this Agreement and shall only be entitled to use such Confidential Information for the purposes intended hereunder. Each Receiving Party agrees it will use the same degree of care, but at no time less than reasonable care, in protecting the Confidential Information from disclosure to others as it uses in protecting its own Confidential Information of a similar nature.  Each Receiving Party agrees not to disclose Confidential Information of the Disclosing Party to any third party without the prior written consent of the Disclosing Party.  The Receiving Party may disclose Confidential Information of the Disclosing Party to the Receiving Party's employees (collectively, “Representatives”), only on a need-to-know basis. Each party shall be responsible and liable for ensuring its Representatives comply with the terms of this Section 5 and any breach of this Section 5 by a Party’s Representatives shall be deemed a breach by such Party.

(ii) Injunction. Each Party acknowledges and agrees that the other Party may suffer irreparable loss and damage if the Receiving Party should breach or violate any of the covenants and agreements contained in this Section 5, and that damages at law may be an inadequate remedy to the Disclosing Party. Each Party further acknowledges and agrees that each of such covenants is reasonably necessary to protect and preserve the legitimate business interests and assets of the Disclosing Party. Therefore, as a material inducement for each Party to enter into this Agreement, each Party agrees and consents that, in addition to any other remedies available to the other Party, such other Party shall be entitled to preliminary and permanent injunctive relief to prevent a breach of any of the covenants or agreements contained in this Section, without prejudice to any other right or remedy, legal or equitable, to which such other Party may be entitled.  The Parties agree that no bond or other security shall be required to obtain such injunctive relief.

(iii) Business Associate Agreement. The parties agree PHI is not Confidential Information as defined herein and shall be governed solely and exclusively by the Business Associate Agreement (“BAA”) attached hereto.

6. Intellectual Property Ownership.

(i) Eko IP. Customer acknowledges that, as between Customer and Eko, Eko owns all right, title, and interest, including all intellectual property rights, in and to the Eko IP. Customer does not acquire any rights, express or implied, in any Eko IP whatsoever. All applicable rights to patents, copyrights, trademarks, trade secrets in any Device, Software, Service, or Eko IP are and shall remain with Eko.

(ii) Customer Data. Eko acknowledges that, as between Eko and Customer, Customer owns all right, title, and interest, including all intellectual property rights, in and to the Customer Data. Customer hereby grants to Eko (i) a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Eko to provide the Software or Services to Customer, and (ii) a non-exclusive, perpetual, irrevocable, sublicensable, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Customer Data incorporated within the Aggregated Statistics and De-Identified Data for any purpose, including, without limitation, development and improvement of algorithms for analysis of data procured by Eko medical devices (“Algorithms”).

7. Warranties

(i) Eko represents and warrants that when installed, the Software and Services will possess the functional capabilities described in the Documentation and will perform such functions without material defects on hardware approved by Eko and operate in accordance with applicable laws.

(ii) Eko represents and warrants that when first made available to Customer, the Software and Services shall not contain any malware including, without limitation, any automatic shut-down, lockout, virus, spyware, worm, trap door, Trojan horse, back door, time bomb or other similar mechanism.

(iii) EXCEPT AS OTHERWISE STATED HEREIN, THE EXPRESS WARRANTIES SET FORTH IN THIS AGREEMENT ARE EXCLUSIVE AND THE ONLY WARRANTIES MADE BY EKO TO CUSTOMER. EKO HEREBY DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. EKO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. EKO MAKES NO WARRANTY OF ANY KIND THAT THE EKO IP, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER'S OR ANY OTHER PERSON'S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.

8. Intended Use; Compliance With Laws; Indemnification.

(i) It is the responsibility of Customer and its Authorized Users to confirm that Authorized Users of the Devices, Services, Software and Eko devices have appropriate qualifications, training and expertise for their indications for use as set forth by the Department of Health and Human Services Food and Drug Administration for the Devices, Services and Software; and interpret any information provided by or through the Services and Software, in combination with other information, as one portion of a professional health assessment. The Devices, Services, and Software shall not be a substitute for an Authorized Users’ professional medical judgment. For clarity, Eko DUO 1, Eko DUO Second Generation, and any Eko AI algorithm analyses shall be used when obtaining a medical prescription, and EKO AI algorithm analyses must be reviewed by a physician.

(ii) Health care regulation varies by jurisdiction, and depending on your location, local telemedicine restrictions may restrict your ability to utilize some aspects of the Devices, Software and the Services. It is the responsibility of Customer and its Authorized Users to ensure that their use of the Devices, the Software, the Services by Customer or any Authorized User, is in accordance with all local laws and regulations.

(iii) Discounts. The dollar value of the discounts, incentives, or rebates provided hereunder, if any, are intended by the parties to be "discounts and other reductions in price" under Section 1128B (b) (3) (A) of the Social Security Act (42 U.S.C. § 1320-a-7b (b) (3) (A)), as amended.  It is the intent of the Parties that all services and payments in this Agreement comply with the Anti-Kickback Statute.  The Discount Safe Harbor may require that certain discounts be reported to Federal and State health care programs, such as Medicare and Medicaid, and Eko agrees to cooperate to provide Customer with relevant information to support any such reporting.

(iv) Eko Indemnification.

(i) Eko shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, costs (including reasonable attorneys' fees) ("Losses") incurred by Customer resulting from any third-party claim, suit, action, or proceeding ("Third-Party Claim") (A) based on Eko’s gross negligence or willful misconduct; or (B) that the Software or Services, or any use of the Software or Services in accordance with this Agreement, infringes or misappropriates such third party’s US intellectual property rights, provided that Customer promptly notifies Eko in writing of the claim, cooperates with Eko, and allows Eko sole authority to control the defense and settlement of such claim, provided that such settlement does not impose a payment obligation on Customer, does not require Customer to admit or acknowledge any fault or guilt, and obtains a complete release for Customer. If the settlement of the claim does require Customer to admit or acknowledge fault or guilt, Eko shall obtain Customers consent which shall not be unreasonably withheld, delayed, or conditioned. This section shall survive the termination or expiration of this Agreement for any reason.

(ii) If such an Indemnification claim of infringement is made, Eko may, at Eko’s sole discretion, to (A) modify or replace the Software or Services, or component or part thereof, to make it non-infringing, or (B) obtain the right for Customer to continue use. If Eko determines that neither alternative is reasonably available, Eko may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer. This Section 8(c)(ii) is Eko’s entire liability and Customer’s exclusive remedy for infringement.

(iii) Eko’s indemnification obligations will not apply to the extent that the alleged infringement arises from Customer’s: (A) use of the Services or Software in combination with data, software, hardware, equipment, or technology not provided by Eko; (B) authorized by Eko in writing or modifications to the Services or Software not made by Eko or authorized by Eko in writing; or (C) use of the Services or Software in a manner other than as set forth in the Documentation or authorized by Eko in writing.

(v) Customer Indemnification. Customer shall indemnify, hold harmless, and, at Eko's option, defend Eko from and against any Losses resulting from any Third-Party Claim that, through the intended functionality of the Devices, Software and Services, Customer or any Authorized User has transmitted or disclosed the Customer Data in an unauthorized or illegal manner, and any Third-Party Claims based on Customer's or any Authorized User's (i) gross negligence or willful misconduct; (ii) use of the Devices, Services or Software in a manner not in accordance with the Documentation; (iii) use of the Devices, Services or Software in combination with data, software, hardware, equipment or technology not provided by Eko or authorized by Eko in writing; or (iv) modifications to the Devices, Services or Software not made by Eko, provided that Customer may not settle any Third-Party Claim against Eko unless Eko consents to such settlement, and further provided that Eko will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.

(vi) Limitations of Liability.

EKO WILL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF DATA, OR LOSS OF BUSINESS OR CONFIDENTIAL INFORMATION) ARISING OUT OF THE USE OF OR INABILITY TO USE THE EKO DEVICES, SOFTWARE AND SERVICES.  EKO’S MAXIMUM LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED THE AMOUNTS PAID BY THE CUSTOMER UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE FIRST EVENT, ACTION, OR OMISSION GIVING RISE TO THE EKO’S LIABILITY.

THE DEVICES, SOFTWARE, SERVICES, AND DOCUMENTATION DO NOT PROVIDE MEDICAL DIAGNOSIS OR ADVICE.  EKO IS NOT A LICENSED HEALTH CARE PROVIDER, NOR DOES IT RENDER HEALTHCARE ADVICE OR SERVICES.  THE DEVICES, SOFTWARE, SERVICES, AND DOCUMENTATION ARE NOT A REPLACEMENT FOR THE ADVICE OF A MEDICAL PROFESSIONAL.  CUSTOMER AND ITS USERS ARE SOLELY RESPONSIBLE FOR USING THEIR OWN PROFESSIONAL JUDGMENT IN ASSESSING THE VALIDITY AND USEFULNESS OF ANY RESULTS OR OTHER INFORMATION MADE AVAILABLE THROUGH THE SERVICES OR SOFTWARE.  USE OF THE SERVICES DOES NOT CREATE A PHYSICIAN-PATIENT RELATIONSHIP. CUSTOMER IS RESPONSIBLE FOR COMPLIANCE WITH HIPAA STANDARDS.

9. Term and Termination.

(i) Term. The term of this Agreement begins on the Effective Date and will continue for a period of one (1) year (“Initial Term”). Unless either Party notifies the other of its intent not to renew this Agreement at least thirty (30) days prior to the expiration of the then-current term, this Agreement will automatically renew for subsequent terms of one (1) year or such other duration as may be specified on a renewal quotation or order form executed by the Parties (each a “Renewal Term”; the Initial Term and any Renewal Terms referred to as “Term”)

(ii) Termination. In addition to any other express termination right set forth in this Agreement:

(i) If there shall be a failure in the performance or observance of any other agreement or condition contained herein on the part of either Party to be performed or observed and such failure shall not be corrected within thirty (30) days after such Party shall receive notice from the other Party of such failure, then the non-defaulting Party shall have the right, at its election, by notice to the defaulting Party to terminate this Agreement on the date designated therefor in said notice, which date shall be not less than thirty (30) days after the receipt of such notice by the defaulting Party.

(ii) either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.

(iii) Effect of Expiration or Termination. No expiration or termination will affect Customer's obligation to pay all Fees that may have become due before such expiration or termination, or entitle Customer to any refund.

(iv) Survival. This Section 9(iv) and Sections 1, 4, 5, 6, 7, 8, and 10 survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement.

10. Miscellaneous.

(i) Entire Agreement.  This Agreement contains the entire agreement between the Parties and supersedes all prior negotiations or agreements, whether written or oral, between them with respect to the matters set forth herein. This Agreement may be amended only in writing signed by both Parties. The section headings contained in this Agreement are for convenience of reference only and will not be used for substantive purposes. Should any part of this Agreement be declared invalid or unenforceable for any reason, such decision shall not affect the validity of the remainder of this Agreement, which will remain in full force and effect and enforceable in accordance with its terms. This Agreement and any amendment hereto may be executed in counterparts, and electronically signed, scanned, or facsimile signatures will have the same effect as original manual signatures. The waiver by either Party of a breach or violation of any provision hereunder will not constitute a waiver of any prior simultaneous, or subsequent breach of the same or any other provision hereof.

(ii) Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a "Notice") must be in writing and addressed to the Parties at the addresses set forth on the last page of this Agreement.

(iii) Force Majeure. In no event shall either Party be liable to the other Party, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement (except for any obligations to make payments), if and to the extent such failure or delay is caused by any circumstances beyond such Party's reasonable control, including but not limited to acts of God, flood, fire, earthquake, explosion, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority after the Effective Date of this Agreement, including imposing an embargo. (“Force Majeure Event”). If a Force Majeure Event persists for thirty (30) days or longer, either Party may terminate this Agreement upon written notice to the other Party.

(iv) Amendment and Modification; Waiver. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.

(v) Publicity. Eko shall be entitled to utilize Customer’s name and Customer’s trademark or logo in marketing content, including but not limited to Eko’s website, and marketing materials that identify Customer as Eko’s client.

(vi) Severability If any provision of this Agreement is invalid under any applicable statute or rule of law, it is to that extent to be deemed omitted. The remainder of the Agreement shall be valid and enforceable to the maximum extent possible.

(vii) Governing Law; Submission to Jurisdiction. This Agreement shall be construed in accordance with the laws of the State of California. Any proceeding arising between the Parties in any matter pertaining or related to this Agreement shall, to the extent permitted by law, be held in Alameda County, California.

(viii) Assignment. Customer may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without the prior written consent of Eko, which consent shall not be unreasonably withheld. Any purported assignment or delegation in violation of this Section will be null and void. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.

(ix) Export Regulation. Customer agrees to comply with the export laws and regulations of the United States and any other country with jurisdiction over the Devices, Software and Services.

(x) Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.

(xi) Attorneys’ Fees.  Except as otherwise set forth herein, in the event that either Party finds it necessary to employ the services of any attorney to enforce any of its rights hereunder, the prevailing Party will be entitled to receive from the non-prevailing Party all of those costs it incurred including, but not limited to, the fees and costs of its attorneys, paralegals and consultants incurred as a result of such enforcement action and all appeals thereof.

(xii) Nature of Relationship. The nature of the Parties’ relationship under this Agreement will be that of an independent contractor. Nothing herein will be interpreted or applied to create a Partnership, joint venture, principal and agent, employment or other relationship between Eko and Customer. 

 

This Business Associate Agreement (“BAA”) is effective as of the date of the last signature below (the “Effective Date”), and is entered into by and between Customer (the “Covered Entity”) and Eko Health, Inc. (“Eko”) (each a “Party” and collectively the “Parties”).

RECITALS

WHEREAS, Eko performs certain services for or on behalf of Covered Entity relating to digital stethoscopes and EKG devices enabling the transmission and analysis of health information procured by Eko medical devices that involve the use or disclosure of “PHI”, as that term is defined herein, which services are reflected in one or more separate written contracts between Eko and Covered Entity, (the “Underlying Contract(s)”).

WHEREAS, the Parties are committed to compliance with the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder, as amended from time to time, (“HIPAA”) Title XIII, Subtitle D, of the American Recovery and Reinvestment Act of 2009 (P.L. 111-5), known as the Health Information Technology for Economic and Clinical Health Act, as amended (the “HITECH Act”), and the implementing regulations for HIPAA and the HITECH Act, including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, set forth at 45 C.F.R. Part 160 and Part 164 (Subparts A and E) (the “Privacy Rule”), the Security Standards for the Protection of Electronic Protected Health Information, set forth at 45 C.F.R. Part 160 and Part 164 (Subparts A and C) (the “Security Rule”), the Standards for Electronic Transactions, set forth at 45 C.F.R. Parts 160 and 162 (the “Electronic Transactions Rule”), and the Breach Notification for Unsecured Protected Health Information, set forth at 45 C.F.R. Parts 160 and 164 (Subpart D) (the “Breach Notification Rule”), as such implementing regulations may have been or may in the future be amended from time to time (the Privacy Rule, the Security Rule, the Electronic Transactions Rule and the Breach Notification Rule, as amended from time to time, are referred to collectively as the “Rules”) (HIPAA, the HITECH Act, and the Rules, collectively, the “HIPAA Laws”).

WHEREAS, the purpose of this BAA is to satisfy the obligations of Covered Entity under the HIPAA Laws and to ensure the integrity and confidentiality of PHI held, transmitted, disclosed, received or created by Eko from or on behalf of Covered Entity.

NOW, THEREFORE, in consideration of the foregoing recitals and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. Definitions. Unless otherwise defined in this BAA, all capitalized terms used in this BAA have the meanings ascribed to such term in the HIPAA Laws, as applicable.
   1. “Breach” shall have the same meaning as that term is defined and used within the Breach Notification Rule.
   2. "Disclosure” and any variant thereof, whether or not capitalized, shall have the same meaning as that term is defined in the HIPAA Laws.
   3. “Discovery” shall mean, with respect to a use or disclosure by Eko not provided for by this BAA, including, without limitation, any Breach, the earlier to occur of: (i) Eko’s actual knowledge of such use or disclosure or (ii) the first day on which Eko, by exercising reasonable diligence, reasonably would have known (other than of the person committing the breach) of such use or disclosure.
   4. “Electronic Protected Health Information” or “ePHI” shall have the same meaning as the term “electronic protected health information” in the Security Rule, to the extent such information is created, maintained, received or transmitted by Eko from or on behalf of Covered Entity.
   5. “Individual” shall have the same meaning as the term “individual” in the Privacy Rule, and shall include a person who qualifies as a personal representative in accordance with the Privacy Rule.
   6. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in the Privacy Rule, to the extent such information is created, maintained, received or transmitted by Eko from or on behalf of Covered Entity. Where applicable, PHI shall also include ePHI.
   7. “Required by Law” shall have the same meaning as “required by law” as used in the Privacy Rule.
   8. “Secretary” shall mean the Secretary of the Department of Health and Human Services. 
   9. “Security Incident” shall have the same meaning as the term “security incident” in the Security Rule.
   10. “Subcontractor” shall mean any agent, subcontractor or other third party with whom Eko shares or otherwise makes available PHI subject to this BAA.
   11. “Use” and any variant thereof, whether or not capitalized, shall have the same meaning as that term is defined in the HIPAA Laws 
       
       
2. Scope. This BAA shall supplement and/or amend each of the Underlying Contract(s) only with respect to Eko’s use, and disclosure of PHI pursuant to the Underlying Contract(s) to allow Covered Entity and Eko to comply with the HIPAA Laws.  Except as so supplemented and/or amended, the terms of the Underlying Contract(s) shall continue unchanged and shall apply with full force and effect to govern the matters addressed in this BAA and in each of the Underlying Contract(s).
   
   
3. Permitted Activities of Eko. Unless otherwise limited or prohibited by this BAA, Eko may:

1. use and disclose PHI as necessary to perform the services of the Underlying Contracts or fulfill any other contractual obligations to Covered Entity or to carry out Covered Entity’s written instruction(s), provided that such use or disclosure would not violate the Privacy Rule or the Security Rule if done by Covered Entity.
2. use PHI in its possession as Required by Law or as necessary for its proper management and administration and to fulfill any present or future legal responsibilities.
3. disclose PHI in its possession to a third party if necessary for the purposes of its proper management and administration or to fulfill any present or future legal responsibilities, provided that: (i) the disclosure is Required by Law, as provided for in the Privacy Rule; or (ii) Eko has received from the third party reasonable assurances regarding its confidential handling of such PHI and that the PHI will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the third party and (iii) the third party notifies Eko of any instances of which it is aware in which the confidentiality of the information has been breached.
4. use PHI to provide Data Aggregation services relating to the Health Care Operations of the Covered Entity.
5. de-identify any and all PHI, provided that the de-identification conforms to the requirements of 45 C.F.R. 164.514 of the Privacy Rule and guidance issued by the Secretary from time to time.  The Parties agree that such de-identified information does not constitute “PHI” and the terms of this BAA shall no longer apply.
6. use or disclose PHI for purposes and to the extent authorized by the Individual.

4. Protection of PHI by Eko. With regard to its use and/or disclosure of PHI, Eko shall:

1. not Use or Disclose PHI other than as permitted or required by this BAA or as Required By Law.
2. use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA.
3. implement administrative, physical and technical safeguards and comply with the policies, procedures and documentation requirements of the Security Rule.
4. report to the Covered Entity any use or disclosure of PHI not provided for by this BAA, including without limitation: (i) any Breach; or (ii) Security Incident without unreasonable delay, but in no event later than thirty (30) days following its Discovery.  The Parties acknowledge and agree that this section constitutes notice by Eko to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required.  “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Eko’s firewall, port scans, unsuccessful log-on attempts, denial of service of attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
5. use commercially reasonable efforts to mitigate any deleterious effect that is known to Eko of an improper use or disclosure of PHI by Eko in violation of the requirements of this BAA.
6. ensure that any Subcontractor that may receive PHI from Eko enters into an agreement or similar arrangement with Eko which contains substantially similar restrictions and limitations on Subcontractor as those imposed upon Eko in this BAA. 
7. if Eko maintains PHI in a Designated Record Set, following a written request from Covered Entity, provide access to PHI in such Designated Record Set, directly to Covered Entity for Covered Entity to comply with its obligations under the Privacy Rule in responding to an Individual’s request for access their PHI. In the event any Individual requests access to PHI directly from Eko, Eko shall within ten (10) business days forward such request to Covered Entity.  Any denials of access to the PHI requested shall be the exclusive responsibility of the Covered Entity.
8. if Eko maintains PHI in a Designated Record Set, following a written request from Covered Entity, make available to the Covered Entity such PHI necessary for Covered Entity to comply with its obligations under the Privacy Rule in responding to an Individual’s request for amendment and Eko shall incorporate any amendments to the PHI as directed or instructed by Covered Entity.  In the event any Individual requests an amendment to PHI directly by Eko, Eko shall within ten (10) business days forward such request to Covered Entity.
9. make available to the Covered Entity the information required for the Covered Entity to provide an accounting of disclosures of PHI as required by the Privacy Rule.  In the event any Individual requests an accounting of PHI directly from Eko, Eko shall within ten (10) business days forward such request to the Covered Entity.
10. make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Laws, subject to attorney-client and other applicable privileges.
11. to the extent that Eko carries out one or more of Covered Entity’s obligations under the Privacy Rule, comply with the requirements as they apply to Covered Entity in the performance of such obligations.
12. utilize a Limited Data Set, if practicable, when using, disclosing, or requesting PHI. Otherwise, Eko shall use, disclose or request only the Minimum Necessary PHI to accomplish the purpose of the use, disclosure, or request.

5. Obligations of Covered Entity. With regard to the use and disclosure of PHI by Eko, Covered Entity agrees to:
   1. provide Eko with the notice of privacy practices that Covered Entity produces in accordance with the Privacy Rule, as well as inform Eko of any changes in said notice that may affect Eko’s use and disclosure of PHI.
   2. obtain any patient authorizations or consents that may be required under state or federal law or regulation in order to transmit PHI to Eko and to enable Eko and its subcontractors and agents to use and disclose PHI as contemplated by this BAA and any Underlying Contracts, including consents and authorizations relating to mental illness, HIV, substance use disorders, and other particularly sensitive conditions.
   3. inform Eko of any changes in, or revocation of, permission by the Individual to use or disclose PHI, if such changes may affect Eko’s use or disclosure of PHI. 
   4. notify Eko of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with in accordance with the Privacy Rule, if such restriction may affect Eko’s use or disclosure of PHI.
   5. not request that Eko use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
      
      
6. Term. This BAA shall commence as of the earlier of (i) the Effective Date or (ii) the date Eko first held, transmitted, disclosed, received or created PHI and shall continue in effect until terminated as provided in Section 7 of this BAA.
   
   
7. Termination. This BAA shall terminate when all PHI provided by Covered Entity to Eko, or created or received by Eko on behalf of Covered Entity, is returned to Covered Entity or destroyed, or, if it is infeasible to return or destroy all of the PHI, protections are extended to such information in accordance with the provisions of Section 7.b.
   1. Termination for Cause.  Should a Party become aware of a material breach of this BAA, including without limitation a pattern of activity or practice that constitutes a material breach of a material term of this BAA, the non-breaching Party shall provide the breaching Party with written notice of such breach in sufficient detail to enable the breaching Party to understand the specific nature of the breach.  The non-breaching Party shall be entitled to immediately terminate this BAA and the Underlying Contract associated with such breach if, after the non-breaching Party provides such notice of breach to the breaching Party, the breaching Party fails to cure the breach or end the violation within a reasonable time period from the breaching Party’s receipt of such notice; provided, however, the non-breaching Party shall have the discretion to agree to such longer cure period based on the nature of the breach involved and subject to the HIPAA Laws.
   2. Effect of Termination.  Except as provided in this section, upon termination of this BAA for any reason, Eko shall return or destroy all PHI received from Covered Entity or created or received by Eko or any Subcontractor on behalf of Covered Entity and neither Eko nor any Subcontractor shall retain copies of the PHI.  In the event Eko reasonably determines that returning or destroying the PHI is infeasible, Eko shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Eko shall extend the protections of this BAA to such retained PHI and limit further uses and disclosures of such retained PHI to those purposes that make the return or destruction infeasible, for so long as Eko and its contractors, agents or Subcontractors maintain such PHI.  The respective rights and obligations of Eko set forth within this paragraph shall survive the termination of this BAA, for whatever reason.
      
      
8. MISCELLANEOUS.
   1. Notice.  Any notice required by this BAA to either Party shall be sent by certified mail or electronic mail to the address(es) listed below:

If to Eko: Eko Health, Inc. Attn: Legal Department 2100 Powell Street, Suite 300 Emeryville, California 94608   Email: legal@ekohealth.com

If to Covered Entity: To the address set forth on     the applicable Order Form(s)_______________________

 

1. Survival.  The respective rights and obligations of Eko and Covered Entity under this BAA which by their nature shall survive this BAA shall survive the expiration or termination of this BAA indefinitely, including without limitation Section 4(i) and (j), Section 7(b), and this Section 8(a). 
   
   
2. Interpretation.  The terms of this BAA shall prevail in the case of any conflict with the terms of any Underlying Contract to the extent necessary to allow Covered Entity and Eko to comply with the HIPAA Laws.  Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Laws.  
   
   
3. Relationship of the Parties.  In the performance of the work, duties and obligations described in this BAA, the Parties acknowledge and agree that each Party is at all times acting and performing as an independent contractor and at no time shall the relationship between the Parties be construed as a partnership, joint venture, employment, principal/agent relationship, or master/servant relationship.
   
   
4. No Third Party Beneficiaries.  Nothing in this BAA shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.  Without in anyway limiting the foregoing, it is the Parties’ specific intent that nothing contained in this BAA give rise to any right or cause of action, contractual or otherwise, in or on behalf of any Individual whose PHI is used or disclosed pursuant to this BAA.
   
   
5. Entire Agreement and Amendment.  This BAA constitutes the entire agreement between the Parties with respect to PHI, and may not be modified or amended, except in a writing duly signed by authorized representatives of the Parties.  As the requirements of HIPAA may be modified from time to time, the Parties agree to negotiate in good faith amendments to this BAA as needed to ensure continued compliance with HIPAA and its implementing regulations as determined by the Parties’ respective counsel.
   
   
6. Waiver.  No provision of this BAA may be waived except by an agreement in writing signed by the waiving party. A waiver with respect to one event will not be construed as continuing, or as a bar or waiver of any right or remedy as to subsequent events.  
   
   
7. Headings.  The headings of each section are inserted solely for purposes of convenience and shall not alter the meaning of this BAA.
   
   
8. Governing Law.  The Parties hereby agree that this BAA shall be governed by, and construed in accordance with, the laws of the state of California, without giving effect to its conflicts of law principles and hereby submit themselves to the jurisdiction and venue of the federal and state courts of California. 
   
   
9. Counterparts. This BAA may be executed in multiple counterparts, which shall constitute a single agreement, and by facsimile or pdf signatures, which shall be treated as originals.