Patient Pattern Terms and Conditions

1. Definitions

a. "Authorized User" means Customer's clinicians, administrators, and interdisciplinary care staff whose duties require access to or use of the Licensed Product. Customer shall not appoint a third party as an Authorized User. 

b. "Documentation" means any related user documentation, in written, electronic or other format, that accompanies the Patient Pattern software and that Patient Pattern generally provides to licensees of the Patient Pattern software.

c. "Privacy Laws" means the Health Insurance Portability and Accountability Act (1996) and any amendments or implementing regulations as well as the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009) (HITECH Act) and any amendments or implementing regulations.

d. "Intellectual Property Rights" means all current and future worldwide common law and statutory rights of a Party to intellectual property, whether arising under the laws of the United States of America, or any other state, country, jurisdiction, government, or public legal authority, in, to, or associated with: (i) patents, patent applications, and invention disclosures; (ii) copyrights, copyright registrations and applications therefor, moral rights, and mask work rights; (iii) the protection of know-how including trade or industrial secrets or other confidential information; (iv) all other intellectual property rights and proprietary rights; (v) trademarks, service marks, and other designations of source or origin; (vi) any analogous rights to those set forth above; (vii) divisions, continuations, renewals, reissuances, and extensions of the foregoing (as applicable); and (viii) rights to apply for, file for, certify, register, record, or perfect any of the foregoing.

e. "Licensed Product" means, collectively, (i) the Software; (ii) any Documentation; and (iii) all updates, upgrades, bug fixes, patches and other modifications to the foregoing items provided by Patient Pattern.

f. "Medicare Compliance" means, if applicable to the Licensed Products and Professional Services provided by Patient Pattern pursuant to the Agreement, the standards and responsibilities Patient Pattern must adhere to as further provided in Exhibit A. 

g. "Professional Services" means the installation, implementation, management, and maintenance services, including but not limited to software integrations, setup, training, written reports, communications, data analysis and other related and necessary information provided by Patient Pattern to Customer as set forth in the SOW.

h. "Software" means the Patient Pattern software licensed herein and described in the SOW.

i. "Start Month" means the date in which the Licensed Products becomes active and usable by Customer, and as further defined in the applicable SOW.

2. License. Subject to the terms and conditions of this Agreement:

a. Patient Pattern hereby grants Customer a nonexclusive, nontransferable, non-sublicensable, revocable, worldwide, right and license to access and use the Licensed Product solely for the intended Purpose. Customer shall be solely responsibility for the accuracy, quality, integrity and legality of Customer's data and the data of its patients and/or members or enrollees, as applicable. This license will terminate immediately upon any termination of this Agreement.

b. Customer hereby grants to Patient Pattern a nonexclusive, worldwide right and license to access and use the Customer Confidential Information for the purpose of providing the Software, Professional Services, and the Licensed Product.

3. Fees and Payment. Customer shall pay Patient Pattern the fees set forth in the SOW for the Software license, the Professional Services, and other agreed upon items provided hereunder. All amounts due to Patient Pattern shall be billed and paid for in the following manner:

a. Upon the full execution of these Terms & Conditions, Customer shall pay to Patient Pattern, and according to the applicable SOW, the estimated fee for the Start Month which shall include: the enrollment fee, as per Customer's enrollment data as of the first of the month from the Effective Date, and all set-up, implementation, integration, and license fee for the first month use of the Licensed Software and Professional Services.

b. After user access has been granted to Customer, Patient Pattern shall invoice Customer for the ongoing user fees as provided in the applicable SOW, which shall be paid in advance, including but not limited to monthly integration fees, monthly provider license fee, and the monthly user fee that shall be measured from the enrollment data for the first day of the Start Month, as provided by Customer.

c. Patient Pattern will invoice Customer for all fees set forth in the SOW and Customer shall pay such undisputed fees within thirty (30) days of the invoice date. The license fees, service fees, and other amounts required to be paid hereunder do not include any amount for taxes (including interest and penalties), and all such taxes will be Customer's responsibility. A fee will only be considered in dispute if Customer has disputed the fee in good faith, and such disputed fees shall not be considered overdue until the dispute has been resolved.

d. Any amount payable under this Agreement that is not paid within thirty (30) days after its invoice date will accrue interest at the rate of one and one-half percent (1.5%) per month (prorated for partial periods) or at the maximum rate permitted by law, whichever is less. Customer will pay Patient Pattern all such interest and costs of collection, including but not limited to, reasonable attorneys' fees and court costs necessary for Patient Pattern to collect any undisputed outstanding amount due and owing. Customer shall ultimately be responsible for insufficient fund fees that may be incurred by Patient Pattern if Customer provides improper or insufficient form of payment to Patient Pattern. 

e. Non-payment by the due date may result in suspension of use of the Software and Professional Services, and Patient Pattern reserves the right to assess additional fees reasonably incurred to resume and re-start Customer's account following any such suspension. Additionally, non-payment by the due date may result in shorter payment terms than provided in section 3(c) above.

f. Patient Pattern fees may or may not include taxes, levies, duties or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, "Taxes"). Customer is responsible for paying all Taxes associated with its purchases hereunder. If Patient Pattern has the legal obligation to pay or collect Taxes for which Customer is responsible under this section, Patient Pattern will include Taxes on the invoice and Customer will pay that amount unless Customer provides Patient Pattern with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, Patient Pattern is solely responsible for taxes assessable against it based on its income, property, and employees.

4. Ownership

a. The Parties acknowledge and agree that the Software was developed exclusively at Patient Pattern's expense and that Patient Pattern is the exclusive owner of the Software, Documentation, Services, and all intellectual property associated therewith, and all ofthe associated Intellectual Property Rights. Any revisions or updates made to the Licensed Product shall be treated for all purposes under this Agreement as Licensed Product and all Intellectual Property Rights therein shall be retained by Patient Pattern. Patient Pattern shall own any de-identified data generated by Patient Pattern pursuant to this Agreement. The Parties acknowledge and agree that all right, title and interest in; and any modifications, enhancements or derivative works created by either Party; and all intellectual property and Intellectual Property Rights associated therewith or embodied therein, will be and remain in Patient Pattern and/or its applicable suppliers.

b. Unless otherwise expressly agreed in writing, all suggestions, solutions, improvements, corrections, and other comments provided by Customer regarding the Software, Documentation, Services, or other Patient Pattern materials provided to Customer shall be owned by Patient Pattern. Nothing in this Agreement shall preclude Patient Pattern from using, in any manner or for any purpose it deems necessary, the know-how, techniques, or procedures acquired or used by Patient Pattern in the performance of Services hereunder.

c. To the extent allowed under applicable law, Customer shall own all Personally Identifiable Information ("PII") including Personally Health Information ("PHI") provided to Patient Pattern ("Customer Information") pursuant to this Agreement and any data generated by the Customer using the Customer Information.

d. Except for the rights set forth herein, this Agreement does not confer on either Party any ownership of or interest in the other Party's products or services. Without limitation, neither Party grants any license or other right under this Agreement to any government or government agency nor can any license or other right be acquired under a government contract or otherwise granted or provided to a government or government agency under this Agreement. The Parties acknowledge and agrees that the Software was developed exclusively at Patient Pattern's expense. Patient Pattern will have the unrestricted and permanent right to use and implement all ideas, advice, recommendations or proposals of Customer provided during the Agreement with respect to the Software in any manner and in any media.

5. Confidentiality.

a. "Confidential Information" includes all information disclosed by either Party, before or after the Effective Date of this Agreement, that is generally not publicly known, whether tangible or intangible and in whatever form or medium provided, as well as any information generated by a Party that contains, reflects, or is derived from such information. In particular, Customer acknowledges that Patient Pattern considers the Licensed Product and Services to be secret and proprietary information of great value to Patient Pattern. 

b. Nothing in this Agreement shall be construed to convey any title or ownership rights in Confidential Information from one Party to the other Party.

c. Each Party shall take every reasonable precaution, but no less than those precautions used to protect its own Confidential Information, to prevent the theft, disclosure, and the unauthorized copying, reproductionor distribution of the Confidential Information.

d. Neither Party shall have any confidentiality obligation with respect to the use or disclosure of such information to others not parties to this Agreement that: (a) is or becomes available to the public through no breach of this Agreement; (b) was previously known by the receiving party without any obligation to hold it in confidence; (c) is received from a third party free to disclose such information without restriction; (d) is independently developed by the receiving party without the use of the Confidential Information of the disclosing party; (e) is approved for release by written authorization of the disclosing party, but only to the extent of such authorization; or (f) is disclosed in response to a valid order of a court or other governmental body of the United States or any political subdivision thereof, but only to the extent of and for the purposes of such order, and only if the receiving party first notifies the disclosing party of the order and permits the disclosing party to seek an appropriate protective order. 

e. The obligations of this section shall survive any termination or expiration of this Agreement.

6. Business Associate Agreement. The parties acknowledge that either Party may be acting as a business associate or a subcontractor business associate to each other regarding the analysis and review of protected health information ("PHI") and, if needed, shall enter into an appropriate business associate agreement to allow information sharing pursuant to the Privacy Laws in the form attached hereto as Exhibit B.

7. Injunctive Relief. Each Party acknowledges that any unauthorized disclosure or use of the Confidential Information would cause the other Party imminent irreparable injury and that such Party shall be entitled to, in addition to any other remedies available at law or in equity, temporary, preliminary, and permanent injunctive relief in the event the other Party does not fulfill its obligations.

8. Warranties and Limitations. Patient Pattern represents and warrants that:

a to Patient Pattern's knowledge, the Licensed Product, when used properly and as expressly authorized by Patient Pattern, does not infringe any valid patent, registered copyright, or other registered intellectual property right under the laws of the United States, provided that Patient Pattern makes no such warranty to the extent that such infringement results from: (i) use or access of the Software by Customer in combination with any data, software, or equipment provided by Customer or any third party that could have been avoided by use or access of the Software without such data, software, or equipment; or (ii) any breach of an agreement by, or any negligent or other wrongful act or omission of, Customer or any party acting on Customer's behalf; and

b it will perform its responsibilities in providing the Software to Customer diligently and in accordance with applicable industry standards. Except as otherwise set forth herein, Patient Pattern makes no warranty of any kind whether express or implied (either in fact or by operation of law), including any implied warranties of merchantability, fitness for a particular purpose and non-infringement, or results to be obtained from the Licensed Product. 

c. Except as expressly provided herein, the Software is provided "AS IS" and Patient Pattern does not warrant that the Software will be error-free or will be provided (or available) without interruption or meet Customer's business or operational needs.

9. Limitation of Liability. PATIENT PATTERN SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES OF ANY KIND AND HOWEVER CAUSED INCLUDING BUT NOT LIMITED TO BUSINESS INTERRUPTION OR LOSS OF PROFITS, BUSINESS OPPORTUNITIES, OR GOODWILL EVEN IF NOTIFIED OF THE POSSIBILITY OF SUCH DAMAGES, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. IN NO EVENT SHALL PATIENT PATTERN, PATIENT PATTERN'S THIRD PARTY LICENSORS OR SUB-CONTRACTORS BE LIABLE UNDER ANY THEORY OF LIABILITY FOR DAMAGES WHICH, IN THE AGGREGATE, EXCEED THE AMOUNT OF THE FEES PAID BY CUSTOMER UNDER THE SOW FOR THE TWELVE (12) MONTHS PRIOR TO THE EVENT THAT GAVE RISE TO THE DAMAGES.

10. No Medical Services. Patient Pattern shall provide installation, training, educational, analytical, and consulting services related only to the access and use of the Licensed Product as set forth in the SOW. Patient Pattern is not providing licensed medical professional services.

11. Support and Maintenance. Upon execution of this Agreement, Patient Pattern will render the support and maintenance services set forth in the SOW in support of the Licensed Product.

12. Marketing.Customer shall not advertise, market, promote, or publicize its use of and access to the Licensed Product without the express written consent of Patient Pattern, which will not be unreasonably withheld.

13. Compliance with Laws/Regulations. Each Party agrees to comply with all applicable federal, state, and local laws and regulations including, without limitation, the provisions set forth on Exhibit A (Medicare and Medicare Advantage) and Exhibit B (Business Associate Agreement, if applicable). In the event that any of the provisions set forth below are inconsistent with the provisions of any of the Exhibits referenced herein, the Exhibits shall control.

14. No Disqualified or Excluded Parties. Each Party represents and warrants to the other Party that, during the term of the Agreement, such Party and each employee, contractor and/or agent of such Party providing services hereunder has not been: (a) convicted of a criminal offense that falls within the ambit of 42 USC Section 1320a-7(a) (e.g., a conviction relating to services or supplies paid for by Medicare, Medicaid or other federal healthcare program), or (b) excluded, debarred, suspended or otherwise ineligible to participate in a federal health care program, including but not limited to Medicare and Medicaid.

15. Term.The term of this Agreement and the license rights granted hereunder will commence upon the date the SOW is signed by both parties or such other date as specified therein, and will continue for the term set forth in the SOW ("the "Initial Term"), after which this Agreement and the license rights granted hereunder will automatically renew for additional one (1) year terms (each a "Renewal Term"; the "Initial Term" and the "Renewal Terms" collectively referred to herein as the "Term") unless either Party gives the other written, non-renewal notice at least thirty (30) days prior to the end of the Initial Term or any Renewal Term. 

16. Termination by Patient Pattern. In addition to the termination rights set forth in the SOW, if any, this Agreement may be terminated by Patient Pattern: (a) if Customer fails to make any payments due hereunder within ten (10) days after Patient Pattern delivers notice of default to Customer; (b) on ten (10) days written notice to Customer if Customer fails to perform any other material obligation required of it hereunder, and such failure is not cured within such ten (10) day period; or (c) Customer files a petition for bankruptcy or insolvency, has an involuntary petition filed against it, commences an action providing for relief under bankruptcy laws, files for the appointment of a receiver, or is adjudicated a bankrupt concern or for any other reason or no reason. 

17. Effect of Termination. Upon termination or expiration of this Agreement, Patient Pattern shall have no further obligation or liability hereunder and all fees due under the Agreement shall become due and payable by Customer to Patient Pattern immediately upon such termination.

18. Other Remedies.Termination of this Agreement or any service created hereunder shall not limit either Party from pursuing other remedies available to it, including injunctive relief, nor shall such termination relieve Customer's obligation to pay all fees that have accrued or are otherwise owed by Customer under this Agreement.

19. Third Party Liability. Except as otherwise set forth herein, none of the provisions of this Agreement will be for the benefit of, or enforceable by, any third party.

20. Assignment.Neither Party will assign this Agreement without the prior written consent of the other Party, provided that either Party may assign this Agreement with no less than ninety (90) days prior notice as part of a corporate reorganization, consolidation, merger, change of control with respect to its outstanding stock, or sale of substantially all of its assets, and provided further that the assigning Party and the assignee will remain liable for any unperformed obligations under this Agreement arising prior to the effective date of any such transaction, and any attempt to assign this Agreement not in according this this Section shall be null and void.

21. Entire Agreement.This Agreement, including the SOW and the Exhibits attached hereto contains the entire understanding of the Parties with respect to the Licensed Product and the Professional Services and supersedes any prior agreements or understandings among the Parties with respect to the subject matter hereof. This Agreement may be only amended by a written document signed by all Parties. There are no representations, warranties, or obligations of any Party not expressly contained herein.

22. Notices. Any notice required under this Agreement shall be given in writing and shall be deemed effective upon delivery to the Party to whom the notice is addressed and specified in the SOW. Any notice of material breach shall clearly define the breach including the specific contractual obligation that has been breached.

23. Force Majeure.Neither Party shall be liable to the other Party for any delay or failure to perform its obligations hereunder if such delay or failure arises from any cause or causes beyond the reasonable control of such Party, which shall include, without limitation, acts of God, floods, fires, global pandemic, loss of electricity or other utilities, or delays by either Party in providing required resources or support or performing any other requirements hereunder.

24. Severability and Reformation. Each provision of this Agreement is a separately enforceable provision. If any provision of this Agreement is determined to be or becomes unenforceable or illegal, such provision shall be reformed to the minimum extent necessary in order for this Agreement to remain in effect in accordance with its terms as modified by such reformation. 

25. Independent Contractor. The relationship between the Parties is that of an independent contractor for all purposes, and the Parties acknowledge and agree that neither shall be involved in the management or operations of the other and neither shall have the power or authority to control the activities of the other. Neither Party nor any agent, officer, employeeor subcontractor of such Party is an agent or employee of the other Party. The Parties intend that nothing contained in this Agreement be construed to create a joint venture, partnership, or like relationship between the Parties, and their relationship is and will remain that of independent parties to a contractual service agreement. Neither Party will be liable for the debts or obligations of the other Party.

26. Choice of Law. This Agreement shall be governed and interpreted by the Laws of the State of New York without regard to the conflicts of law provisions of any state or

jurisdiction. The Federal District Court for the Western District of New York or any state court in Erie County, New York will be the exclusive venue for any resolution of any dispute. The parties hereby submit to and consent irrevocably to the jurisdiction of such courts for these purposes.

27. Headings.Section headings are for convenience only and will not affect the meaning of this Agreement.

28. Draftor. Despite the possibility that one Party or its representatives may have prepared the initial draft of this Agreement or any provision hereof, neither Party shall be deemed the drafter of this Agreement and no provision hereof shall be construed in favor of one Party on the ground that such provision was drafted by the other.

29. Survival. The following Sections of this Agreement will survive termination and continue in force: 1, 3-5, 8-9, 17-29.

Exhibit A

Medicare Advantage Compliance

To the extent Patient Pattern is deemed a first tier, downstream or related entity in accordance with 42 C.F.R. Parts 422 and 423, (the "FDR") hereby agrees to this Medicare Compliance Addendum (the "Compliance Addendum"). In the event of any conflict or inconsistency between the terms of this Exhibit A and the terms of the Agreement or any applicable policies, procedures, guidelines, or modifications of this Agreement, the terms of this Exhibit A shall apply. Any term not defined herein shall have the meaning set forth in the Agreement.

The Parties acknowledge that Customer may be required to produce, upon the request by CMS or its designees, governing bodies and participating network plans any books, contracts, records related to the Medicare Advantage program with regard to any Medicare Advantage services furnished or arranged for under Customer's delegated arrangement. As may be applicable to, and consistent with, Customer's Medicare Advantage oversight program, as well as CMS and Federal requirements, FDRs are required to comply with the following:

1. Compliance with Medicare Laws, Regulations, and CMS Guidance: FDR agrees to comply with all applicable Medicare laws, regulations, and CMS instructions. Regulations: 42 C.F.R §§ 422.504(i)(4)(v) and 423.505(i)(4)(iv)

2. Medicare Standards of Conduct and Policies and Procedures:FDR agrees to make available Standards of Conduct and policies and procedures to all of its employees who provide administrative services for the Customer's Medicare business pursuant to this Agreement at the time of hire and annually thereafter. FDR may either provide (a) the Customer's Standards of Conduct and policies and procedures to FDR's employees, or (b) FDR's own comparable Standards of Conduct and policies and procedures to FDR's employees. Regulations: Medicare Managed Care Manual ("MMC Manual"), Chapter 21, §§ 50.1.3 and 50.3.1; and Medicare Prescription Drug Benefit Manual ("PDB Manual"), Chapter 9, §§ 50.1.3 and 50.3.1 MCA 1.2020.v.2

3. Conflict of Interest: FDR agrees to comply with the Customer's Conflict of Interest Policy or its own Conflict of Interest Policy that complies with CMS requirements. If requested by Customer, FDR will require its governing body, officers, and senior leadership (as applicable) to sign a conflict of interest upon the Effective date, and annually thereafter, certifying that they are free from any conflict of interest related to Medicare. Regulations: 42 C.F.R. §§ 422.503(b)(4)(vi)(A) and (C) and 423.504(b)(4)(vi)(A), (C) & (F)

4. Fraud, Waste, and Abuse ("FWA") and General Compliance Training: FDR agrees that all of its employees who provide administrative services or health care services for Customer's Medicare business pursuant to the Agreement participate in FWA and general compliance training within 90 days of hire and annually thereafter. Regulations: MMC Manual, Chapter 21, § 50.3.2; PDB Manual, Chapter 9, § 50.3.2; 42 C.F.R. §§ 422.503(b)(4)(vi)(A) and (C) and 423.504(b)(4)(vi)(A), (C) & (F)

5. Reporting Compliance and FWA Concerns: FDR agrees to report compliance or FWA concerns to CMS or Customer. Reporting should occur within five (5) days of discovery; if there is an immediate impact to beneficiary access to care and/or a financial strain, please report immediately but at least within twenty-four (24) hours. FDR also agrees to inform Customer within five (5) days of discovery of any pending lawsuits, investigations, audits, or other enforcement actions against FDR by or on behalf of any state or federal government agency related to the Licensed Products provided by FDR under this Agreement, or of any legal, governmental, or other action or event which may impair FDR's ability to perform any duties or obligations under the Agreement. Customer has a no-tolerance policy for retaliation or retribution against any employee or FDR for good-faith reporting of FWA. Regulations: 42 C.F.R. §§ 422.503(b)(4)(vi)(D) and 423.504(b)(4)(vi)(D)

6. Enforcement of Disciplinary Standards: FDR agrees to establish, or has established, its own disciplinary standards, which include its expectation that employees report compliance issues and unethical or illegal behavior. FDR's disciplinary standards must state that any violation of these standards will result in appropriate disciplinary action, up to and including termination of employment. FDR's violation of this provision may result in the Customer's termination of the Agreement. Regulations: 42 C.F.R. §§ 422.503(b)(4)(vi)(E) and 423.504(b)(4)(vi)(E)

7. Exclusion from Participation in Federal Programs:Pursuant to Federal law, FDR certifies that neither it nor any of its employees or governing body members are on any list of excluded individuals or entities, or its equivalent (collectively, "LEIE"), maintained by the: (a) U.S. Treasury Office of Foreign Assets Control (OFAC); (b) Office of Inspector General (OIG); or (c) U.S. General Services Administration (GSA). If an employee or governing body member is on any LEIE, FDR will immediately remove that person from any work related directly or indirectly to any Federal healthcare program. FDR agrees to check the Federal exclusions lists prior to hire and on a monthly basis to ensure that none of its employees have become excluded from participation in Federal programs. The term "employees" includes temporary employees, volunteers, and consultants. If applicable, FDR will establish a process to identify and prevent payment for claims at point-of-sale for any drugs or services prescribed, dispensedor delivered by excluded providers. Regulations: 42 C.F.R. §§ 422.503(b)(4)(vi)(F), 422.752(a)(8), 423.504(b)(4)(vi)(F), and 423.752(a)(6), and 42 C.F.R. § 1001.1901. Additionally, FDR shall not employ or contract with any individual or entity who is excluded from participating in Medicare under Sections 1128 or 1128A of the Social Security Act (or with an entity that employs or contracts with such an individual or entity) for the provision of any Licensed Product or Professional Services applicable to Medicare under this Agreement, including but not limited to, (i) healthcare services; (ii) utilization review; (iii) medical social work; or (iv) administrative services; and must notify Plan immediately if any such excluded individual or entity provides or performs a delegated function on behalf of Customer. Regulations: 42 C.F.R. §§ 422.224 and 422.752(a)(8)

8. Record Retention: FDR agrees to maintain, or assure the maintenance of timely and accurate medical, financial, and administrative records, books and contracts related to the Licensed Product and Professional Services provided by this Agreement and as part of any delegated function, as well as the Customer's contract with CMS. Unless a longer time period is required by applicable statutes or regulations, FDR agrees to maintain such records and any related contracts for ten (10) years from the final date of the Plan's contract with CMS, the delegated arrangement period, or from the date of the completion of any audit, whichever is later, or otherwise as required by CMS. FDR agrees to comply with any CMS required document requests by Customer pursuant to an audit or to monitor FDR's compliance with the terms of this Exhibit A. Regulations: 42 C.F.R. §§ 422.504(d), 422.504(e), 422.504(i)(4)(iii), 423.504(d)(2), 423.505(i)(4)(iii)

9. Audit Rights and Access to Records: FDR agrees to allow the Department of Health and Human Services (HHS), CMS, the Comptroller General or their designees, regulatory bodies, and Customer, to audit, evaluate, collect and inspect and make copies of any books, contracts, computer or other electronic systems, including medical records and patient care documentation, and other records maintained by the FDR pertaining to Licensed Products and Professional Services provided pursuant to this Agreement and are related to the Customer's contract with CMS and Customer services rendered to the Members under the delegated arrangement. This right to audit, evaluate, collect, make copies of and inspect any pertinent information for any particular contract period will exist through ten (10) years, from the final date of the contract period, the delegated arrangement period, or from the date of completion of any audit, whichever is later, or otherwise as required by CMS. Regulations: 42 C.F.R §§ 422.504(d), 422.504(e), 422.504(i)(2)(i), 422.504(i)(2)(ii) and 422.504(i)(2)(iv), 422.504(i)(4)(iii), and 423.505(d)(2), 423.505(i)(2), 423.505(i)(2)(ii), 423.505(i)(2)(iv) and 423.505(i)(4)(iii) FDR's failure to comply with this section could result in referral to law enforcement and/or implementation of corrective action. Regulations: 42 C.F.R. Subpart O

10. Hold Harmless: In no event, including, but not limited to, nonpayment by the Customer or its insolvency, shall FDR bill, charge, collect a deposit from, seek compensation, remuneration or reimbursement from, or have any recourse against the Medicare Members or persons acting on their behalf, other than the Customer for the Licensed Products and Professional Services provided under this Agreement. Regulations: 42 C.F.R §§ 422.504(g), 422.504(i)(3)(i) and 423.505(g)

11. Responsibility and Oversight: Customer maintains ultimate responsibility for adhering to and otherwise complying with all terms and conditions of its contract with CMS and may only delegate activities or functions in a manner consistent with Customer's contractual obligations to CMS. Regulations: 42 C.F.R. §§ 422.504(i)(1), 422.504(i)(3)(ii), and 422.504(i)(3)(iii), 422.504(i)(4), 423.505(i)(3)(ii) and 423.505(i)(4)

12. Monitoring, Delegation, and Revocation: FDR shall comply with all applicable policies and procedures of the Customer's Medicare Advantage agreement with CMS. Customer will oversee and monitor FDR's performance on an ongoing basis. Customer retains the right to approve, suspend, revoke, or terminate the delegated arrangement or any such Agreement with FDR if CMS or Customer determines that FDR has (a) not performed satisfactorily under the terms of the Agreements or this Exhibit, (b) failed to maintain compliance, (c) engaged in FWA or (d) if any FDR reporting and disclosure obligations is not fully met in a timely manner.  Regulations: 42 C.F.R §§ 422.504(i)(4)(ii), 422.504(i)(4)(iii), 422.504(i)(5), 423.505(i)(4)(ii), and 423.505(i)(4)(iii)

13. Flow-Down Provision: FDR shall incorporate the terms of this Exhibit into all subcontracts entered into with any downstream or delegated entity that performs any of FDR's obligations under the Agreement or this Exhibit. Regulations: 42 C.F.R §§ 422.504(i)(3), 422.504 (i)(4)(v), 423.505 (i)(3)(iii), and 423.505(i)(4) MCA 1.2020.v.2

14. Enrollee Records: All information about a Medicare enrollee shall be treated as confidential so as to comply with all applicable federal, state, and local laws, rules, regulations and Medicare confidentiality and enrollee record accuracy requirements including: (1) ensuring that medical information is released only in accordance with applicable federal or state law, or pursuant to court orders or subpoenas, (2) maintaining the records and information in an accurate and timely manner, and (3) if applicable, ensuring timely access by enrollees to the records and information that pertain to them. In addition, FDR agrees to abide by the confidentiality requirements of the Medicare Advantage Program as set forth in 2 C.F.R. §§ 422.118. Regulations: 42 C.F.R §§ 422.504(a)(13) and 422.118 and 423.505(b)(14)

15. Plan's Contractual Obligations: FDR's Licensed Products and Professional Services provided pursuant to the Agreement are consistent and comply with the Customer's contractual obligations. Regulations: 42 C.F.R. §§ 422.504(i)(3)(iii) and 423.505(i)(3)(iii)

16. Amendments Required by Law: If Medicare laws, regulations, or CMS guidance require a change to any provision of this Exhibit, this Exhibit will automatically be deemed amended to conform with the law, regulation, or guidance on the date said requirements become effective. Customer will make reasonable business efforts to notify FDR of those changes, but in no event does any lack of notice change the applicability of federal law.

17. No-Cause Termination: If FDR is a health care provider, Customer's contract with FDR contains a no-cause termination clause, such clause shall provide for at least sixty (60) days' written notice. Regulations: 42 C.F.R §§ 422.201(d)(4)

18. Location of Services: FDR agrees that it shall not perform functions offshore, or delegate functions to offshore entities or persons, without obtaining advanced approval in writing from the Customer and demonstrating compliance with CMS guidelines and Customer policies, terms, and conditions. Additionally, in no event shall Customer information, any enrollee information or Protected Health Information leave the United States or be accessible or viewable outside of the United States without strict information security and privacy agreements, oversight and practices in place.

19. Non-Discrimination: FDR agrees to provide the Licensed Product and Professional Services to Customer without regard to race, ethnicity, national origin, religion, gender, age, mental or physical disability, sexual orientation, genetic information or source of payments. Regulations: MMC Manual, Chapter 4, § 10.5

20. FDR Contracting Requirements: If Customer performs delegated functions as described above, all required Medicare Advantage provisions, including but not limited to those identified at 42 C.F.R. §422.504 and the Medicare Managed Care Manual (MMCM), Chapter 11, Section 100, as amended from time-to-time, apply to FDR contracts that are related to the Agreement.

21. Data and Reporting Requirements: FDR agrees to cooperate with Customer by providing all information necessary for the Customer to meet its Medicare Advantage reporting obligations, including but not limited to, providing data necessary to characterize the context and purpose of each service furnished to Medicare enrollees. Regulations: 42 C.F.R. §§ 422.310, 422.516, 422.2460

22. Enrollee Protection and Continuation of Benefits: In the event of the Plan's insolvency or other cessation of operations, Customer's services to Medicare enrollees, including those delegated to FDR, will continue through the period for which the CMS payment has been paid to Customer, and services to the Medicare enrollees confined in an inpatient hospital on the date of insolvency or other cessation of operations will continue until their discharge. Regulations: 42 C.F.R. §§ 422.504(i)(3)(i), 422.504(g), 422.318(c) and 423.505(g) FDR agrees, that (i) the hold harmless and continuation of benefits provisions above shall survive the termination of the delegated arrangement regardless of the cause giving rise to the termination and shall be construed to be for the benefit of the Medicare enrollee, and that (ii) these provisions supersede any oral or written contrary agreement now existing or hereafter entered into between the Customer and their applicable Medicare enrollees, or persons acting on their behalf, that relates to liability for payment for, or continuation of, covered services provided under the terms and conditions of these clauses.

23. 508 Compliance: If FDR supplies a Medicare enrollee-facing internet website on behalf of Customer, the website must be compliant with Section 508 of the Rehabilitation Act for web-based technology and information standards for people with disabilities: http://section508.gov

Exhibit B

I. Definitions.

For the purposes of this BAA, the following capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA and the HITECH Act.

A. "Designated Record Set" or "DRS" shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 CFR Section 164.501. "Information" shall mean any "health information" as defined in 45 CFR Section 160.103.

B. "Individual" shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 CFR Section 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR Section 164.502(g).

C. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164.

D. "Protected Health Information" shall have the meaning ascribed to this term in 45 CFR Section 160.103, and, for purposes of this BAA, is limited to the information created, received, or maintained by Business Associate for, from, or on behalf of Covered Entity.

E. "Required by Law" shall have the meaning ascribed to this term in 45 CFR Section 164.512.

F. "Secretary" shall have the meaning ascribed to this term in 45 CFR Section 160.103.

II. Confidentiality and HIPAA.

The Parties shall comply with all federal and state laws governing the confidentiality and privacy of health information including, without limitation, the Privacy Standards promulgated pursuant to HIPAA.

A. Obligations of Business Associate

1. Use and Disclosure of Protected Health Information.

Business Associate warrants that Business Associate, its agents and subcontractors: (a) shall use or disclose Protected Health Information only in connection with fulfilling its duties and obligations under this BAA and the Service Agreement; (b) shall not use or disclose Protected Health Information other than as permitted or required by this BAA or required by law; (c) shall not use or disclose Protected Health Information in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Covered Entity; and (d) shall only use and disclose the minimum necessary Protected Health Information for its specific purposes.

Subject to the restrictions set forth in the previous paragraph and throughout this Agreement, Business Associate may use Protected Health Information if necessary for (a) the proper management and administration of Business Associate; or (b) to carry out the legal responsibilities of Business Associate.

Subject to the restrictions set forth in Section II(A)(i) and throughout this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate, provided that: (a) disclosures are required by law; or (b) Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

Business Associate acknowledges that, as between Business Associate and Covered Entity, all Protected Health Information shall be and remain the sole property of Covered Entity, including any and all forms thereof developed by  Business Associate in the course of its fulfillment of its obligations pursuant to the BAA and the Agreement.

Business Associate further represents that, to the extent Business Associate requests that Covered Entity disclose Protected Health Information to Business Associate, such a request is only for the minimum necessary Protected Health Information for the accomplishment of the Business Associate's purpose.

Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate covenants such safeguards shall include, without limitation, implementing written policies and procedures in compliance with HIPAA and ARRA, conducting a security risk assessment, and training Business Associate employees who will have access to Protected Health Information with respect to the policies and procedures required by HIPAA and ARRA.

2. Availability of Books and Records

Business Associate shall permit the Secretary and other regulatory and accreditation authorities to audit Business Associate' s internal practices, books and records at reasonable times as they pertain to the use and disclosure of Protected Health Information received from, created, or received by Business Associate on behalf of Covered Entity in order to ensure that Covered Entity and/or Business Associate is in compliance with HIPAA.

3. Access of Individuals to Information

In order to allow Covered Entity to respond to a request by an Individual for an access pursuant to 45 CFR Section 164.524, Business Associate, within five (5) business days of a written request by Covered Entity for access to Protected Health Information about an Individual contained in a Designated Record Set, shall make available to Covered Entity such Protected Health Information for so long as such information is maintained in the Designated Record Set. If Protected Health Information is stored offsite, Protected Health Information shall be made available to Covered Entity within twenty (20) days of Business Associate's receipt of written request.

In the event any Individual requests access to Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days. Before forwarding any Protected Health Information to Covered Entity, Business Associate shall indicate in the Designated Record Set, any material it deems unavailable to the Individual pursuant to 45 CFR Section 164.524. Any denial of access to Protected Health Information determined by Covered Entity pursuant to 45 CFR Section 164.524, and conveyed to Business Associate by Covered Entity, shall be the responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.

4. Amendment of Information

In order to allow Covered Entity to respond to a request by an Individual for an amendment pursuant to 45 CFR Section 164.526, Business Associate shall, within five (5) business days of a written request by Covered Entity for amend to Protected Health Information about an Individual contained in a Designated Record Set, make available to Covered Entity such Protected Health Information for so long as such information is maintained in the Designated Record Set.

In the event any Individual requests amendment of Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days. Before forwarding any Protected Health Information to Covered Entity, Business Associate shall indicate in the Designated Record Set, any material it deems unavailable to the Individual pursuant to 45 CFR Section 164.526.

Any denial of amendment to Protected Health Information determined by Covered Entity pursuant to 45 CFR Section 164.526, and conveyed to Business Associate by Covered Entity, shall be the responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.

Within ten (10) business days of receipt of a request from Covered Entity to amend an Individual's Protected Health Information in the Designated Record Set, Business Associate shall incorporate any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 CFR Section 164.526.

5. Accounting of Disclosures

In order to allow Covered Entity to respond to a request by an Individual for an accounting pursuant to 45 CFR Section 164.528, Business Associate shall, within five (5) business days of a written request by Covered Entity for an accounting of disclosures of Protected Health Information about an Individual, make available to Covered Entity such Protected Health Information.

At a minimum, Business Associate shall provide Covered Entity with the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the Protected Health Information, and if known, the address of such entity or person; (iii) a brief description of the Protected Health Information disclosed; and (iv) a brief statement of the purpose of such disclosure. In the event any Individual requests an accounting of disclosure of Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days.

Business Associate shall implement an appropriate recordkeeping process to enable it to comply with the requirements of this Agreement.

Business Associate shall support Covered Entity in a manner that enables Covered Entity to meet its obligations under 45 CFR Section 164.528.

6. The provisions of this Section (A) shall survive the termination of this Agreement

B. Obligations of Covered Entity

1. Covered Entity warrants that Covered Entity, its directors, officers, subcontractors, employees, affiliates, agents, and representatives; (i) shall comply with the Privacy Rule in its use or disclosure of Protected Health Information; (ii) shall not use or disclose Protected Health Information in any manner that violates applicable federal and state laws; (iii) shall not request Business Associate to use or disclose Protected Health Information in any manner that violates applicable federal and state laws if such use or disclosure were done by Covered Entity; and (iv) may request Business Associate to disclose Protected Health Information directly to another party only for the purposes allowed by the Privacy Rule.

2. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.

Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.

Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered entity has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

3. The provisions of this Section shall survive the termination of this BAA.

III. Disclosure to Third Parties.

Business Associate shall obtain and maintain an agreement with each subcontractor and agent that has or will have access to Protected Health Information, which is received from, or created or received by, Business Associate on behalf of Covered Entity, pursuant to which agreement such subcontractor and agent agrees to be bound by the same restrictions, terms, and conditions

that apply to Business Associate pursuant to the Agreement with respect to such Protected Health Information.

IV. Reporting of Breaches and Improper Disclosures.

In the event of a Breach (as hereinafter defined) of any Unsecured (as hereinafter defined) Protected Health Information that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall report such Breach to Covered Entity within thirty (30) days. "Breach" shall mean the unauthorized acquisition, access, use, or disclosure of Protected Health Information which compromises the security or privacy of such information. "Unsecured" shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary from time to time.

Notice of a Breach shall include, at a minimum: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach; (ii) the date of the Breach, if known, and the date of discovery of the Breach; (iii) the scope of the Breach; and (iv) the Business Associate's response to the Breach. In the event of a Breach, Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect of such Breach known to Business Associate.

In the event of any use or disclosure that does not constitute a Breach, but that is an unauthorized or improper use or disclosure of any Protected Health Information under this Agreement or applicable laws, Business Associate shall report to Covered Entity such unauthorized or improper use or disclosure as soon as practicable, but in no event later than five (5) business days of the date on which Business Associate becomes aware of such use or disclosure. In such event, Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect that is known to Business Associate of such unauthorized or improper use disclosure.

In the event of any successful Security Incident, Business Associate shall report such Security Incident in writing to Covered Entity within ten (10) business days of the date on which Business Associate becomes aware of such Security Incident.

V. Term and Termination.

A. General Term and Termination

This BAA shall become effective on the Effective Date set forth in the Agreement; and shall terminate upon the termination or expiration of the Agreement, and when all Protected Health Information provided by either party to the other, or created or received by Business Associate on behalf of Covered Entity is, in accordance with Section VI below, destroyed or returned to Covered Entity or, if it is not feasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the terms of this BAA.

B. Material Breach

Where either Party has knowledge of a material breach by the other Party, and cure is possible, the non-breaching Party shall provide the breaching Party with an opportunity to cure. Where said breach is not cured within ten (10) business days of the breaching Party's receipt of notice from the non-breaching Party of said breach, the non-breaching Party shall terminate this BAA and the portion(s) of the Agreement affected by the breach.

In the event that either Party has knowledge of a material breach of this BAA by the other Party, and cure is not possible, the non-breaching Party shall terminate this BAA and the portion(s) of the Agreement affected by the breach.

VI. Return/Destruction of Protected Health Information upon Termination. Upon termination of this BAA for any reason, Business Associate shall:

(a) if feasible, return or destroy all Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity that Business Associate or any of its subcontractors and agents still maintain in any form, and Business Associate shall retain no copies of such information; or

(b) if Business Associate reasonably determines that such return or destruction is not feasible, extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information infeasible, in which case Business Associate's obligations under this Section shall survive the termination of this Agreement.

VII. Amendment.

If any of the regulations promulgated under HIPAA or ARRA are amended or interpreted in a manner that renders this BAA inconsistent therewith, the Parties shall amend this Agreement to the extent necessary to comply with such amendments or interpretations.

VIII. Conflicting Terms.

In the event any terms of this BAA conflict with any terms of the Agreement, the terms of this BAA shall govern and control.

IX. Governing Law.

This BAA shall be governed by and construed in accordance with the laws of the State of Delaware.

X. Notices.

All notices, requests, approvals, demandsand other communications required or permitted to be given under this BAA shall be in writing and delivered either personally, or by certified mail with postage prepaid and return receipt requested, or by overnight courier to the party to be notified. All communications will be deemed given when

received.