MightyWELL Health Business Enrollment

THIS ADMINISTRATIVE SERVICES AGREEMENT (“Ag reement”), dated as of is entered into by and between the undersigned “Client” (“C lient”), and Planstin Administration, Inc., a Utah corporation (“P lanstin”) (Client and Planstin may be referred to herein individually as a “P a rty” or collectively as the “P a rties” Client desires to retain Planstin to perform administrative services for Client and Planstin is willing to perform such services, on terms set forth more fully below. In consideration of the mutual promises contained herein, the Parties agree as follows:

1. SCOPE AND SERVICES. Client retains and hires Planstin to provide general health benefit administration services and other related or additional services as set forth in Schedule A on behalf of Client (the S ervices” Client shall promptly provide to Planstin all information requested by Planstin prior to Planstin providing the Services so that Planstin may properly perform the Services outlined in Schedule A. Additionally, Planstin may perform the Services and such acts as are reasonably necessary related thereto based upon Planstin’s reasonable interpretation of the plan documents, but Client shall retain all discretionary authority related to the underlying health benefit plans such that Client retains ultimate decision making authority and retains all duties as the Plan Fiduciary as defined under ERISA, and in no event shall Planstin be deemed to have assumed any fiduciary obligations as a Plan Fiduciary.

2. TERM. The term of this Agreement shall be from the Effective Date and will continue for the period of time indicated in Schedule A, attached hereto and incorporated hereby. (the “Term

3. INDEPENDENT CONTRACTOR STATUS. It is the Parties’ intent that Planstin at all times, and with respect to all Services covered by this Agreement, function as and remain an independent contractor, and not an employee or officer of Client, and neither party shall represent to third parties that Planstin is an employee or officer of Client. (a) Client shall be responsible for the payment of all taxes on amounts received from Planstin for the Services or payment remitted. Planstin will regularly report amounts paid to Client by filing Form 1099 MISC with the Internal Revenue Service, as required by law. No part of Planstin’s or Client’s fees or payment will be subject to withholding by Client for payment of any social security, federal, state or other employee payroll taxes. Client agrees to indemnify and hold Planstin harmless from any liability for, or assessment of, any such taxes imposed on Client by relevant taxing authorities; (b) Planstin will determine the method, details, and means of performing the administrative Services. Client shall have no right to, and shall not control, the manner or determine the method of accomplishment of the administrative Services, though it may define the Services to be performed. Such Services may be amended, from time-to-time, by the Parties by written agreement, signed by the Planstin and Client, provided that Planstin does not hereby assume any role as a Plan Fiduciary; (c) Planstin may, at Planstin’s own expense, employ such administrators or subcontractors as Planstin may deem necessary to perform the Services. Client shall not control, direct or supervise the work of Planstin’s administrators or subcontractors or employees in the performance of Services. Planstin assumes full and sole responsibility for the quality of Services provided by the Planstin’s administrators, subcontractors or employees, for the payment of all compensation and expenses of these administrators, subcontractors and employees, for state and federal income taxes and other applicable payroll taxes and withholding that may be required with respect to such administrators, subcontractors or employees, and for the provision of all benefits and insurance, including without limitation, worker’s compensation insurance, to such administrators, subcontractors or employees.

4. CLIENT RESPONSIBILITIES. Client shall be responsible to:

(a) Provide Planstin with accurate information relating to all plan participants and any other appropriate information requested by Planstin; (b) Promptly inform Planstin of the addition or deletion of persons covered under the plan administered under this Agreement; and (c) Promptly fund or provide for funding of any and all health benefit plans administered pursuant to this Agreement. Client understands that Planstin will not, in any event, fund any health plan benefits administered pursuant to this Agreement and Client shall retain sole responsibility for funding such plans.

5. FEES. As consideration for the Services provided by Planstin, Planstin shall retain the collected Service Fee(s) described in Schedule A to this Agreement (“S ervice F ee” The Parties acknowledge that payment for the Services provided hereunder is consistent with the fair market value of such Services and is not conditioned in any way on the volume or value of any business (i) between Client and any other party, or (ii) resulting, directly or indirectly, from any of the Services.

6. COSTS & EXPENSES; SELF-FUNDED BENEFITS; INVOICES; PAST DUE AMOUNTS.

(a) Client shall be responsible for all costs related to the health benefits administered by Planstin (the Ben ef it s”) such that Client qualifies as a self-funded health care benefit employer. (b) Upon the termination or expiration of this Agreement, all unpaid charges, costs and expenses, whether invoiced or not as of such time, shall become immediately due and payable. (c) No refunds shall be issued to Client in the event of a termination or suspension of this Agreement.

7. SUSPENSION/TERMINATION OF SERVICES.

(a) Planstin has the right to suspend performance of Services upon fifteen (15) days’ written notice to Client of Client’s failure to pay Planstin or any other breach of this Agreement. Such suspension shall continue until the breach is cured or this Agreement is terminated. (b) Planstin may terminate this Agreement if Client fails to cure any breach hereof within fifteen (15) days of written notice from Planstin. (c) Client shall not be entitled to any reimbursement, refund, or return of any amounts paid to Planstin hereunder as a result of the termination of this Agreement by Planstin for Client’s breach. (d) Planstin may terminate this Agreement for any reason upon thirty (30) days’ written notice to Client.

8. Roles, LIABILITY & INDEMNIFICATION.

(a) Planstin does not insure nor underwrite the liability of Client under the plans administered under this Agreement. Client acknowledges and agrees that: (a) Client is the fiduciary under the plans, pursuant to the Employee Retirement Income Security Act of 1974 ; (b) the services provided by Planstin to the plans shall be performed within the framework established by the Client; (c) the Client retains the ultimate responsibility for claims made under the plans, COBRA compliance, the purchase of stop-losscoverage, the filing of Form 5500 and all expenses incident to the plans; (d) the Client retains the exclusive discretionary authority and control to manage and otherwise administer the plans and the disposition of its assets, and (e) with the exception of payments made by Client to Planstin in satisfaction of any administrative fees, Planstin will act as a mere financial intermediary, or commercial conduit with respect to any funds provided by Client to Planstin pursuant to this Agreement, and Planstin shall not be considered an initial transferee of those funds, as those terms are applied to Section 550 of Title 11 of the United States Code.

Except to the extent Planstin is otherwise indemnified by a third party, Client agrees to indemnify Planstin and hold Planstin harmless against claims for insurance premiums, taxes, penalties, employee benefits and any and all losses, damages, expenses, costs or liabilities, including reasonable attorneys’ fees and court costs, arising out of claims brought against Planstin 1) to recover benefits under the plans, 2) to recover damages for failure to pay such benefits, including any purported lost discounts, or 3) in connection with any other action or claim relating to the plans, including, without limitation, any action for recovery of amounts paid to Planstin for the plans (with the exception of payments in satisfaction of administrative fees), whether under Sections 544, 547, and 548 of Title 11 of the United States Code or otherwise, unless such losses, damages, expenses, costs or liabilities are incurred solely as a result of the negligence or willful misconduct of Planstin. (b) Except to the extent Planstin is otherwise indemnified by a third party, Client agrees to indemnify Planstin and hold Planstin harmless for penalties levied by the federal government against Planstin for failure to provide all social security numbers and HICNs (when applicable) of Client’s plan participants to the centers for Medicare and Medicaid services, pursuant to the Medicare, Medicaid and SCHIP Extension Act. This section will not apply when such failure is based on the negligence of Planstin. Planstin agrees to send a letter to Client on a quarterly basis regarding the necessary social security numbers. (c) Any regulatory or governmental assessment, tax, fee or penalty assessed or imposed on Planstin (except to the extent such a penalty is assessed or imposed as a result of Planstin’s negligence or willful misconduct), as a result of the existence of the plans or Planstin’s administration of the plans, will be the responsibility of the Client. (d) Planstin shall not be liable to Client for any claim which is asserted by Client more than one (1) year after Client is aware or should have been reasonably aware of such claim, provided that in no event will Planstin be liable to Client for any claim, regardless of Client’s awareness of such claim, which is asserted by Client more than twenty-four (24) months after the event resulting in damage or loss. (e) The provisions contained within this Section 8 shall survive termination of this Agreement.

9. ASSESSMENTS, TAXES, PENALTIES AND GOVERNMENTAL FEES. Subject to Section 8 herein, all assessments will be paid in accordance with and will be the responsibility of the applicable party set forth or otherwise prescribed in the regulation or other applicable law governing the applicable assessment. To the extent the regulation or other applicable law does not identify the responsible party, the following guidelines shall be used to determine the party responsible for the payment of such assessment: (i) Assessments directly related to the payment for medical care will be processed and paid in the same manner as claims paid in accordance with the terms of the applicable plan. As such, these assessments are not the responsibility of Planstin; (ii) Residency taxes and/or fees will be billed to and paid by the Client as a separate line item on its monthly bills. As such, these taxes and/or fees are not the responsibility of Planstin; (iii) Planstin license fees that are charged as a result of doing business, as well as Planstin’s corporate taxes, will be the responsibility of Planstin; (iv) Except to the extent otherwise agreed upon between Planstin and a third party, nothing in this section shall preclude Planstin from passing through to the Client any applicable assessment, tax, penalty or fee for which the responsible party cannot be determined based on the foregoing.

10. CONFIDENTIAL INFORMATION. Planstin and Client acknowledge that each may receive confidential

information during Planstin’s performance of the Services. Neither Party shall, without the prior written consent of the other: (i) use or disclose to any third party any details regarding Planstin or Client or Planstin’s or Client’s business, including, without limitation, any information regarding any of the Planstin’s or Client’s customer information, business plans, or price points (the “C o nfidential Information”), (ii) make copies of any Confidential Information or any content based on the concepts contained within the Confidential Information for personal use or for distribution, or (iii) use the Confidential Information other than solely for the benefit of the other Party; except that Planstin may disclose Confidential Information to persons who may be designated to work with Planstin in order to provide the Services.

11. HIPAA PRIVACY AND SECURITY POLICIES. Both Parties shall comply with (i) the HIPAA Privacy and Security Policies and Procedures set forth in Schedule B hereto to the extent applicable to either Party by virtue of its being a “Business Associate” of the other Party; and the Business Associate Agreement set forth in Schedule C hereto, to ensure compliance with all applicable HIPAA regulations.

12. TRADE SECRETS. The Parties acknowledge and agree that they shall not use or distribute any of the other Party’s trade secrets related to this Agreement, including any formula, pattern, compilation, program, device, method, technique, process, financial data, or list of actual or potential customers or suppliers that derives independent economic value from not being generally known to or readable ascertainable by other persons, and covenant not to do so during the Term, unless such trade secrets are disclosed in accordance with U.S.C. § 1833 (b

13. NON-DISPARAGEMENT. The Parties covenant and agree that they will not, during the Term or afterwards, either directly or indirectly, disparage the other Party or any of the other Party’s affiliates, owners, directors, managers, officers, employees, agents, or invitees or any of their family or friends.

(a) The Services are not to be construed in any way whatsoever as legal advice or of a legal nature. (b) PLANSTIN HEREBY DISCLAIMS AND EXPRESSLY WAIVES ANY AND ALL WARRANTIES, WHETHER

EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. ALL SERVICES ARE PROVIDED “AS I S.” PLANSTIN IS PROVIDING SERVICES TO ASSIST CLIENT. CLIENT IS RESPONSIBLE FOR REVIEWING INFORMATION ASSOCIATED WITH THE SERVICES AND THE RESULTS OBTAINED FROM ITS USE OF THE INFORMATION ASSOCIATED WITH THE SERVICES. NOTHING IN THIS AGREEMENT, AND NOTHING IN PLANSTIN’S STATEMENTS TO CLIENT, MAY BE CONSTRUED AS A PROMISE OR GUARANTEE ABOUT THE POTENTIAL OUTCOME OF UTILIZING THE SERVICES OR THE BENEFITS OR THE SUCCESS OF CLIENT’S BUSINESS. PLANSTIN’S ENTIRE LIABILITY AND CLIENTS’ SOLE AND EXCLUSIVE REMEDY FOR ANY BREACH OF THIS WARRANTY IS FOR PLANSTIN, UPON RECEIPT OF WRITTEN NOTICE, TO USE DILIGENT EFFORTS TO CURE A BREACH.

(c) UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL EITHER PARTY TO THIS AGREEMENT, OR THEIR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL, PUNITIVE OR OTHER SIMILAR DAMAGES, INCLUDING LOST PROFITS, LOST SALES OR BUSINESS, BUSINESS INTERRUPTION OR ANY OTHER LOSS INCURRED BY THE OTHER PARTY OR SUCH THIRD PARTY IN CONNECTION WITH THIS AGREEMENT OR THE CONSULTING SERVICES, REGARDLESS OF WHETHER A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.

15. SEVERABILITY. Wherever possible, each provision of this Agreement shall be interpreted in such a manner as to be effective and valid under applicable law. Any provision of this Agreement that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction.

16. ENTIRE AGREEMENT; MODIFICATION. This Agreement contains the full and complete agreement between the Parties with respect to the within subject matter and supersedes all other agreements between the Parties whether written or oral relating thereto and may not be modified except by a written instrument executed by both the Parties.

17. AMENDMENTS AND WAIVERS. This Agreement may be only be amended by a writing signed by the Parties.

18. NOTICES. Any notice required or permitted by this Agreement shall be in writing and shall be deemed sufficient upon receipt, when delivered personally, via electronic mail or by courier or overnight delivery service, or three (3) days after being deposited in the regular United States mail as certified or registered mail (airmail if sent internationally) with postage prepaid, if such notice is addressed to the Party to be notified at such Party’s address or facsimile number presently known to the other Party, or as subsequently modified by written notice.

19. LEGAL FEES. If any dispute arises between the Parties with respect to matters covered by this Agreement, the prevailing Party in any such dispute shall be entitled to receive its reasonable attorney fees, other professional service provider fees and out-of-pocket costs incurred in connection with such dispute, in addition to any other relief to which it may be entitled.

20. COUNTERPARTS; DIGITAL ACCEPTANCE AND ELECTRONIC SIGNATURE. This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which together will constitute one and the same instrument. In lieu of a physical signature on this Agreement, Planstin may obtain Client’s consent and agreement to the terms set forth herein through Planstin’s online enrollment platform and Client’s electronic representation of having reviewed and accepted the terms herein shall be binding on Client and Client shall be bound by the terms of this Agreement immediately upon Client’s electronic acceptance and consent to the terms hereof as if Client’s physical signature appeared below.

21. ADVICE OF COUNSEL. EACH PARTY ACKNOWLEDGES THAT, IN EXECUTING THIS AGREEMENT, SUCH PARTY HAS HAD THE OPPORTUNITY TO SEEK THE ADVICE OF INDEPENDENT LEGAL COUNSEL AND HAS READ AND UNDERSTOOD ALL OF THE TERMS AND PROVISIONS OF THIS AGREEMENT. THIS AGREEMENT SHALL NOT BE CONSTRUED AGAINST ANY PARTY BY REASON OF THE DRAFTING OR PREPARATION HEREOF.

22. GOVERNING LAW; DISPUTES; VENUE. This Agreement shall in all respects be subject to the laws of the United States and the State of Utah. If a dispute, controversy or claim arises out of or relates to this Agreement, or the breach thereof, the exclusive jurisdiction and venue for dispute resolution will be the Fifth Judicial District Court in Washington County, Utah.

IN WITNESS WHEREOF, the Parties have executed and/or electronically consented and agreed to the terms

set forth in this Agreement as of the day and year first written above.

NOTIC E: This Agreement does not affect any immunity under 18 USC Sections 1833(b) (1) or (2), which read as follows (note that for purposes of this statute only, individuals performing work as contractors or consultants are considered to be employees): (1) An individual shall not be held criminally or civilly liable under any Federal or State trade secret law for the disclosure of a trade secret that (A) is made (i) in confidence to a Federal, State, or local government official, either directly or indirectly, or to an attorney; and (ii) solely for the purpose of reporting or investigating a suspected violation of law; or (B) is made in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal. (2) An individual who files a lawsuit for retaliation by an employer for reporting a suspected violation of law may disclose the trade secret to the attorney of the individual and use the trade secret information in the court proceeding, if the individual (A) files any document containing the trade secret under seal; and (B) does not disclose the trade secret, except pursuant to court order.

NOTIC E R EQUIRED F OR M ICHIGAN RESIDENTS: Client shall provide written notice to each individual covered by a plan related to this Agreement, which written notice shall contain the following information: (1) What benefits are being provided; (2) Of changes in benefits; (3) The fact that individuals covered by the plan are not insured or are only partially insured, as the case may be; (4) If the plan is not insured, the fact that in the event the plan or Client does not ultimately pay medical expenses that are eligible for payment under the plan for any reason, the individuals covered by the plan may be liable for those expenses; (5) The fact that Planstin merely processes claims and does not insure that any medical expenses of individuals covered by the plan will be paid; and (6) The fact that complete and proper claims for benefits made by individuals covered by the plan will be promptly processed but that in the event there are delays in processing claims, the individuals covered by the plan shall have no greater rights to interest or other remedies against Planstin than as otherwise afforded them by law.

Benefit administration of self-funded plans (which plans are more particularly described in Schedule D and in the corresponding plan documents). Benefit administration services includes general management of plan sponsor’s benefits, including company setup, plan sponsor’s employee enrollments, plan sponsor’s employee maintenance, COBRA notices and administration, combined billing, claim processing, claim payments and assistance with the preparation and filing of 1094/1095 forms. Client shall provide Planstin with all information necessary to complete all such forms. In the event Client fails to timely provide Planstin with any information requested by Planstin to complete such forms, Planstin will not complete or file the same and Client shall be solely responsible for the filing of such forms. Planstin’s benefit administration services do not include any services or actions as a Plan Fiduciary and Client retains all duties as Plan Fiduciary. Any benefits or services will be billed to the plan sponsors directly based on agreed rates.

The Term of the Agreement shall be one (1) year beginning on the Effective Date and continuing until the date that is one (1) year thereafter (“Initial Term”), after which the Agreement shall automatically renew for successive 1-year periods (each a Renewal Period”), unless either Party provides written notice to the other Party of its intent to not renew the Agreement at least sixty (60) days prior to the end of the then current term.

In consideration for the Services provided by Planstin, Client shall pay to Planstin the following fees (check all applicable fees):

• See Breakdown of third-party compensation attached as Addendum I to Schedule A
• Rates are subject to change at annual anniversary or renewal of administration services based on claims experience, associated costs and market trends. Other Fees Associated:

• Greater of $25 or 1% of invoice late payment fee,** if payment not received by the 10th of the month.
• $25 non-sufficient funds fee, returned ACH or check payments.
• $25 monthly invoicing and collection fee, when not on reoccurring payment plan.
• 3% convenience fee for credit card transactions of monthly benefits.

*Please make checks payable to Planstin Administration. ACH payment draft available and preferred. **Payment is due by the 1st of every month. Planstin reserves the right to cancel for non-payment.

The rates payable during the Initial Term of the Agreement for the plans and benefits administered under this Agreement shall be as set forth in the applicable plan documents. All unused amounts from any claim fund, as set forth in the applicable plan documents, shall be applied to reinsurance premiums at the end of each annual term. At termination of the Agreement, any unused claim funds shall be applied to reinsurance premiums. 

15. SEVERABILITY. Wherever possible, each provision of this Agreement shall be interpreted in such a manner as to be effective and valid under applicable law. Any provision of this Agreement that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction.

16. ENTIRE AGREEMENT; MODIFICATION. This Agreement contains the full and complete agreement between the Parties with respect to the within subject matter and supersedes all other agreements between the Parties whether written or oral relating thereto and may not be modified except by a written instrument executed by both the Parties.

ADDENDUM I TO SCHEDULE A: THIRD-PARTY COMPENSATION DISCLOSURE

The following parties may receive compensation in excess of $1,000.00 related to Client’s health benefits plan and are hereby disclosed pursuant to ERISA Section 408(b2):

1. ASSIGNMENT OF HIPAA PRIVACY/SECURITY OFFICER. Client’s Primary Contact (as identified in Client’s Enrollment Form), or such other party designated in writing in the Enrollment Form has been designated as the “HI PAA Officer” for Client (the “C ompany”, “our” or “we”) and is charged with, and granted authority to, establish, implement, and enforce these “P olicies and P rocedures” for the security and privacy of our patients’ protected health information (“P HI

2. RISK ASSESSMENT. HIPAA Officer is responsible for conducting annual HIPAA privacy and security risk assessments. The assessment may be completed with the assistance of other employees as deemed necessary by HIPAA Officer. Additional risk assessments may be necessary each time (i) new software or hardware is acquired and placed in service; (ii) when a new service or procedure is initiated; (iii) when there is a significant change in an existing service or procedure; or (iv) when there is a change or addition to the physical layout of our office. HIPAA Officer will complete a “Risk Assessment Form” for each completed risk assessment. A sample Risk Assessment Form is attached hereto as Ad d en d u m I.

3. PERIODIC REVIEW OF REGULATIONS. HIPAA Officer will periodically, but at least quarterly, review the DHHS’s HIPAA website to determine if there have been any changes in the HIPAA rules and regulations and to determine if any changes or modifications to these Policies and Procedures is necessary due to changes in HIPAA rules, regulations or regulatory interpretations.

4. EMPLOYEE TRAINING. HIPAA Officer shall organize and hold trainings with all employees and contractors as deemed necessary by HIPAA Officer, but at least (i) when each employee or contractor is hired by Company; (ii) annually with all employees and contractors; and (iii) in the event of any material change or addition to these Policies and Procedures.

5. PHYSICAL ACCESS TO BUILDING AND FACILITIES WHERE PHI IS STORED. Employees and contractors access

Company’s office(s) via the main entrance or “employee” entrance. The main entrance is locked after hours and is unlocked each morning at 8:00. The office Sales Associate for each office has the key to both entrances and is responsible for unlocking main entrance each morning. The “employee” entrance is accessed only via key. Employees, contractors, or service personal may gain entrance through the employee” entrance by knocking on the door.

6. CONFIDENTIALITY OF ALL FORMS OF PHI. All PHI regardless of its form, mechanism of transmission, or storage is to be kept confidential. Only individuals with a business need to know are allowed to view, read, or discuss any part of a patient’s PHI. During initial new hire orientation, and at annual HIPAA training, employees and contractors are reminded that any viewing, reading, or discussions of PHI that is not for business purposes is prohibited. An employee or contractor who violates this confidentiality policy will be subject to sanctions, including immediate termination. All employees are required to verify in writing that they have read and will comply with our policy regarding confidentiality of all forms of PHI.

SECURITY OF ELECTRONIC PHI (E-PHI Employees and contractors whose job functions require access to our computer system will be given a secure, unique password to access the system. Passwords will consist of at least five characters, upper and lower case, alpha numeric and shall be changed at least every ninety (90) days. Access will be immediately terminated for employees who leave our employment. All PHI

7. transmitted to third parties will be transmitted on secured lines. The security of transmission lines will be verified via contract with the third party responsible for transmitting the PHI. No digitally stored PHI shall leave Company’s facility without being first encrypted; this includes laptops, flash drive devices, CDs, and e-mail.

8. PATIENT REQUEST FOR ACCOUNTING OF ALL DISCLOSURES. Patients have a right to request an accounting of all disclosures of their PHI made by Company. When a patient makes such a request, HIPAA Officer will be notified, and the patient will be told when the information will be available and given the option of waiting or returning to pick up the data.

9. PATIENT REQUEST FOR RESTRICTION OF PHI PAID FOR “OUT OF POCKET”. Patients who pay for a procedure, test, or service out of pocket (fully paid for by patient with no reimbursement or additional payment by a third party), have a right to have all information regarding such procedure/test held confidentially and not released to third parties. To exercise this right the patient must: (i) pay for the test/procedure; and (ii) make known to Company the patient’s desire to have information regarding the procedure/test held in confidence and not released to third parties. Any employee who receives such a request must immediately inform HIPAA Officer who will flag the information as being restricted. HIPAA allows for the release of restricted PHI (1) in compliance with a subpoena; (2) in compliance with statutory reporting requirements; or (3) upon receiving an unrestricted, HIPAA compliant authorization for release of medical records from the patient, patient’s legal representative, or executor of deceased patient’s estate.

10. CHARGES FOR COPIES OF MEDICAL RECORDS. Company may charge a reasonable, cost-based fee to a patient requesting copies of medical records, whether such copies are physical paper copies or electronic copies.

11. BUSINESS CONTINUITY. Company will take reasonable measures to prepare any and all physical Company facilities for natural disasters or other events that might lead to the compromise of PHI and ensure that the security measures provided for in these Policies and Procedures are maintained, to the extent possible, during such an event.

12. HIPAA INCIDENT/BREACH NOTIFICATION & INVESTIGATION. Any incident in which the privacy/security of a patient’s PHI may have been compromised will be immediately reported to HIPAA Officer. An incident investigation will be initiated without unreasonable delay. HIPAA Officer may establish an Incident Response Team (IRT) to investigate incidents and determine if the incident rises to the level of a breach. The procedure for conducting a HIPAA incident/breach investigation is set forth in Ad d en d u m I I.

13. SANCTION POLICY. All employees and relevant contractors will receive training regarding Company’s policy for sanctioning employees who violate our HIPAA privacy/security policy. Employees and relevant contractors shall receive training prior to assuming work duties and annually thereafter. Company’s HIPAA sanction policy is set forth in Ad d en d u m I I I.

14. DOCUMENT RETENTION POLICY. All HIPAA documentation such as policies and procedures, Risk Assessment Forms, incident investigations, breach notifications, and training records will be maintained by Company for at least six (6) years.

15. BUSINESS ASSOCIATE AGREEMENTS. Company shall ensure that it has in place a Business Associate Agreement with each and every Business Associate of Company (as defined in Ad d en d u m I I

16. DEFINED TERMS. All capitalized terms not defined in this Exhibit 1 are defined in Addendum I I.

ADDENDUM I TO SCHEDULE B: RISK ASSESSMENT FORM

Risk Assessment Form ( Exam p le) Scoring: 0 = Probability – possible, but not likely 1 = Probability - could happen 2 = Probability - likely to happen, but not guaranteed to happen Probability of Occurrence:Lost laptop (employee takes unencrypted laptop home) Lost paper medical record (employee puts lab reports in pocket and waits 2 until end of day to file reports) Hacker getting into our system and obtaining e-PHI Lost CD or flash drive (employee takes unencrypted flash drives home) Break-in and patient records stolen (Facility specializes in pain 5 management and is located in a high crime area) Patient’s HIV prescription accidentally broadcast to dozens of fax numbers 6 in the system

1. Begin with blank spreadsheet or flip chart and have Risk Assessment Team brainstorm all the possible ways in which the confidentiality of PHI might be breached.

2. List each risk under the risk column, and then as a group assign the probability of the risk occurring at our facility.

3. Take all the “2s” and develop risk interventions that will eliminate or reduce the possibility of the risk occurring. For example; under risk number 2 a policy could be established that all lab reports are filed as soon as they are received; risk number 4 could be reduced to a “0” with the adoption of encryption technology for CDs and flash drives used in the facility; and, risk number 5 could be lowered to a “1” with the addition of better lighting and a monitored security service.

4. Risk number 6 was scored a “0” because the Office Sales Associate had the broadcast function removed prior to putting the software into service.

5. Keep documentation of the meeting to use as a beginning point for next year’s session; check DHHS’s HIPAA web site to determine if other facilities have had breaches that might occur in our facility; perform risk assessment each time new or updated electronic medical records software/hardware is adopted; perform risk assessment any time a new procedure or new clinical technology is adopted; and maintain documentation for at least six years.

6. Keep in mind that the purpose of Risk Assessment is to (i) identify potential risk to PHI, (ii) set the priority for addressing identified risks, (iii) establish risk management interventions to minimize or eliminate identified risks, (iv) test our current risk management interventions to make sure they are still appropriate, and (v) gauge the effectiveness of our HIPAA training.

ADDENDUM II TO SCHEDULE B: HIPAA INCIDENT/BREACH INVESTIGATION PROCEDURE

1. PURPOSE. To distinguish between: (i) cases in which our HIPAA Policies and Procedures were not correctly followed but such violation did not result in the unauthorized release of protected health information (PHI) (referred to as a HIPAA incident); and (ii) cases involving the unauthorized release of PHI and said release resulted in or is reasonably expected to result in financial, reputational or other harm to the patient. This investigation procedure outlines the process for contacting the patient and identifying risk management measures to mitigate identified risks.

(a) “Breach” means the unauthorized acquisition, access, use or disclosure of PHI in a manner not permitted by HIPAA regulations which compromises the security or privacy of the PHI and poses a significant risk of financial, reputational, or other harm to the patient except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. (Also see definition of Incident and Reportable Breach

(b) “Breach Notification” is a HIPAA requirement in which the Covered Entity that has experienced a Breach must notify the patient that the privacy or security of their PHI has been compromised.

(c) “Business Associate” or “BA” is a business organization but not an employee of the CE that performs or assists in the performance of activity involving the use or disclosure of individually identifiable health information; for example, claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management or practice management.

(d) “Commercial Supplier” or “CS” is a business organization that provides services to a CE. While said services do not require CS to directly handle or impact PHI, their presence in the CE’s facility may cause or allow them to come in contact with PHI. A janitorial service is an example of a commercial supplier.

(e) “Commercial Supplier Agreement” is a signed contract or memo of understanding between the CE and Commercial Supplier explaining the CS’s duty to avoid PHI and provides assurances that the CS will instruct their employees regarding their duty to avoid viewing, reading, copying or otherwise obtaining information relating to patients PHI.

(f) “Covered Entity” or “CE” is a healthcare provider, a health plan, or a healthcare clearinghouse.

(g) “e-PHI” is individually identifiable patient Healthcare Information created, stored or transmitted in electronic format.

(h) “Healthcare I nformation” is any information, whether oral or recorded in any form or medium, that: (i) is created or received by a healthcare provider, health plan, public health authority, employer, and (ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.

(i) “HIPAA Officer” is the individual formally assigned the duty to establish, implement, and monitor

the CE’s HIPAA policy and procedures. In small CEs both the Privacy and Security regulations could be

handled by one individual, whereas in a large CE one individual may be assigned as the CE’s HIPAA Privacy Officer and a second individual assigned as the CE’s HIPAA Security Officer.

(j) “Incident” is an actual or suspected unauthorized release, loss, or destruction of PHI but upon complete investigation it is determined by the Incident Response Team that the incident does not represent a significant risk of financial, reputational, or other harm to the individual.

(k) “Incident Response Team” or “I RT” is composed of members of the CE’s staff including at least one (1) key individual with decision making authority. The team is responsible for investigating the actual or suspected unauthorized access, release, or destruction of PHI; making the determination as to whether or not: (1) the incident did in fact occur; (2) whether or not the incident rises to the level of a Breach; (3) identifying appropriate Risk Management interventions to prevent similar re-occurrence; (4) assuring appropriate individuals are notified; and (5) assuring appropriate reports are made to Department of Health and Human Services (DHHS) when a Breach occurs.

(l) “Individually Identifiable Health I nformation” means any protected health information about an individual that can possibly be used to identify that individual and connect him/her to the health information.

(m) “Notification” means the contacting of individual(s) (or if deceased-next of kin or executor of estate) who is the subject of the unauthorized disclosure, release, loss or destruction of their PHI. Notification is required when the incident is determined to rise to the level of a Breach.

(n) “Office of Civil Rights” or “O C R” is the Federal agency authorized by DHHS to investigate claims of HIPAA Privacy or Security breaches.

(o) “Protected Health Information” or “P HI” means Individually Identifiable Health Information created, transmitted or maintained by CE or BA that (i) identifies the individual or offers a reasonable basis for reconstructing said identity, (ii) is created, received, maintained or transmitted by the CE or BA, and (ii) refers to a past, present or future physical or mental condition, healthcare treatment, or payment for healthcare.

(p) “Reportable Brea ch” is an Incident that rises to the level of a Breach. A Breach requires the CE to notify the patient, log the Breach and report all such Breaches to DHHS annually—If five hundred (500) or more individuals are involved in a given Breach then special notification/reporting requirements apply.

(q) “Risk An alysis” is the process by which the CE attempts to (i) identify all ways in which an unauthorized release, loss, access, or destruction of PHI could occur; (ii) determine what risk management protections are currently in place to minimize the likelihood of the identified risk occurring; (iii) assess the current level of risk management protections for each identified risk; (iv) recommend additional privacy or security safeguards as needed; (v) review DHHS’s website for breach events at other CEs that might suggest weaknesses in CE’s privacy/security safeguards; and (vi) assess adequacy of HIPAA training for CE’s staff.

(r) Sanction Policy” is CE’s written employee disciplinary policy that outlines the consequences of an employee’s violation of the CE’s HIPAA Privacy and Security policy and procedures. The sanction policy (clearly states that the CE retains the right to immediately terminate an employee for what the CE determines to be an egregious violation of the CE’s HIPAA Privacy or Security policy/procedures.

(s) “Unsecured PHI” is PHI that is not secured through the use of a technology or methodology specified by HIPAA/HITECH rules or regulations. Generally, it would be e-PHI not secured by encryption, paper or other media containing PHI that has not been shredded or destroyed in a manner that would prevent it from being reassembled.

3. ACQUIRING KNOWLEDGE OF ACTUAL OR SUSPECTED BREACH. There are many ways in which we may become aware of an actual or suspected Breach. Employee training is a major key to the early discovery of a suspected or actual Breach. Early detection will often prevent an incident from becoming a Reportable Breach. As part of employee HIPAA training all employees will be instructed to report any actual or suspected Breach to the HIPAA Officer as soon as it is discovered or suspected. Company will investigate all incidents we become aware of to determine if a breach did in fact occur; to determine steps necessary to mitigate possible damage to patient; to determine risk management interventions necessary to prevent such incidents from reoccurring; and, to provide appropriate notification to patient and report to Department of Health and Human Services (DHHS).

4. UNSECURED PHI—EXCEPTIONS & SAFE HARBORS. HIPAA allows for two (2) exceptions and three (3) safe harbors for the unauthorized release of PHI in which breach notification is not required. The following exceptions are allowed:

(a) when unauthorized access or use of PHI is unintentional and is made by an employee working within the scope of their job in which they would normally be expected to access or use PHI and such access is not continued, enlarged or disclosed by said employee; and

(b) an unintended or accidental disclosure is caused by an employee who is authorized to access, use or disclose PHI at the facility in which they work (our employee) who sends or causes to be sent PHI to another individual in another healthcare facility who is also authorized to access, acquire or use PHI at their facility (an employee of another healthcare facility or other CE) provided the second employee agrees to return or destroy PHI and agrees not to disclose or further access PHI.

The three (3) safe harbors are:

(a) The unauthorized release of e-PHI but the e-PHI is protected by encryption;

(b) The media on which the PHI was stored has been destroyed: (a) paper, film or hard copy media destroyed via shredding, incineration or, for digital/video media, destroyed in such a manner that the PHI cannot be reconstructed (For example; cutting CD into small parts), (b) electronic media destroyed or rendered un-retrievable in a manner consistent with NIST Special Publication 800-88, Guide to Media Sanitization; or

(c) The unauthorized release consisted of health information that was completely de-identified removal of all names, addresses down to zip code, social security numbers, date of birth, phone numbers, case numbers or any other data that might be used to trace back and identify the individual.

Unauthorized releases that fall under these exceptions or safe harbors are not considered a Breach and do not require notification of patient or reporting to DHHS.

5. INCIDENT RESPONSE TEAM (IRT Company has established an Incident Response Team and charged it with the responsibility of investigating HIPAA Incidents. The team is composed of at least one (1) key decision maker, i.e., an individual who is authorized by the organization to make key decisions relative to organizational policy and expenditure of organizational funds, and at least two (2) employees one of whom has line (as opposed to management) responsibility. The following individuals are members of Company’s Incident Response Team:

(a) Key Decision Maker: Client’s Primary Contact

(b) HIPAA Officer: Client’s Primary Contact

(c) Incident Response Team Members: Client’s Primary Contact and such other employee(s) identified by Client.

6. PROCEDURE. Distinguish between a HIPAA Incident and a Breach. Breaches of PHI would require notification of patient and inclusion in the annual report to DHHS. If a Breach involves five hundred (500) or more individual patients then DHHS must be immediately notified and public news media must be advised.

(a) First determine if the Incident/Breach falls within one of the exceptions or safe harbors allowed by

(i) If Yes, document and close file;

(ii) If No, move to subsection 6(b).

(b) Second determine if there has been an impermissible use or disclosure of PHI under HIPAA rules.

(i) If No (there has not been an impermissible use or disclosure of PHI), document rationale and close file. For example, the incident falls under the “Oops!” category or a case in which the individual would not reasonably be able to retain the PHI, such as a visitor glancing at a computer screen containing PHI.

1) Documentation should include date, time and names of Incident Response Team members as well as a brief description of the incident and the reason it was determined the incident was not an impermissible use or disclosure of PHI under HIPAA rules. Include any FAQ from DHHS’s website that was used to support final decision as well as citation to any HIPAA rules or regulations used to make the determination.

(ii) If Yes, move to subsection 6(c).

(c) Third, determine if the impermissible use or disclosure compromises the security or privacy of the PHI, i.e., there is a significant risk of financial, reputational, or other harm to the individual.

(i) If No (this was an Incident that did not rise to the level of a Breach), document your rationale, record this as a HIPAA incident, and close file.

(b) If individual is deceased then notification will be mailed to next of kin or executor of estate.

8. BUSINESS ASSOCIATE NOTIFICATION. If a Business Associate (BA) becomes aware of a breach caused by the BA, our written BA agreement requires the BA to notify us immediately. Our Incident Response Team will conduct the investigation to determine if impermissible disclosure occurred, how to notify the patient, and what steps should be taken to prevent similar incident/breach from reoccurring.

9. DELAY OF NOTIFICATION REQUESTED BY LAW ENFORCEMENT. Notification may be delayed if law enforcement official determine that notification would impede a criminal investigation or endanger national security. The delay request must be in written form and identifies the law enforcement official making the request. The delay can be for no more than thirty (30) days unless a written request for a specific extension is made within the initial 30-day extension by a law enforcement official.

10. ELEMENTS OF THE WRITTEN NOTIFICATION. The patient’s written notification of a breach involving their PHI will contain:

(a) A short description of how the Breach occurred; when it occurred; when we discovered the Breach;

(b) An explanation of the type of PHI involved in the Breach such as patient name (full or partial), diagnosis, treatment, lab/test results, social security number, date of birth, patient’s address, account or case number and/or financial data such as credit card numbers;

(c) Our recommendation(s) to the patient as to the steps he/she should take to protect themselves from identity theft or the unauthorized use of their medical insurance accounts;

(d) An explanation of what we are doing to prevent re-occurrence of such Breaches; and

(e) Information the patient may use to contact us if they have further questions.

11. NOTE REGARDING DETERMINATION OF INCIDENT VS. BREACH. If, after an appropriate investigation has been conducted, it is determined that the Incident did not rise to the level of a Breach, we have the burden of proof, i.e., we must be able, if required at a later time, to demonstrate to DHHS or OCR that the impermissible use or disclosure did not constitute a Breach, and therefore we were not required to notify the patient and include incident in our annual report of Breaches to DHHS. Appropriate documentation of the investigation and the rationale used to make our non-breach (Incident) determination will be maintained for at least six years after the initial non-breach finding. To demonstrate due diligence regarding our desire to comply with HIPAA requirement, we will document all changes in policies/procedures and/or additional staff training that resulted from our investigation into the Incident. We will also include the Incident in our annual risk assessment.

ADDENDUM III TO SCHEDULE B: SANCTION GUIDELINE

LEGAL AND ETHICAL DUTY. Healthcare providers, employees, consultants, business associates and others who have a business reason to create, maintain, view, or transmit confidential data relative to patient’s medical care have a legal and ethical duty to maintain the privacy, security and confidentiality of such medical information. Violation of this duty will result in sanctions being imposed on the responsible party.

FEDERAL PRIVACY AND SECURITY LEGAL REQUIREMENTS. Company requires all employees, as a condition of employment, to receive training regarding their responsibility relative to HIPAA privacy and security standards. All employees must follow established privacy and security policies to ensure the confidentiality, integrity, and availability of all protected health information. All individuals having access to protected health information (PHI) are required to read, sign, and comply with Company’s HIPAA Privacy and Security Policies and Procedures. By signing Company’s HIPAA Privacy and Security Policies and Procedures, each employee acknowledges that both Company and the employee have a legal duty to comply to the best of their ability with Company’s HIPAA Privacy and Security Policies and Procedures.

SANCTIONS FOR BREACH OF PRIVACY AND SECURITY POLICY. An employee(s) who, without a business “need to know,” unintentionally or carelessly views or accesses PHI is subject to an initial verbal warning. This warning is given with an additional warning that repeat of this or similar offense will result in further disciplinary action not to exclude suspension without pay or immediate termination of employment.

An employee(s) who, without a business “need to know,” unintentionally or carelessly views or accesses PHI and then relates portions of the PHI to another individual is subject to an initial written warning. This warning is given with an additional warning that repeat of this or similar offense will result in further disciplinary action not to exclude suspension without pay or immediate termination of employment.

An employee(s) who, without a business need to know, intentionally views or accesses PHI to satisfy personal desire to learn details regarding a patients PHI is subject to immediate termination of employment.

An employee(s) who views or access PHI with malicious intent or desire for personal gain is subject to immediate termination of employment.

NON-RETALIATION POLICY. An employee who, in good faith and belief that a privacy or security policy has been violated, reports such concern to Company HIPAA officer shall not be subject to retaliation, harassment, or intimidation as a result of such communication to HIPAA officer. Should such an employee believe he/she is being harassed by the individual serving as the HIPAA Officer, the employee should report situation to the HIPAA Officer’s immediate supervisor.

THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is made and entered into effective as of (the “Effective Date”), by and between , a company, with its principle place of business at (“Covered Entity”), and Planstin Administration, Inc., a Utah corporation (“Business Associate)

A. Business Associate has agreed to provide certain services for, or on behalf of, Covered Entity under and pursuant to that certain Administrative Services Agreement, of even date herewith (the “ASA”), between Covered Entity and Business Associate, which may require access to, or the use or disclosure of, Protected Health Information.

B. Covered Entity and Business Associate desire to enter into this Agreement in order to ensure compliance by Covered Entity and Business Associate with the requirements of the Health Insurance Portability and Accountability Act of 1996, as amended, the Privacy Standards and Security Standards promulgated thereunder, the Health Information Technology for Economic and Clinical Health Act, included in Division A, Title XIII, Subtitle D of The American Recovery and Reinvestment Act of 2009 (“HI TECH Act”), and any regulations issued pursuant thereto (collectively, “HI P AA” This Agreement will apply only to the extent Business Associate is acting as a “Business Associate” of Covered Entity (and excluding those functions or activities of Business Associate that do not require a business associate agreement

NOW, THEREFORE, in consideration of the mutual promises and other consideration contained herein and in the ASA between the parties, the sufficiency of which is hereby acknowledged, the parties agree as follows:

Certain Defined Terms. For purposes of this Agreement:

Breach” has the same meaning as the term “breach” in 45 CFR § 164.402.

Designated Record Set” has the same meaning as the term “designated record set” in 45

Electronic Protected Health Information” has the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to the information created, received, maintained or transmitted by Business Associate for, or on behalf of, Covered Entity.

Individual” has the same meaning as the term “individual” in 45 CFR § 160.103 and

includes any person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g

Privacy Standards” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E, as amended by the HITECH Act and as may otherwise be amended from time to time.

Protected Health Information” has the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate for, or on behalf of, Covered Entity. As used in this Agreement, Protected Health Information includes Electronic Protected Health Information.

Required by Law” has the same meaning as the term “required by law” in 45 CFR §

Secretary” means the Secretary of the U.S. Department of Health and Human Services or

Security Incident” has the same meaning as the term “security incident” in 45 CFR §

Security Standards” means the regulations found at 45 CFR Part 160 and Part 164,

Subparts A and C, as amended by the HITECH Act and as may otherwise be amended from time to time.

Subcontractor” has the same meaning as the term “subcontractor” in 45 CFR § 160.103.

Unsecured Protected Health Information” has the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402.

1.2. meaning assigning by HIPAA.

Other Terms. Terms used but not otherwise defined in this Agreement will have the

USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION

2.1. or disclose Protected Health Information as necessary to perform its duties, obligations and functions

Permitted Uses and Disclosures. Pursuant to this Agreement, Business Associate may use under the ASA, or as otherwise permitted by this Agreement or the business relationship between the parties, unless such use or disclosure violates HIPAA. Business Associate may also use Protected Health Information for the proper management and administration of Business Associate or to carry out its legal responsibilities. Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out its legal responsibilities only if: (i) the disclosure is Required by Law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person agrees to notify Business Associate immediately of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached. Business Associate will only use and disclose Protected Health Information if such use or disclosure complies with each applicable requirement of 45 CFR § 164.504(e) and would not otherwise violate the requirements of the Privacy Standards if done by Covered Entity.

Individual” has the same meaning as the term “individual” in 45 CFR § 160.103 and includes any person who qualifies as a personal representative in accordance with 45 CFR §

Privacy Standards” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E, as amended by the HITECH Act and as may otherwise be amended from time to time.

Protected Health Information” has the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate for, or on behalf of, Covered Entity. As used in this Agreement, Protected Health Information includes Electronic Protected Health Information.Required by Law” has the same meaning as the term “required by law” in 45 CFR § Secretary” means the Secretary of the U.S. Department of Health and Human Services or Security Incident” has the same meaning as the term “security incident” in 45 CFR § Security Standards” means the regulations found at 45 CFR Part 160 and Part 164, Subparts A and C, as amended by the HITECH Act and as may otherwise be amended from time to time.

Subcontractor” has the same meaning as the term “subcontractor” in 45 CFR § 160.103.

Unsecured Protected Health Information” has the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402.

2.2. meaning assigning by HIPAA.

Other Terms. Terms used but not otherwise defined in this Agreement will have the USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION Permitted Uses and Disclosures. Pursuant to this Agreement, Business Associate may use or disclose Protected Health Information as necessary to perform its duties, obligations and functions under the ASA, or as otherwise permitted by this Agreement or the business relationship between the parties, unless such use or disclosure violates HIPAA. Business Associate may also use Protected Health Information for the proper management and administration of Business Associate or to carry out its legal responsibilities. Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out its legal responsibilities only if: (i) the disclosure is Required by Law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person agrees to notify Business Associate immediately of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached. Business Associate will only use and disclose Protected Health Information if such use or disclosure complies with each applicable requirement of 45 CFR § 164.504(e) and would not otherwise violate the requirements of the Privacy Standards if done by Covered Entity.

3.2. or to the minimum necessary to accomplish the intended purposes of such use, disclosure or request, in accordance with the minimum necessary standards at 45 CFR § 164.502(b) and in any guidance issued by the Secretary.

Protected Health Information to a Limited Data Set (as defined in 45 CFR § 164.514(e2

OBLIGATIONS OF BUSINESS ASSOCIATE

4.1. becomes aware of any use or disclosure of Protected Health Information in violation of this Agreement,

Reporting of Unauthorized Uses or Disclosures and Breaches. If Business Associate

Business Associate will, within twenty (20) business days of discovery, report such information to Covered Entity. Further, if Business Associate becomes aware of any Breach of Unsecured Protected Health Information, Business Associate will report the same in writing to Covered Entity without unreasonable delay, and in no event more than twenty (20) business days of discovery of the Breach, with such report to include identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed to have been, Breached.

4.2. applicable, with the Security Standards with respect to any Electronic Protected Health Information it

Security Standards. Business Associate will use appropriate safeguards and comply, where

creates, receives, maintains, or transmits on behalf of Covered Entity, to prevent the use or disclosure of such information other than as permitted by this Agreement. Business Associate will report to Covered Entity any Security Incident of which it becomes aware within twenty (20) business days of discovery of the Security Incident. Covered Entity acknowledges that Business Associate may, from time to time, experience trivial and unsuccessful security incidents, such as pings and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denials of service and any combination of the above. This Agreement will be sufficient notice of such trivial and unsuccessful security incidents and no further notice of the same will be required. Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any such Security Incident.

4.3. Protected Health Information agrees in a writing, which complies with the requirements of 45 CFR §

Subcontractors. Business Associate will ensure that any Subcontractor to whom it provides

164.504(e2) through (e4), that it will comply with the same restrictions and conditions that apply to Business Associate with respect to such information.

4.4. relating to the use and disclosure of Protected Health Information available to the Secretary for the Books and Records. Business Associate will make its internal practices, books, and records purposes of determining Covered Entity’s compliance with the Privacy Standards. Notwithstanding the above, no attorney-client or other legal privilege will be deemed waived by Business Associate or Covered Entity by virtue of this provision.

Access. If Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate will provide access to such information at reasonable times, at the request of the Covered Entity or, as directed by the Covered Entity, to an Individual (or Individual’s designee), in accordance with the requirements under 45 CFR § 164.524. Business Associate will notify Covered Entity within twenty (20) business days of any request for access by an Individual. Covered Entity will determine whether to grant or deny any access requested by the Individual.

4.6. Information maintained by Business Associate in a Designated Record Set that Covered Entity directs Amendment. Business Associate will make any amendment(s) to Protected Health or agrees to pursuant to 45 CFR § 164.526, within thirty (30) business days of such request. Business Associate will notify Covered Entity within 10 business days of a receipt of any request for amendment by an Individual. Covered Entity will determine whether to grant or deny any amendment requested by the Individual.

4.7. Covered Entity or, at the request of Covered Entity, to the Individual, such disclosures of Protected Accounting of Disclosures. Business Associate agrees to document and make available to Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR § 164.528 and Section 13405(c) of the HITECH Act, and any regulations issued pursuant thereto. Business Associate will notify Covered Entity within twenty (20) business days of a receipt of any request for an accounting of disclosures by an Individual. This Section 3.7 will survive termination of the Agreement.

4.8. or disclosure of Protected Health Information to which Covered Entity has agreed pursuant to 45 CFR Restrictions. Business Associate will comply with any communicated restrictions in the use § 164.522, and will further comply with any Individual’s request for restrictions on Protected Health Information disclosures that Covered Entity or Business Associate is required by law to honor, including without limitation, requests for restrictions on disclosures to a health plan if the disclosure is for payment or health care operations and pertains solely to a health care item or service for which the Individual has paid his or her health care provider out of pocket in full, unless disclosure is otherwise required by law. Business Associate will forward any request for restrictions by an Individual to Covered Entity within twenty (20) business days of such request. Covered Entity will determine whether to grant or deny an Individual’s request for restrictions.

4.9. out any obligation of Covered Entity under the Privacy Standards, Business Associate will agree to Performance of Covered Entity Obligations. To the extent Business Associate is to carry comply with the same Privacy Standard requirements that apply to Covered Entity in the performance of such obligation.

5.1. terminated as provided herein, will expire when the ASA expires or terminates and all of the Protected Term. This Agreement will become effective as of the Effective Date and, unless otherwise Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the Protected Health Information, protections are extended to such information, in accordance with the termination provisions in Section 4.3 below.

Termination. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity will: (i) Provide Business Associate with thirty (30) days in which to cure the breach or end the violation and, if Business Associate does not cure the breach or end the violation within such time period, terminate this Agreement; or (ii) immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible.

5.3. for any reason, Business Associate will within thirty (30) business days of the effective date of the Return of Protected Health Information. Upon termination of this Agreement or the ASA termination notice return all Protected Health Information received from Covered Entity or created by Business Associate on behalf of Covered Entity. If such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to such Protected Health Information and will limit further uses and disclosures of such information to those purposes which make the return or destruction of such information infeasible.

Limitation of Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN,

BUSINESS ASSOCIATE’S TOTAL LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT FOR ANY CLAIMS OF ANY NATURE WILL NOT EXCEED THE AMOUNT OF SERVICE FEES RECEIVED BY BUSINESS ASSOCIATE UNDER THE ASA DURING THE PRECEDING TWELVE (12) MONTH PERIOD (NET OF REIMBURSABLE EXPENSES IN NO EVENT WILL BUSINESS ASSOCIATE BE LIABLE FOR ANY INDIRECT, SPECIAL, EXEMPLARY, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE BREACH THEREOF, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, LOST DATA, BUSINESS INTERRUPTION OR OTHER ECONOMIC LOSS. THE LIMITATION OF LIABILITY SET FORTH IN THIS SECTION 5.1 WILL APPLY EVEN IF COVERED ENTITY HAS BEEN ADVISED OF

THE POSSIBILITY OF SUCH DAMAGES AND SHALL SURVIVE ANY TERMINATION OF THIS AGREEMENT.

6.2. permitted to be delivered, given or otherwise provided under this Agreement must be in writing and Notices. All notices, requests, demands, claims and other communications required or must be delivered, given or otherwise provided: (a) by hand (in which case, it will be effective upon delivery); (b) by facsimile or e-mail during normal business hours (in which case, it will be effective upon receipt of confirmation of good transmission); or (c) by overnight delivery by a nationally recognized courier service (in which case, it will be effective on the business day after being deposited with such courier service), (x) if to Covered Entity: to the address and email listed under Client’s contact information in Client’s Enrollment Form, and, if to Business Associate: Planstin Administration Inc., 1506 S Silicon Way, Suite 2B, Saint George, Utah 84770 , Attention: Nathan Udy, E-mail: nathan@planstin.com. A party may change its address or any portion thereof for purposes of this Section 5.2 by giving notice to the other party as provided above, but such notice of change in address will be effective only upon actual receipt by the other party.

6.3. any breach or default by the other party in the performance by the other of its obligations hereunder Waiver; Consents. No consent or waiver, express or implied, by either party hereto or of will be valid unless in a writing signed by the party to be charged thereby, and no such consent or waiver will be deemed or construed to be a consent or waiver to or of any other breach or default in the performance by such other party of the same or any other obligations of such party hereunder. Failure on the part of either party to complain of any act or failure to act of the other party or to declare

Termination. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity will: (i) Provide Business Associate with thirty (30) days in which to cure the breach or end the violation and, if Business Associate does not cure the breach or end the violation within such time period, terminate this Agreement; or (ii) immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible.

5.3. for any reason, Business Associate will within thirty (30) business days of the effective date of the Return of Protected Health Information. Upon termination of this Agreement or the ASA termination notice return all Protected Health Information received from Covered Entity or created by Business Associate on behalf of Covered Entity. If such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to such Protected Health Information and will limit further uses and disclosures of such information to those purposes which make the return or destruction of such information infeasible.

Limitation of Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN,

BUSINESS ASSOCIATE’S TOTAL LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT FOR ANY CLAIMS OF ANY NATURE WILL NOT EXCEED THE AMOUNT OF SERVICE FEES RECEIVED BY BUSINESS ASSOCIATE UNDER THE ASA DURING THE PRECEDING TWELVE (12) MONTH PERIOD (NET OF REIMBURSABLE EXPENSES IN NO EVENT WILL BUSINESS ASSOCIATE BE LIABLE FOR ANY INDIRECT, SPECIAL, EXEMPLARY, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE BREACH THEREOF, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, LOST DATA, BUSINESS INTERRUPTION OR OTHER ECONOMIC LOSS. THE LIMITATION OF LIABILITY SET FORTH IN THIS SECTION 5.1 WILL APPLY EVEN IF COVERED ENTITY HAS BEEN ADVISED OF

THE POSSIBILITY OF SUCH DAMAGES AND SHALL SURVIVE ANY TERMINATION OF THIS AGREEMENT.

6.2. permitted to be delivered, given or otherwise provided under this Agreement must be in writing and Notices. All notices, requests, demands, claims and other communications required or must be delivered, given or otherwise provided: (a) by hand (in which case, it will be effective upon delivery); (b) by facsimile or e-mail during normal business hours (in which case, it will be effective upon receipt of confirmation of good transmission); or (c) by overnight delivery by a nationally recognized courier service (in which case, it will be effective on the business day after being deposited with such courier service), (x) if to Covered Entity: to the address and email listed under Client’s contact information in Client’s Enrollment Form, and, if to Business Associate: Planstin Administration Inc., 1506 S Silicon Way, Suite 2B, Saint George, Utah 84770 , Attention: Nathan Udy, E-mail: nathan@planstin.com. A party may change its address or any portion thereof for purposes of this Section 5.2 by giving notice to the other party as provided above, but such notice of change in address will be effective only upon actual receipt by the other party.

6.3. any breach or default by the other party in the performance by the other of its obligations hereunder Waiver; Consents. No consent or waiver, express or implied, by either party hereto or of will be valid unless in a writing signed by the party to be charged thereby, and no such consent or waiver will be deemed or construed to be a consent or waiver to or of any other breach or default in the performance by such other party of the same or any other obligations of such party hereunder. Failure on the part of either party to complain of any act or failure to act of the other party or to declare

legal and other counsel, and has consulted with and been advised by such counsel, and the terms and conditions contained herein have been arrived at by arm’s length negotiations between the parties. The parties hereto intend that rules of interpretation or construction of contracts that would construe any ambiguity herein against the draftsman, by virtue of being the draftsman, will not apply. 6.11.Governing Law; Venue; Attorneys’ Fees. This Agreement will be governed by the laws of the State of Utah, without regard to the principles of conflicts of law thereof. Subject to the provisions of Section 5.13 hereof, all actions, suits or other proceedings with respect to this Agreement will be brought only in a court of competent jurisdiction sitting in the State of Utah. In any civil action, arbitration or other proceeding brought to enforce the terms hereof, or to redress a breach of a term hereof, the more prevailing party will be entitled to payment from the less prevailing party of its reasonable attorneys’ fees and expenses in addition to any damages or other relief to which it may become entitled.

6.12.Counterparts; Digital Acceptance and Electronic Signature. This Agreement may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. In making proof with respect to this Agreement, it will be necessary to produce only one copy hereof signed by the party to be charged. The parties may deliver executed counterpart signature pages to this Agreement by facsimile transmission, by electronic mail in .pdf form, or by any other electronic means intended to preserve the original graphic and pictorial appearance of a document, and such delivery will have the same effect as physical delivery of the paper document bearing an original signature. n lieu of a physical signature on this Agreement, Planstin may obtain Client’s consent and agreement to the terms set forth herein through Planstin’s online enrollment platform and Client’s electronic representation of having reviewed and accepted the terms herein shall be binding on Client and Client shall be bound by the terms of this Agreement immediately upon Client’s electronic acceptance and consent to the terms hereof as if Client’s physical signature appeared below.

6.13.Dispute Resolution. Any dispute, claim or controversy between or among the parties to this Agreement, whether arising in contract, tort or by statute, including but not limited to controversies or claims that arise out of or relate to this Agreement and any dispute or claim concerning the existence, validity, interpretation, performance, breach or termination of this Agreement and all claims of arbitrability (any of the foregoing, a “Dispute”) will be resolved exclusively as follows:

a) Upon the written demand of either party hereto, the Dispute will then be submitted to mediation administered by the American Health Lawyers Association or its successor (“AHLA”) in accordance with its rules for mediation. Representatives of the parties with authority to settle the matter will participate in the mediation. The mediator will be selected and appointed in accordance with such AHLA rules, and the mediation will be conducted in the State of Utah. Each party may be represented by one or more attorneys or other selected representative(s) of its choice. Each party will bear and pay equally the fees and expenses of AHLA and the mediator associated with the mediation, and each party will bear its own attorneys’ fees, costs and other expenses in connection with the mediation (except as may be otherwise agreed upon in writing by the parties If no amicable resolution or settlement of the Dispute is reached during the mediation process within sixty (60) days after it commences, then upon the written demand of either party, the Dispute will be submitted to final and binding arbitration, which will be conducted expeditiously and completed within one

a) hundred twenty (120) days after being submitted for arbitration. The arbitration will be governed by the Federal Arbitration Act (9 U.S.C. §§ et seq Unless otherwise agreed in writing by the parties,the arbitration will be administered by the AHLA and conducted by a single arbitrator in accordance with the AHLA Rules of Procedure for Commercial Arbitration then in effect. The arbitrator will be selected and appointed in accordance with such AHLA rules, and the arbitration will be conducted in the State of Utah. Each party may be represented by one or more attorneys or other selected representative(s) of its choice. Each party will bear and pay equally the fees and expenses of AHLA and the arbitrator associated with the arbitration, and each party will bear its own attorneys’ fees, costs and other expenses in connection with the arbitration, except as may be otherwise awarded by the arbitrator as contemplated in Section 5.11. The arbitration award will be final and binding, and judgment on it may be entered by any court of competent jurisdiction. If the arbitrator determines that this Agreement or any part thereof (whether this Agreement itself or together with the other relationships between or involving the parties) is illegal, invalid, unenforceable, void or voidable, then the arbitrator will determine and effectuate an equitable modification of this Agreement that complies with applicable law and that approximates as closely as possible the economic arrangements and position of the parties hereunder.

b) During the pendency of any such mediation or arbitration and until final judgment thereon has been entered, this Agreement will remain in full force and effect unless otherwise terminated as provided hereunder, and each party is required to continue to perform obligations under this Agreement pending final resolution of a Dispute arising out of or relating to this Agreement. All privileges under applicable state and federal law, including attorney-client and work-product privileges, will be preserved and protected to the maximum extent that such privileges would be protected in a federal or state court proceeding applying Utah law. The arbitration proceedings and arbitration award will be maintained by the parties as strictly confidential, except as is otherwise required by court order or as is necessary to confirm, vacate or enforce the award and for disclosure to the parties’ respective officers, directors, employees, equityholders, attorneys, accountants, lenders, acquirers and prospective lenders and acquirers (and advisors of the foregoing The provisions of this Section 5.13 will survive expiration or other termination of this Agreement regardless of the cause of such termination. This Section 5.13 will not preclude either party from seeking, or a court of competent jurisdiction from granting, a temporary restraining order, temporary injunction or other equitable relief to remedy any breach or to enforce applicable terms of this Agreement to compel mediation or arbitration or upon the occurrence of any attempted assignment of a party’s interests in this Agreement in breach of the provisions of this Agreement.

c) BY AGREEING TO BINDING ARBITRATION PURSUANT TO THIS SECTION 5.13, THE PARTIES IRREVOCABLY AND VOLUNTARILY WAIVE ANY RIGHT THEY MAY HAVE TO A TRIAL BY JURY IN RESPECT OF ANY DISPUTE.

IN WITNESS WHEREOF, the Parties have executed and/or electronically consented and agreed to the terms set forth in this Agreement as of the day and year first written above.

Client agrees to adopt a group health plan for the benefit of its eligible employees and, if applicable, their eligible dependents (the “Plan” The costs of the Plan Benefits may be paid by Client or by a combination of Client and the employees.

Planstin’s base health plans include minimum essential coverage (MEC) which is designed for employers to comply with the “A” tax under the Affordable Care Act. Upon request Planstin can make available a customizable medical plan which is designed for employers to comply with the “B” tax under the Affordable Care Act.

By choosing to self-fund or level-fund your company medical, dental and/or vision plan Client intends to create an employer sponsored plan under the Employment Retirement Income Security Act (“ERISA”) and the Patient Protection and Affordable Care Act (“PPACA”

Level-funded plans provide coverage for claims using the monthly Claim Fund Amount (set forth in Schedule A Claim costs in excess of the Claim Fund Amount shall be submitted to the reinsurance company selected by Planstin and Client, with no additional funds required from Client. In compensation for this service, all unused amounts from the Claim Fund Amount shall be applied to reinsurance premiums provided through Greystone Risk, Inc. or such other reinsurance provider selected and agreed to by Planstin and Client.

The MEC plan will satisfy the “A” tax, otherwise known as the ‘hard tax’ under the Patient Protection and Affordable Care Act (“PPACA” The MEC alone DOES NOT satisfy the “B” tax, otherwise known as the ‘soft tax.’ This tax is applicable only when an eligible employee receives a premium subsidy on a health exchange and employed by an Applicable Large Client (ALE) as outlined by the Affordable Care Act (“PPACA” Generally, this applies to employers with more than 50 employees or full-time equivalent employees.

Planstin may request additional information from Client during the enrollment and on-boarding process and Client agrees to fully cooperate and provide such information as Planstin requests. A successful enrollment and approval process is contingent on Planstin’s receipt and acceptance of accurate information.

Monthly contributions will be due per the plan enrollments selected. Although not anticipated, it is also understood that expenses for any other professional services, such as tax, legal and estate planning services, are not included in the above fee

Reoccurring monthly payments by credit card or bank account draft are required and will be processed based upon the payment information set forth in Schedule D. Planstin may cancel or charge additional administrative fees if not on a reoccurring payment plan. Medical Plans (level-funded or self-funded) or ancillary benefits are billed directly by administrator or carrier of plan. Payments are due by the firs

Planstin has designed its unique self-funded programs to help employers and employees comply with the Affordable Care Act and provide important benefits to their employees. If the prefunding claims option is selected, the prefunding of claims may not meet funding requirements. Although highly unlikely, and due to the low risk nature of the Preventative & Wellness Plan, it is NOT anticipated that any extra funds are required by the Client for employees’ medical costs. However, as a self-funded employer, you are responsible for additional claims costs not covered by reinsurance, if any.

Standalone dental or vision plans require a minimum of the greater of 5 or 25% of eligible employees. Standalone plans are dental or vision benefits without a base health plan.

Client gives Planstin the ability to enter into the necessary agreements on its behalf to implement the selected benefits, including, but not limited to; Human Resource Compliance Software, Telemedicine Services, the purchase of stop-loss insurance and network access.

Please signify your understanding and acceptance of the terms and conditions of this Agreement and Acknowledgement by signing below.

Applicant Confirmation and Approval

Client Representative Signature

Here’s how recurring payments work:

• It’s convenient
• Saves you time and money
• Your payment is always on time

• You authorize monthly payments of your monthly invoices
• Payments will draft on the 1 of each month
• Credit card payments for monthly recurring payments will be assessed a 3% convenience fee

Credit Card Payment Information (3% convenience fee will be charged for monthly payments)

authorize Planstin and if applicable assigned third

party administrator to charge my bank account indicated above.

Client Representative Signature

I understand that this authorization will remain in effect until I cancel it in writing, and I agree to notify Planstin in writing of any changes in my account information or termination of this authorization at least 15 days prior to the next billing date. If the above noted periodic payment dates fall on a weekend or holiday, I understand that the payment may be executed on the next business day. I understand that because this is an electronic transaction, these funds may be withdrawn from my account as soon as the above noted periodic transaction dates. In the case of an ACH Transaction being rejected for Non-Sufficient Funds (NSF) I understand that Planstin may at its discretion attempt to process

the charge again within 30 days, and agree to an additional $25 charge for each attempt returned NSF which will be initiated as a separate transaction from the authorized recurring payment. I acknowledge that the origination of ACH transactions to my account must comply with the provisions of U.S. law. I agree not to dispute this recurring billing with my bank so long as the transactions correspond to the terms indicated in this authorization form.