MedBot Marketplace
Healthcare Provider User Agreement
(U.S. Based Healthcare Providers – Version 05.2023)


This Healthcare Provider User Agreement (this “Agreement”) is entered into on Form Acceptance Date, (“Effective Date”) by Form Submission User with a primary business address provided on Form Submission (“Practice,” “you,” or “your”) and Medtrix Technologies, LLC dba MedBot (“MedBot” “we,” or “us”), a Florida limited liability company with a principal business address of 360 Central Avenue, Suite 300, St. Petersburg, Florida 33701. This Agreement governs your access to and use of the MedBot Marketplace which shall be strictly in conformance with the terms and conditions set forth in this Agreement.

1. Definitions.

(a) “Affiliate” means any other Person that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, such Person. The term “control” for purposes of this Agreement means the power to direct or cause the direction of the management and policies of a Person, whether through the ownership of voting securities, by contract, or otherwise.

(b) “Agent” means any officer, director, manager, member, shareholder, employee, contractor, consultant, professional advisor or other Persons acting on behalf of or pursuant to an agreement with you.

(c) “Aggregated Statistics” means data and information related to or generated by use of the MedBot Marketplace by Practices, Practice Providers, Product Providers and Patients and which is stored and used by MedBot in an aggregate manner and deidentified in accordance with the HIPAA Privacy Rule’s de-identification standards at 45 CFR § 164.514(a)-(c) and 45 CFR § 164.502(d), including to compile statistical and performance information related to the provision and operation of the MedBot Marketplace as well as Sales Data and Financial Data for Practice’s benefit.

(d) “Authorized User” means your Agents who are authorized by you to access and use the MedBot Marketplace under the rights granted to you pursuant to this Agreement.

(e) “Business Associate Agreement” or “BAA” means the agreement attached hereto as Exhibit C which shall be executed contemporaneously herewith by MedBot and Practice in compliance with HIPAA Rules which generally require that Covered Entities and Business Associates, as those terms are defined in the BAA, enter into contracts with their Business Associates to ensure that the Business Associates will appropriately safeguard Protected Health Information.

(f) “Financial Data” means data visible by Practice on the Healthcare Provider Hub that shows you how much money you are owed as a result of transactions on the MedBot Marketplace and when you will receive the payments, as well as Medbot Fees you have incurred and payment due dates.

(g) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996.

(h) “Logistics Provider” means a company operating in the United States and selected by MedBot that is responsible for fulfillment and logistics, including inventory storage, packing and shipping of all Products ordered by Patient-Buyers and sold by Practice-Sellers on the MedBot Marketplace.

(i) “Marketplace Facilitator” means a Person, including any Affiliate of the Person, that, like MedBot: (i) contracts or otherwise agrees with Marketplace Sellers to facilitate for consideration, regardless of whether deducted as fees from the transaction, the sale of the Marketplace Seller’s products through a physical or electronic marketplace operated, owned, or otherwise controlled by the Person; and
(ii) either directly or indirectly through contracts, agreements, or other arrangements with third parties, collects the payment from the purchaser and transmits all or part of the payment to the Marketplace Seller.

(i) “Marketplace Seller” means a seller, like the Practice, that makes sales through any physical or electronic marketplace operated, owned, or controlled by a Marketplace Facilitator.

(j) “Medbots” means digital product promotions which are sent via text or email to a Patient in accordance with the Patient’s contact information and permissions in the Practice’s EHR system, and which are from a Practice Provider to his or her patient recommending a specific Product or bundle of Products and enabling the Patient to make the purchase through the MedBot Marketplace.

(k) “MedBot Documentation” means Medbot Marketplace’s user manuals, handbooks, and guides whether digital or print relating to the MedBot Marketplace and use thereof by Practice, Practice Providers, Authorized Users and Patients, whether made available electronically or in hard copy form.

(l) “MedBot IP” means the MedBot Software, processes, procedures, methodology, patents, copyrights, tradenames, trademarks, design marks (registered or unregistered), content, imagery, Documentation, and any and all other intellectual property owned by MedBot, including all MedBot IP associated with the MedBot Software and the MedBot Marketplace. For the avoidance of doubt, MedBot IP includes Aggregated Statistics and any information, data, or other content derived from MedBot’s monitoring of access to or use of the MedBot Marketplace, but does not include Practice Data, PHI, PII, or Third-Party Products IP.

(m) “MedBot Marketplace” is a Marketplace Facilitator, using the MedBot Software, which:

(i) facilitates the sale of Products from Product Providers to Practices for resale to Patients;

(ii) transmits the offer and the acceptance between the Patient as buyer and Practice as seller of the purchase and sale of the Products using Medbots.

(iii) engages, directly or indirectly, through one or more Persons, in the following activities regarding the Products sold by Practice-Sellers to Patient-Buyers:

• payment processing services (currently Stripe);
• inventory storage, packing, shipping and other fulfillment services, through one or more Logistics Providers engaged by MedBot;
• listing Products for sale, along with their retail prices, and communicating the same via Medbots sent by the Practice Provider to his or her Patient;
• processing purchases made through the MedBot Marketplace;
• collecting and remitting sales tax as a Marketplace Facilitator on behalf of Practice, if required of MedBot by applicable law; and/or
• processing returns, exchanges and/or refunds of purchases made through the MedBot Marketplace.



(n) “MedBot Fees” means the fees charged to Practice for the use of the MedBot Marketplace and Transactions processed by MedBot, as specified in Exhibit A.

(o) “MedBot Software” means MedBot’s proprietary online non-downloadable middleware which interfaces with Practice Data and electronic commerce applications to enable Practice Providers to efficiently offer to Patients, through e-mail and/or text messaging (after confirming permission to communicate the sale of Products to each Patient in that manner, as required by HIPAA), Products which are selected for each Patient by their Practice Provider, and sold to the Patient-Buyers.

(p) “Patient” means a patient of a Practice.

(q) “Patient-Buyer” means a Patient who purchases one or more Products sold by Practice through the MedBot Marketplace.

(r) “Payment Processor” means the payment processor integrated into the MedBot Software for collecting and processing payments (example: Stripe).

(s) “Person” means any individual, corporation, limited liability company, trust, joint venture, association, company, limited or general partnership, unincorporated organization, Governmental Authority, or other entity.

(t) “Personally Identifiable Information” or “PII” refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.

(u) “Practice Data” means information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Practice, an Authorized User or a Patient- Buyer through the MedBot Marketplace, other than Aggregated Statistics, which data can be provided to MedBot by Practice in several ways: (i) manual entry of data; (ii) exportation of data in bulk, or (iii) if Practice elects to subscribe to the EHR integration option for an additional fees set forth in Exhibit A, automatically through the Practice EHR integration.

(v) “Practice EHR” (aka EMR) means the electronic health (medical) records software utilized by Practice.

(w) “Practice Revenue” means the net revenue payable to the Practice for the resale of Products to Patient-Buyers, as further described in Exhibit B.

(x) “Practice-Seller” means the Practice which uses the MedBot Marketplace to resell Products which the Practice or individual Practice Providers select and recommend to Patient-Buyers.

(y) “Practice” means the healthcare practice that becomes a Marketplace Seller on the MedBot Marketplace and which is a party to this Agreement.

(z) “Practice Provider” means any healthcare professional or individual who works for the Practice and is recognized under HIPAA as administering or delivering direct patient care and who CMS identifies as requiring a National Provider Identification (NPI) number for payment or reimbursement. This typically includes (but is not limited to): physicians, physician assistants, midwives, nurse practitioners, nurse anesthetists, dentists, denturists, chiropractors, clinical social workers, psychologists, psychiatrists, physical therapists, athletic trainers.

(aa) “Practice Provider Price” means the price of a Product that the Practice decides to charge to the Patient-Buyer on the MedBot Marketplace.



(bb) “Product Provider” means a manufacturer or wholesaler of Products which are made available to Practices for resale to Patients using the MedBot Marketplace.

(cc) “Product Provider Price” is the wholesale price that a Product Provider will sell a Product to the Practice.

(dd) “Protected Health Information” or “PHI” shall have the meaning given to such term at 45 C.F.R. §160.103, limited to the information that MedBot creates, receives, maintains or transmits from or on behalf of the Practice.

(ee) “Products” means Third-Party Products that are offered to the Practice for resale utilizing the MedBot Marketplace.

(ff) “Reseller Certificate” (also known as a tax exemption certificate) means a document which allows Product Providers to sell the Products to the Practice without paying local sales tax, serves as evidence that the Practice is purchasing the Products for resale, and which makes the Practice responsible for collecting sales tax from the Patient-Buyers when the goods are sold and remitting it to the tax agencies, which is a task that MedBot Marketplace will process for the Practice in most instances, excepting those jurisdictions where it is not commercially feasible to do so or where the applicable laws and regulations do not permit a MedBot Marketplace to do so.

(gg) “Sales Data” means the data to which you will have access, including data as to the number of Products that are being (i) recommended by each Practice Provider in your Practice, and (ii) sold by which Practice Providers within your Practice.

(hh) “Services” means the Marketplace Facilitator services that MedBot provides to all of the stakeholders using the MedBot Marketplace, including Product Providers, Practices, Practice Providers and Patients.

(ii) “Term” is defined in Section 12.

(jj) “Third-Party Products” means healthcare related products which are manufactured by third-parties and offered to Practice for resale utilizing the MedBot Marketplace, which are generally available without a prescription and over-the-counter, and which MedBot Marketplace does not submit (or facilitate the submission of) for reimbursement by federal health care programs or other third-party payors.

2. Sale of Products using MedBot Marketplace; Practice Revenue.

(a) Provision of Access. Subject to Practice’s compliance with all other terms and conditions of this Agreement, MedBot hereby grants Practice a non-exclusive, non-transferable (except in compliance with Section 13(g)) right to access and use the MedBot Marketplace during the Term solely for use by Authorized Users in accordance with the terms and conditions herein. Such use is limited to Practice’s internal use; no sub-licensing is permitted. MedBot shall provide to Practice and its Authorized Users the necessary user IDs and passwords and network links or connections to enable access and use of the MedBot Marketplace through the Healthcare Provider Hub. Practice is responsible to ensure that its Authorized Users securely guard their passwords to prevent unauthorized use, and to fully comply with all data security terms of its EHR and other technology systems to help ensure security of the MedBot Marketplace.

(b) Documentation License. Subject to the terms and conditions contained in this Agreement, MedBot hereby grants to Practice a non-exclusive, non-sublicensable, non-transferable (except in compliance with Section 13(g)) license to use the Documentation during the Term solely for Practice's internal business purposes in connection with its use of the MedBot Marketplace.



(c) Use Restrictions. Practice shall not use the MedBot Marketplace for any purposes beyond the scope of the access granted in this Agreement. Practice shall not at any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify, or create derivative works of the MedBot Software or Documentation, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the MedBot Software or Documentation; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any component of the MedBot Software, in whole or in part; (iv) remove any proprietary notices from the MedBot Marketplace or Documentation; or (v) use the MedBot Marketplace or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law.

(d) Reservation of Rights. MedBot reserves all rights not expressly granted to Practice in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Practice or any third party any intellectual property rights or other right, title, or interest in or to the MedBot IP.

(e) Service Suspension. Notwithstanding anything to the contrary in this Agreement, MedBot may temporarily suspend Practice's and any Authorized User's access to any portion or all of the MedBot Marketplace if: (i) MedBot determines that (A) there is a threat or attack on any of the MedBot IP; (B) Practice's or any Authorized User’s use of the MedBot IP disrupts or poses a security risk to the MedBot IP or to any Practice, Product Provider, Patient or vendor of MedBot; (C) Practice, or any Authorized User, is using the MedBot IP for fraudulent or illegal activities; (D) subject to applicable law, Practice has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (E) MedBot’s provision of the Services to Practice or any Authorized User is prohibited by applicable law or agency guidance; or (ii) any vendor of MedBot has suspended or terminated MedBot’s access to or use of any third-party services or products required to enable Practice to access the MedBot Marketplace; or (iii) Medtrix has any other good faith grounds to temporarily suspend services (any such suspension described in subclause (i), (ii), or (iii) a “Service Suspension”). MedBot shall use reasonable efforts to provide written notice of any Service Suspension to Practice and to resume Services following Practice’s cure of the event that gave rise to the Service Suspension. MedBot shall have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Practice or any Authorized User may incur as a result of a Service Suspension.

(f) Aggregated Statistics. Notwithstanding anything to the contrary in this Agreement, MedBot may monitor Practice's use of the MedBot Marketplace and collect and compile Aggregated Statistics. As between MedBot and Practice, all right, title, and interest in Aggregated Statistics, and all intellectual property rights therein, belong to and are retained solely by MedBot. Practice acknowledges that MedBot may compile Aggregated Statistics based on Practice Data, Sales Data, Financial Data and other data generated by the MedBot Marketplace. Practice agrees that MedBot may (i) make Aggregated Statistics publicly available in compliance with applicable law, including, without limitation, the HIPAA Privacy Rule’s de-identification standard at 45 CFR § 164.514(a)-(c) and 45 CFR § 164.502(d), and (ii) use Aggregated Statistics to the extent and in the manner permitted under applicable law; provided that such Aggregated Statistics do not identify Patients, Practice, Practice Providers, are not PHI, and do not violate the BAA attached hereto and incorporated herein.

(g) Practice Revenue. Practice shall be entitled to Practice Revenue, in accordance with the terms of Exhibit B.

3. Practice’s Responsibilities.
(a) General. Practice is responsible and liable for all uses of the Services and Documentation resulting from access provided to Persons by Practice, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, Practice is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by Practice will be deemed a breach of this Agreement by Practice. Practice shall use reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Services, and shall cause Authorized Users to comply with such provisions.

(b) Selection of Products. MedBot Marketplace will make Products available to Practice in the form of a digitized catalog from which Practice Providers can select which Products to offer to Patients using Medbots. If an Authorized User orders any Medbot(s) to be created for a Practice Provider or many Practice Providers, the Practice is responsible for the associated MedBot Fees. Practice and Practice Providers are completely and solely in control of which Products from the digitized catalog are recommended to each Patient. If Practice does not wish to select and sell through Medbots any Products, then Practice should not use the MedBot Marketplace.

(c) Professional Responsibility; Product Selections and Recommendations; Indemnification by Practice. Practice acknowledges that the professional duty to its Patients in providing healthcare services, product recommendations, and product sales lies solely with the Practice and its Practice Providers. MedBot Marketplace does not manufacturer the Products, does not take possession of the Products, does not select the Products for resale by Practice, does not make Product recommendations to Patients, and accordingly does not assume any responsibility for any damages to any Persons or property related to or associated with the Products, including but not limited to claims related to the labeling or packaging thereof by Product Providers. The Practice has responsibility for all decisions associated with Products selected by the Practice or Practice Providers to offer and sell to Patients and for ensuring that all recommended Products are appropriate for each Patient for which the Product is recommended, and that all Product Bundles are safe to be used or taken together by the Patient to whom the Product Bundle is recommended. Medbot Marketplace does not input or in any manner alter or update any data in the Practice EHR; therefore, if Practice wants the Practice EHR to include any information about the Products ordered through Medbots by each Patient it must enter that data into its EHR itself. The acts or omissions of Practice, Practice Providers, or their Affiliates or Agents which may result in any liability or damages due to malpractice, product defects, improper labeling, false claims, failure to warn, negligence, illegal activity, or any other act or omission that results in damages to Persons, including but not limited to Patient-Buyers, or to property, shall result in an obligation of Practice to indemnify, defend and hold harmless MedBot and its Affiliates and Agents.

(d) Compliance; Regulatory and Tax. Practice is solely responsible for ensuring that its business and its offering of the Products for resale to Patient-Buyers comply with all applicable laws and regulations and that the Products the Practice selects for resale can be legally offered for resale and marketed to patients via text and email in all states and territories in which such sales are being made using the MedBot Marketplace. PRACTICE ACKNOWLEDGES THAT IT IS SOLELY RESPONSIBLE FOR ENSURING THAT ITS USE OF MEDBOT MARKETPLACE IS IN COMPLIANCE WITH ALL APPLICABLE PROFESSIONAL ETHICAL STANDARDS, AS WELL AS FEDERAL, STATE AND LOCAL LAWS AND REGULATIONS RELATED TO THE MARKETING OF PRODUCTS FOR SALE AND RELATED COMMUNICATIONS VIA TEXT AND EMAIL WITH THE PRACTICE’S PATIENTS (INCLUDING COMPLIANCE WITH HIPAA, THE TELEPHONE CONSUMER PROTECTION ACT (TCPA) AND THE CAN-SPAM ACT), AND RELATED TO REMUNERATION OR OTHER PAYMENTS OR ITEMS OF VALUE RECEIVED BY PRACTICE, ITS EMPLOYEES OR CONTRACTORS, INCLUDING, BUT NOT LIMITED TO,(I) THE FEDERAL ANTI-KICKBACK STATUTE (42 U.S.C. § 1320A-7B(B)) AND THE ASSOCIATED SAFE HARBOR REGULATIONS; AND (II) THE LIMITATION ON CERTAIN PHYSICIAN REFERRALS (STARK LAW) (42 U.S.C. § 1395NN). While MedBot will collect and remit sales tax through the MedBot Marketplace, Practice shall cooperate in a timely manner with MedBot, as needed, to comply with sales tax requirements and Practice shall be responsible for all sales tax filings that it is required to handle as a result of Practice being a Marketplace Seller, including but not limited to Gross Receipts Taxes. Practice shall be responsible for payment of all taxes other than (i) sales tax collected and remitted pursuant to the terms of this Agreement and (ii) tax on MedBot’s income. Practice agrees not to rely on any materials or content provided by or associated with MedBot Marketplace in determining its compliance obligations under any applicable law or regulation.

(e) Passwords and Access Credentials. Practice is responsible for keeping Practice’s Authorized Users’ passwords and access credentials confidential and for advising its Authorized Users to do the same. Practice will not sell or transfer them to any other Person. Practice will promptly notify MedBot about any unauthorized access to your passwords or access credentials.

(f) Practice EHR; Data Accuracy. Practice is responsible, at its cost, for having an active EHR in place and functioning during the Term in order to receive the Services and benefits from the MedBot Marketplace. If Practice elects to subscribe to optional EHR integration, Practice must cooperate with MedBot by authorizing the integration of the MedBot Marketplace with its EHR. The data used by MedBot Marketplace reflects the information provided to MedBot by Practice. To the extent such information is inaccurate and/or incomplete, the data used by MedBot Marketplace will also be inaccurate and/or incomplete.

4. Service Levels and Support. MedBot shall use commercially reasonable efforts to make the Services available 24/7 but there will be downtime after hours and as needed to perform maintenance and upgrades. The access rights granted hereunder entitle Practice to support services, which may be requested by email to support@medbot.com.

5. Payments to Practice Seller; Refund Policy. The Products sold by Practice to Patient-Buyers using the MedBot Marketplace are at the sole discretion of Practice and its Practice Providers. Once a Patient-Buyer has purchased a Product, MedBot Marketplace processes the purchase and the Logistics Provider will pick, pack and ship your Product(s) to the Patient-Buyer. The Patient-Buyer will have thirty (30) days from the date of delivery to request and receive a refund (“Refund Period”), with no requirement to return the Product to the Product Provider, the Logistics Provider, the Practice, or MedBot. Within thirty (30) days after the Refund Period expires, if no refund has been provided, you will receive payment of the Product Provider Price minus the MedBot Fees. If a refund was processed, Practice will not receive Practice Revenue, will not receive a refund of the applicable Credit Card Processing Fee for that Product sale, and will be charged a Refund Processing Fee, as provided in Exhibit A.

6. MedBot Fees and Payment; Taxes.

(a) MedBot Fees; Invoicing. Practice shall pay MedBot Fees without offset or deduction and shall make all payments hereunder in US dollars on or before the due date set forth in Exhibit A. The invoicing process is set forth in Exhibit A.

(b) Credit Card Authorization and ACH Authorization. Practice shall complete the MedBot Credit Card Authorization form and, if applicable, the ACH Authorization form prior to activation of Practice’s subscription to the Medbot Marketplace, which shall authorize MedBot to charge the credit card or withdraw funds via ACH for all MedBot Fees in accordance with the terms of Exhibit A. All MedBot Fees are non-refundable.

(c) Late Payments. If Practice fails to make any payment when due, without limiting MedBot’s other rights and remedies: (i) MedBot may setoff payments to Practice of the Practice Revenue due to Practice, as provided in Exhibit B; (ii) MedBot may charge interest on the past due amount at the rate of 1.0% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (iii) Practice shall reimburse MedBot for all reasonable costs incurred by MedBot in collecting any late payments or interest, including attorneys’ fees, court costs, and collection agency fees; and (iv) if such failure continues for ten (10) business days or more, MedBot may suspend Practice's and its Authorized Users’ access to any portion or all of the Services until such amounts are paid in full; and
(4) MedBot may offset payments due to Provider hereunder to collect on past due invoices.

(d) Taxes. All MedBot Fees and other amounts payable by Practice under this Agreement are exclusive of taxes and similar assessments. Practice is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Practice hereunder, other than any taxes imposed on MedBot's income. Practice is responsible for all Gross Receipts Taxes due on sales facilitated by MedBot Marketplace which are actually sales by Practice which is a Marketplace Seller.

(e) Sales and Use Tax. While each Practice is a Reseller and shall provide a Reseller Certificate to each Product Provider in a timely manner, MedBot Marketplace will operate as a Marketplace Facilitator for sales and use tax purposes on behalf of Practices. MedBot Marketplace will collect and remit sales tax in all states in which sales tax is required to be collected and paid. MedBot Marketplace will be considered the seller for sales and use tax purposes only.

7. Confidential Information. From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media, that is marked, designated, or otherwise identified as “confidential” (collectively, “Confidential Information”). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving Party at the time of disclosure; (c) rightfully obtained by the receiving Party on a non-confidential basis from a third party; or (d) independently developed by the receiving Party. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s Agents who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order, including a qualified protective order in accordance with HIPAA for any of Practice’s Protected Health Information; or (ii) to establish a Party’s rights under this Agreement, including to make required court filings. On the expiration or termination of the Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party; provided, however, (i) with respect to any Confidential Information that constitutes a trade secret (as defined and determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law and (ii) with respect to any Confidential Information that constitutes Protected Health Information, such obligations of non-disclosure will survive the termination or expiration of this Agreement for so long as it is in the possession of MedBot. To the extent of a conflict between a provision of this Section 7 with respect to Protected Health Information and a provision of the BAA, the provision that provides for the greatest protection of the confidentiality, privacy and security of Protected Health Information shall control.

8. Intellectual Property Ownership; Feedback.

(a) MedBot IP. MedBot owns all right, title, and interest, including all intellectual property rights, in and to the MedBot IP.

(b) Third-Party IP. With respect to Products, the applicable third-party owns all right, title, and interest, including all intellectual property rights, in and to the Products.

(c) Practice Data. Practice owns all right, title, and interest, including all intellectual property rights, in and to the Practice Data. Practice hereby grants to MedBot a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Practice Data and perform all acts with respect to the Practice Data as may be necessary for MedBot to provide the Services to Practice, and a non-exclusive, perpetual, irrevocable, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Practice Data incorporated within the Aggregated Statistics. All use of the Practice Data shall be compliant with applicable laws.

(d) Practice IT. As between the Parties, Practice and its licensors and suppliers own all right, title, and interest, including all intellectual property rights, in and to the Practice EHR and other information technology that interfaces with MedBot IP.

(e) Feedback. If Practice, Practice Providers or their Agents or Authorized Users, send or transmit any communications or materials to MedBot by mail, email, telephone, or otherwise, suggesting or recommending changes to the MedBot IP, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), MedBot is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Practice hereby assigns to MedBot on Practice's behalf, and on behalf of its Agents and Authorized Users, all right, title, and interest in, and MedBot is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although MedBot is not required to use any Feedback.

9. Limited Warranty and Warranty Disclaimer.

(a) MEDBOT MAKES NO WARRANTIES REGARDING AND STRICTLY DISCLAIMS ALL WARRANTIES, WITH RESPECT TO ANY PRODUCTS AND LOGISTICS PROVIDER SERVICES OR PRODUCTS.

(b) THE MEDBOT MARKETPLACE AND ALL SERVICES ARE PROVIDED “AS IS” AND MEDBOT HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. MEDBOT SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. MEDBOT MAKES NO WARRANTY OF ANY KIND THAT THE MEDBOT MARKETPLACE, OR ANY RESULTS OF THE USE THEREOF, WILL MEET PRACTICE'S OR ANY OTHER PERSON'S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT (FINANCIAL OR OTHERWISE), BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.

10. Indemnification.

(a) MedBot Indemnification of Practice.

(i) MedBot shall indemnify, defend, and hold harmless Practice from and against any and all damages, liabilities, costs (including reasonable attorneys’ fees) and other losses (“Losses”) incurred by Practice resulting from any third-party claim, suit, action, or proceeding (“Third-Party Claim”) that the Services, or any use of the Services in accordance with this Agreement, infringes or misappropriates such third party’s intellectual property rights, provided that Practice promptly notifies MedBot in writing of the claim and cooperates with MedBot, in the defense of such Third-Party Claim in accordance with the terms set forth in Section 10(c) below.

(ii) If such a claim is made or appears possible, Practice agrees to permit MedBot, at MedBot’s sole discretion, to (A) modify or replace the Services, or component or part thereof, to make it non-infringing and include substantially the same functionality and capabilities, or (B) obtain the right for Practice to continue use of such Services or component part thereof. If MedBot determines that neither alternative is reasonably available, MedBot may refund all pre-paid monthly Medbot Fees, if any, for months on and after the date of termination and terminate this Agreement, effective immediately on written notice to Practice.

(iii) MedBot shall have no indemnification obligations of any kind to any Person, including Practice and Practice Providers, for any Losses resulting from the acts or omissions of any Product Provider (including product liability claims), Logistics Provider, Payment Processor, Practice EHR, Patient-Buyer, or other Person that is not MedBot.

(iv) This Section 10(a) will not apply to the extent that the alleged infringement arises from: (A) use of the Services in combination with data, software, hardware, equipment, or technology not provided by MedBot or authorized by MedBot in writing; (B) modifications to the Services not made by MedBot or for MedBot at its direction; (C) Practice Data; or (D) Products.

(b) Practice Indemnification of MedBot. Practice shall indemnify, hold harmless, and, at MedBot’s option, defend MedBot from and against any and all losses, including legal fees and costs of defense, resulting from (i) any breaches of this Agreement by Practice, Practice Providers, Authorized Users of Practice and their Affiliates and Agents, including but not limited to use of the Services in a manner not authorized by this Agreement or by applicable law, and (ii) any Third-Party Claims based on Practice's or any of its Authorized Users’ (including Practice Providers’) negligence or willful misconduct or on their selection of Products to recommend and sell to Patients as healthcare providers and Marketplace Sellers;
(iii) use of the Services in combination with data, software, hardware, equipment, or technology not provided by MedBot or authorized by MedBot in writing; or (iv) modifications to the Services not made by MedBot.

(c) Indemnification Procedures. Whenever any Third-Party Claim shall arise for indemnification hereunder, the party entitled to indemnification (the “Indemnified Party”) shall promptly provide written notice of such claim to the other party (the “Indemnifying Party”). In connection with any Third-Party Claim, the Indemnifying Party, at its sole cost and expense and upon written notice to the Indemnified Party, may assume the defense of such Third-Party Claim with counsel reasonably satisfactory to the Indemnified Party. The Indemnified Party shall be entitled to participate in the defense of any such Third-Party Claim, with its counsel and at its own cost and expense. If the Indemnifying Party does not assume the defense of any such Third-Party Claim, the Indemnified Party may, but shall not be obligated to, defend against such Third Party Claim in such manner as it may deem appropriate, including settling such Third-Party Claim, after giving notice of it to the Indemnifying Party, on such terms as the Indemnified Party may deem appropriate and no action taken by the Indemnified Party in accordance with such defense and settlement shall relieve the Indemnifying Party of its indemnification obligations herein provided with respect to any damages resulting therefrom. The Indemnifying Party shall not settle any Third-Party Claim without the Indemnified Party’s prior written consent (which consent shall not be unreasonably withheld or delayed).

(d) Sole Remedy. THIS SECTION 10 SETS FORTH PRACTICE'S SOLE REMEDIES AND MEDBOT’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICES INFRINGE, MISAPPROPRIATE, OR OTHERWISE VIOLATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY.
11. Limitations of Liability. IN NO EVENT WILL MEDBOT BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT OR THE SERVICES OFFERED BY MEDBOT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c) LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY, OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; (e) COST OF REPLACEMENT GOODS OR SERVICES; (f) LOSS OR DAMAGES TO PRODUCTS, OR (g) PRODUCT LIABILITY, IN EACH CASE REGARDLESS OF WHETHER MEDBOT WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE. IN NO EVENT WILL MEDBOT’S AGGREGATE LIABILITY, INCLUDING THE PAYMENT OF ANY ATTORNEY’S FEES AND COSTS, ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE EXCEED ONE (1) TIMES THE TOTAL AMOUNT OF MEDBOT FEES PAID BY PRACTICE TO MEDBOT UNDER THIS AGREEMENT IN THE SIX (6) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM OR $50,000, WHICHEVER IS LESS.

12. Term and Termination.

(a) Term. The initial term of this Agreement begins on the Effective Date and, unless terminated earlier pursuant to this Agreement’s express provisions, will continue in effect until one (1) year from such date (the “Initial Term”). This Agreement will automatically renew for additional one (1) year terms unless earlier terminated pursuant to this Agreement’s provisions or either Party gives the other Party written notice of non-renewal at least thirty (30) days prior to the expiration of the then-current term (each a “Renewal Term” and together with the Initial Term, the “Term”).

(b) Termination. In addition to any other express termination right set forth in this Agreement:

(i) PRACTICE MAY TERMINATE THIS AGREEMENT FOR ANY REASON WITH THIRTY (30) DAYS WRITTEN NOTICE TO MEDBOT.

(ii) MedBot may terminate this Agreement, effective on written notice to Practice, if Practice: (A) fails to pay any amount when due hereunder, and such failure continues more than thirty (30) days after MedBot's delivery of written notice thereof; or (B) breaches any of its obligations under Section 2(c) (Use Restrictions) or Section 7 (Confidentiality); or

(iii) either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement, and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach; or

(iv) either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business; or

(c) Effect of Expiration or Termination. Upon expiration or earlier termination of this Agreement, Practice and its Authorized Users shall immediately discontinue use of the MedBot Marketplace and, without limiting Practice's obligations under Section 6, Practice shall delete, destroy, or return all copies of the MedBot IP and, upon request, certify in writing to MedBot that the MedBot IP has been deleted or destroyed. Upon expiration or earlier termination of this Agreement, MedBot shall return or destroy all PHI in accordance with the BAA. No expiration or termination will affect Practice's obligation to pay all MedBot Fees to MedBot, or MedBot’s obligation to pay to Provider the monies owed to it pursuant to this Agreement, which were earned before such expiration or termination.
(d) Survival. This Section 12(d) and Sections 1, 2(c), 2(d), 2(f), 3, 5, 6, 7, 8, 9, 10, 11, 12 and 13 shall survive any termination or expiration of this Agreement. The BAA shall survive for so long as MedBot maintains any PHI. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement.
13. Miscellaneous.

(a) Entire Agreement. This Agreement, together with any other documents incorporated herein by reference and all related Exhibits, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. In the event of any inconsistency between the statements made in the body of this Agreement, the related Exhibits, and any other documents incorporated herein by reference, the following order of precedence governs: (i) first, this Agreement, excluding its Exhibits; (ii) second, the Exhibits to this Agreement as of the Effective Date; and (iii) third, any other documents incorporated herein by reference.

(b) Notices. Any notices to MedBot must be sent to our corporate headquarters address first set forth above and must be delivered either in person, by certified or registered mail, return receipt requested and postage prepaid, or by recognized overnight courier service, and are deemed given upon receipt by us. Notwithstanding the foregoing, you hereby consent to receiving electronic communications from us. These electronic communications may include notices about applicable fees and charges, transactional information, and other information concerning or related to the MedBot Marketplace. You agree that any notices, agreements, disclosures, or other communications that we send to you electronically will satisfy any legal communication requirements, including that such communications be in writing.

(c) Force Majeure. In no event shall either Party be liable to the other, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement, if and to the extent such failure or delay is caused by any circumstances beyond such Party’s reasonable control, including but not limited to acts of God, flood, fire, earthquake, explosion, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo. Notice shall be given of a force majeure event to the other Party as soon as it is commercially feasible to give notice, and the Parties commit to restore performance as soon as the force majeure event has been resolved.

(d) Amendment and Modification; Waiver. Upon written notice to Practice, MedBot may amend this Agreement to comply with applicable laws or to adjust its business model or MedBot Fees (“MedBot Amendment”), in which case Practice shall have thirty (30) days to give notice to terminate this Agreement if it does not accept the MedBot Amendments about which it has been given notice. Except for MedBot Amendments that are essential to be in compliance with applicable laws, the MedBot Amendments shall not apply until after the thirty (30) day period during which Practice may terminate this Agreement. Except as otherwise stated herein, no amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof, and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.

(e) Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to effect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.

(f) Governing Law; Submission to Jurisdiction; Waiver of Jury Trial. This Agreement is governed by and construed in accordance with the internal laws of the State of Florida without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Florida. Any legal suit, action, or proceeding arising out of or related to this Agreement or the licenses granted hereunder will be instituted exclusively in the federal courts of the United States or the courts of the State of Florida in each case located in the city of Tampa and County of Hillsborough, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.

(g) MUTUAL WAIVER OF JURY TRIAL. BECAUSE DISPUTES ARISING IN CONNECTION WITH COMPLEX BUSINESS ARRANGEMENTS AND SOFTWARE PLATFORMS ARE MOST QUICKLY AND ECONOMICALLY RESOLVED BY AN EXPERIENCED EXPERT AND THE PARTIES WISH APPLICABLE STATE AND FEDERAL LAWS TO APPLY (RATHER THAN ARBITRATION RULES), THE PARTIES DESIRE THAT THEIR DISPUTES BE RESOLVED BY A JUDGE APPLYING SUCH APPLICABLE LAWS. THEREFORE, TO ACHIEVE THE BEST COMBINATION OF THE BENEFITS OF THE JUDICIAL SYSTEM AND OF ARBITRATION, EACH PARTY TO THIS AGREEMENT HEREBY WAIVES ALL RIGHTS TO TRIAL BY JURY IN ANY ACTION, SUIT, OR PROCEEDING BROUGHT TO RESOLVE ANY DISPUTE BETWEEN OR AMONG ANY OF THE PARTIES HERETO, WHETHER ARISING IN CONTRACT, TORT, OR OTHERWISE, ARISING OUT OF, CONNECTED WITH, RELATED OR INCIDENTAL TO THIS AGREEMENT, THE TRANSACTIONS CONTEMPLATED HEREBY AND/OR THE RELATIONSHIP ESTABLISHED AMONG THE PARTIES HEREUNDER.

(h) Assignment. Practice may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without the prior written consent of MedBot. Any purported assignment or delegation in violation of this Section will be null and void. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.

(i) Export Regulation. Practice shall comply with all applicable federal laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), that prohibit or restrict the export or re-export of the Services or any Practice Data outside the United States.

(j) Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such Party of any of its obligations under Section 7 (Confidentiality) or the BAA or, in the case of Practice, Section 2(c) (Use Restrictions), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other Party will be entitled to equitable relief, including a restraining order, an injunction, specific performance, and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity, or otherwise.

(k) Marketing. MedBot shall be permitted to identify Practice as a customer in its marketing materials and in marketing presentations.

(l) Counterparts. This Agreement may be executed simultaneously in two or more separate counterparts (including by means of electronic transmission in portable document format (pdf) or comparable electronic transmission, including any electronic signature complying with the U.S. federal ESIGN Act of 2000, e.g., www.docusign.com), any one of which need not contain the signatures of more than one party, but each of which will be an original and all of which together shall constitute one and the same agreement binding on all the parties hereto.







EXHIBIT A
MEDBOT MARKETPLACE FEES

Definitions:

“Billing Period” means the first day to the last day of each calendar month, with partial months to be pro-rated.

“Transaction” means each purchase executed by the Patient-Buyer using a credit card that results in funds entering or leaving the Medtrix Payment Processor account, such as a completed purchase or refund.

“Transaction Funds” means the total amount of funds paid by the Patient-Buyer in the Transaction, inclusive of taxes and shipping.

Fees and Invoicing: On the 1st of each month, the HealthCare Practice SaaS Platform Fee shall be charged to the Practice’s credit card or ACH on file. On the 5th of each month, MedBot shall electronically invoice Practice for the MedBot Fees incurred during the previous Billing Period, and on the 15th of each month, payment for that invoice shall be charged to the Practice’s credit card or ACH on file. Practice shall notify MedBot of a disputed Medbot Fee within thirty (30) days of receipt of an invoice or other notice from MedBot of the MedBot Fees or the MedBot Fees shall be deemed to be accurate. The Parties shall work cooperatively to resolve all disputed MedBot Fees. All of the Fees described below are exclusive of taxes, which can vary from state to state and county to county. Any taxes due and payable shall be added to the MedBot Fees when charged in accordance with Section 6 of the Agreement and this Exhibit A.

MedBot Fees:

1. Text Fees: For each text of a MedBot from a Practice Provider to a Patient, the Practice will be charged $0.08, charged monthly in arrears.

2. Email Fees: For each email of a MedBot from a Practice Provider to a Patient, the Practice will be charged $0.08, charged monthly in arrears.

3. Refund Processing Fee: If a Patient requests a refund, Practice will be charged a $4.95 refund processing fee for each processed refund.

4. Credit Card Processing Fee: 5.95% of the Transaction Funds plus $0.85 per Transaction to cover all Payment Processor Fees and associated administrative and developer work associated with transactions. If the Transaction is disputed by the Patient-Buyer (known as a “charge-back”), Medtrix may also charge a Dispute Fee of $20.00, refundable if Practice ultimately wins the dispute.

5. Monthly Provider Fee: For each Practice Provider utilizing the MedBot platform, the Practice will be charged $24.95 per Practice Provider, per month.

6. Optional EHR Integration Fees: For a more automated and integrated system, you can elect to subscribe for EHR integration, upon request. The Fees are: (a) a one-time set-up fee of $1,995.00 and (b) a monthly fee of $295.00, payable in advance on the first day of each month, pro-rated in the first month if the start date does not fall on the 1st of month.


EXHIBIT B PRACTICE REVENUE

As the Marketplace Seller, Practice sets its own prices for the Products sold to the Patient-Buyers. In the Healthcare Provider Hub, Practice will see the Product Provider Price (i.e., the wholesale price) that it is paying for each Product sold, plus the Manufacturer Recommended Retail Price and can use that information to decide how much to markup each Product the Practice chooses to sell through the MedBot Marketplace.
Practice Revenue shall be the net revenue from sales calculated as follows:
X: Practice Provider Price
minus
Y: Product Provider Price
equals
Z: Practice Revenue

Subject to offsets permitted by the Agreement, Practice Revenue will be paid to Practice on or before the last day of the month following the month in which the purchase is made.
ILLUSTRATIVE EXAMPLE:
If Practice sells 200 products in August for a Practice Provider Price of $25.00 and a Product Provider Price of $15.00, then the total Practice Revenue for the month of August would be
X: $5,000 ($25 x 200) – Y: $2,000 ($10 x 200)
= Z: $3,000 paid by Medtrix to Practice on or before September 30th
 

BUSINESS ASSOCIATE AGREEMENT


This Business Associate Agreement (this “BAA” or “Agreement”) is made effective as of the Form Submission Date, by and between Practice (“Covered Entity”), and Medtrix Technologies, LLC dba MedBot (“Business Associate”, “BA” or “MedBot”).

RECITALS

WHEREAS, Covered Entity is a “covered entity” as that term is defined in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, as amended, and the regulations promulgated thereunder (“HIPAA”); and

WHEREAS, by one or more written agreements executed by the parties, Covered Entity has engaged BA to provide certain services to Covered Entity; and

WHEREAS, in conjunction with providing those services, to the extent BA receives Protected Health Information (as hereinafter defined) from Covered Entity, BA is a “business associate” as that term is defined by HIPAA, and both parties have obligations under HIPAA to protect the privacy and security of Protected Health Information as the Covered Entity.

NOW THEREFORE, in consideration of the foregoing recitals, which are hereby incorporated as an integral part of this Agreement, and of the mutual promises contained herein and other good and valuable consideration, the parties, intending to be legally bound, hereby agree as follows:

1. Definitions. In addition to any other terms whose definitions are fixed and defined by this Agreement, the Privacy Rule, or the Security Rule, each of the following defined terms, when used in this Agreement with an initial capital letter, shall have the meaning ascribed thereto by this section. Terms used, but not otherwise defined, shall have the same meaning as those terms in HIPAA.

(a) “Breach Notification Standards” shall mean the HIPAA regulations governing notification in the case of breach of unsecured Protected Health Information as set forth at 45 CFR Part 164, Subpart D, as they exist now or as they may be amended.

(b) “Designated Record Set” shall mean a group of records maintained by or for Covered Entity that is: (i) the medical records and billing records about individuals maintained by or for Covered Entity,(ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for Covered Entity to make decisions about individuals. As used herein, the term “Record” means any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for Covered Entity.

(c) “Electronic Protected Health Information” or “ePHI” shall have the same meaning as the “electronic protected health information” in 45 CFR § 160.103, limited to the information created or received by BA from or on behalf of Covered Entity.

(d) “HIPAA Transaction” shall mean Transactions as defined in 45 CFR § 160.103 of the Transaction Standards.

(e) “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, found in the American Recovery and Reinvestment Act of 2009 at Division A, title XIII and Division B, Title IV.

(f) “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
(g) “Minimum Necessary” shall have the meaning set forth in the HITECH Act, § 13405(b), and as further defined by regulation in the Privacy Rule.

(h) “Plans” means Health Plans as defined under HIPAA.

(i) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

(j) “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR 160.103, inclusive of ePHI, limited to the information created or received by BA from or on behalf of Covered Entity.

(k) “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.103.

(l) “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.

(m) “Security Rule” shall mean the security standards for the protection of Electronic Protected Health Information at 45 CFR part 164, subpart C.

(n) “Transaction Standards” shall mean the Standards for Electronic Transactions, 45 CFR part 160 and part 162, as they exist now or as they may be amended.

2. Obligations and Activities of BA.

(a) Except as otherwise limited in this Agreement, BA may use or disclose PHI on behalf of, or to perform functions, activities or services to Covered Entity as specified in the Medbot Marketplace Healthcare Provider User Agreement between Covered Entity and BA (the “Services Agreement”). Notwithstanding the foregoing, BA may use and disclose PHI only if such use or disclosure, respectively, is in compliance with each applicable requirement of 45 CFR §164.504(e) and this Agreement. To the extent BA is to carry out Covered Entity's obligation under the Privacy Rule, BA shall comply with the Privacy Rule requirements that apply to the Covered Entity in the performance of such obligation.

(b) BA agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.

(c) BA agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, and agrees to mitigate, to the extent practicable, any harmful effect known to the BA that results from such use or disclosure.

(d) BA agrees to ensure, in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2), that any Subcontractor to whom it delegates the performance of any services for Covered Entity, and to whom BA or Covered Entity provides PHI on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to BA with respect to such PHI. If BA becomes aware of a material breach by any Subcontractor of such Subcontractor’s obligations to protect the privacy and security of PHI, BA shall either:
(i) Provide an opportunity for the Subcontractor to cure the breach or end the violation and terminate their relationship and any written agreements if the Subcontractor does not cure the breach or end the violation within the time specified by BA; or
(ii) Immediately terminate its relationship with the Subcontractor and any other written agreements if the Subcontractor has breached a material obligation and cure is not possible.

(e) BA agrees to make its internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI received from, or created or received by BA on behalf of Covered Entity available to the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with HIPAA.

(f) To the extent BA and/or any Subcontractor of BA maintains PHI in a Designated Record Set:

(i) BA agrees to provide access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524.

(ii) If BA or a Subcontractor maintains the Individual’s ePHI in an electronic Designated Record Set, and the Individual has requested a copy in a specified electronic form and format, BA will provide the requested ePHI in the requested electronic form and format, if readily producible. If the ePHI is not readily producible in the requested form and format, BA shall notify Covered Entity within five (5) business days of the request. In such event BA shall provide the ePHI in an alternative readable electronic form and format as agreed by BA and Covered Entity, within five (5) business days of notice of the alternative electronic form and format.

(iii) BA agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity, and in the time and manner designated by Covered Entity. If BA provides PHI to third parties, BA shall ensure such records are also amended.

(iv) For sake of clarification, BA shall not be considered or identified as a Covered Entity’s agent when providing access to, or otherwise responding to an Individual’s requests.

(g) BA agrees to document disclosures of PHI, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. BA agrees to implement an appropriate record keeping process that will track, at a minimum, the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure.

(h) BA agrees to provide to Covered Entity or to an Individual in the time and manner reasonably designated by Covered Entity, information collected in accordance with Section 2(g) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI during the six (6) years prior to the date on which the accounting was requested, in accordance with 45 CFR § 164.528.

(i) If BA receives a subpoena, court or administrative order or other discovery request or mandate for release of PHI, BA shall notify Covered Entity of the request as soon as reasonably practicable, but in any event within five (5) business days of receipt of such request. BA may respond as permitted by 45 CFR § 164.512(e) and (f), following consultation with Covered Entity and an opportunity for Covered Entity to negotiate or otherwise limit the scope of the subpoena, order discovery request or mandate.

(j) If, and only to the extent BA performs marketing services, with Covered Entity’s written approval, on behalf of Covered Entity and uses or discloses PHI in furtherance of those services, BA shall adopt and implement a policy and procedure for removing the names of all individuals who have expressly opted out of receiving future marketing materials from BA on Covered Entity's behalf. If Covered Entity receives information of an individual's request to opt out of future mailings, Covered Entity agrees to notify BA of such request as soon as reasonably practicable after receipt of the request.

(k) If BA will communicate with any individuals who are the subject of PHI originating from or prepared for Covered Entity, BA agrees to implement procedures to give timely effect to an individual’s request to receive communications of PHI by alternative means or at alternative locations, pursuant to 45 CFR § 164.522(b), so as to ensure that PHI will only be communicated to those individuals designated in such a request as authorized to receive the PHI. If BA provides records to Subcontractors, who may also communicate with the individual, BA shall ensure that the Individual’s request for communications by alternative means is provided to and given timely effect by such Subcontractors.

(l) BA will not disclose PHI to Plans for payment or health care operations purposes if Covered Entity has informed the BA that the patient has paid out of pocket in full for specific health care item(s) or service(s) to which the PHI/ePHI solely relates, and for which the patient has requested this special restriction.

(m) BA shall not directly or indirectly engage in the Sale of Protected Health Information (as defined in 45 CFR § 164.502(5)(ii)).

(n) Upon request from Covered Entity, BA shall permit Covered Entity to review and audit BA’s policies, procedures and practices relating to the use and protection of PHI, including the right to audit contracts and relationships with Subcontractors who have access to PHI, and upon request shall provide Covered Entity with copies of relevant documents.
(o) BA shall request from Covered Entity, and use and disclose to its Workforce, affiliates, subsidiaries, Subcontractors or other third parties, only the minimum PHI necessary to perform or fulfill a specific function required or permitted under this Agreement or as Required By Law. BA shall maintain policies and procedures for requesting, using, and disclosing only the minimum necessary PHI, determined necessary consistent with the requirements in the HITECH Act, § 13405(b), or as otherwise specified in regulations promulgated by the Secretary. To the extent practicable, BA shall utilize a Limited Data Set. Otherwise, BA may use or disclose only the minimum amount of PHI necessary to accomplish the intended purpose, except that BA will not be obligated to comply with this minimum necessary limitation with respect to:
(i) Disclosures to, or requests by, a health care provider for treatment;
(ii) Disclosures to the individual who is the subject the PHI, or that individual’s personal representative;
(iii) Use or disclosure made pursuant to an authorization compliant with 45 C.F.R. §164.508;
(iv) Use or disclosure that is Required By Law; or

(v) Any other use or disclosure that is excepted from the Minimum Necessary limitation as specified in 45 C.F.R. §164.502(b)(2).

3. Electronic Transactions. To the extent that BA is electronically transmitting any of the HIPAA Transactions for Covered Entity, the format and structure of such transmissions shall be in compliance with the Transaction Standards. BA will require any subcontractor or agent involved with the electronic transmissions of the HIPAA Transactions to comply with each of the Transactions Standards.
4. Electronic Data Security. To the extent that BA creates, receives, maintains, or transmits ePHI, BA hereby represents and warrants that it:
(a) has implemented and documented administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of the ePHI that BA creates, receives, maintains or transmits on behalf of Covered Entity consistent with the requirements at 45 CFR §§ 164.308, 164.310, 164.312 and 164.316;
(b) will ensure that any Subcontractor, to whom BA provides ePHI agrees to implement reasonable and appropriate safeguards to protect the PHI;
(c) report to Covered Entity any successful Security Incident that BA becomes aware of with respect to ePHI; and
(d) will keep records of, and report to the Covered Entity, all successful Security Incidents involving PHI of which BA becomes aware.
(e) complies with the requirements at 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, to the extent they apply to BA, in the same manner that such sections apply to Covered Entity.

The additional requirements of the HITECH Act that relate to security and that are made applicable with respect to covered entities shall also be applicable to BA and shall be and by this reference hereby are incorporated into this Agreement.

5. Breach Notification. BA shall at all times have reasonable policies and procedures in place to prevent and detect inappropriate acquisition, access, use or disclosure of PHI, and that it trains its work force and agents on these procedures.

(a) BA will report to Covered Entity within five (5) business days of discovering an acquisition, access, use or disclosure of PHI (that is not an Unsuccessful Security Incident, as defined in Section 5(c)) in a manner or for a purpose not permitted by this Agreement, and within thirty (30) calendar days of discovery will provide Covered Entity with the identification of each individual whose PHI has been or is reasonably believed by BA to have been acquired, accessed, used or disclosed during such incident. The report shall contain at a minimum, to the extent such information is available, the following: (i) the nature of the non- permitted acquisition, access, use or disclosure, (ii) including the date of the possible breach and when discovered, (iii) the PHI accessed, used or disclosed, and provide an exact copy or replication to the extent practicable, (iv) the identity of who caused the possible breach and who is believed to have received, accessed, or used the PHI; (v) identify the corrective action BA has taken and will take to prevent further breaches, (vi) identify what BA has done and will do to mitigate any harmful effect as a result of the possible breach; and (vii) provide such other information, including a written report, as Covered Entity may reasonably request.

(b) BA will assist Covered Entity in assessing: (1) the nature and extent of the PHI involved in the improper acquisition access, use, or disclosure, (2) to whom the disclosure was made or who used the PHI, (3) the extent to which the PHI was actually acquired or viewed, and (4) any extent to which the risk has been mitigated to determine whether there is a low probability that the PHI has been compromised, and whether the individuals whose information is involved must be notified. If Covered Entity determines that Individuals whose PHI is affected by the impermissible acquisition, access, use or disclosure must be notified pursuant to the Breach Notification Standards or other applicable law, BA will reasonably assist with providing necessary information to Covered Entity, at its own expense, without unreasonable delay and in compliance with applicable law so that Covered Entity can comply with all applicable notification requirements.

(c) Notwithstanding the foregoing, Covered Entity acknowledges and agrees that this Section 5 constitutes notice by BA to the Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to the Covered Entity by BA shall not be required unless Covered Entity makes a specific written request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on BA's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
6. Permitted Uses and Disclosures by BA.
(a) Except as otherwise limited in this Agreement, BA may use or disclose PHI as specified in this Agreement to perform functions, activities, or services for, or on behalf of, Covered Entity, under the Services Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
(b) Except as otherwise limited in this Agreement, BA may use PHI to provide Data Aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B).
(c) BA may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 CFR 164.502(j)(1).
(d) BA may use and disclose PHI for the purpose of de-identifying it in accordance with 45 CFR 164.514(b) to create Aggregated Statistics (as defined in the Services Agreement), which Aggregated Statistics may be used or disclosed by BA in accordance with the Services Agreement.
(e) BA may use PHI for the proper and necessary management and administration of Business associate or to carry out the legal responsibilities of BA.
(f) BA may disclose PHI for the proper management and administration of BA, provided that disclosures are Required By Law or BA has obtained reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the BA of any instances of which it is aware in which the confidentiality of the information has been breached.
(g) BA may use and disclose PHI as otherwise directed in writing by Covered Entity.

7. Obligations of Covered Entity.
(a) Covered Entity represents that it has obtained or will obtain all consents or authorizations that may be required by the Privacy Rule and applicable law prior to furnishing PHI to BA, and prior to marketing the sale of products or services to patients using the software of BA.
(b) Covered Entity shall not request BA to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
(c) Covered Entity will notify BA of any limitations in its Notice of Privacy Practices, to the extent such limitations affect BA’s use or disclosure of PHI or the provision of services contemplated by the parties.
(d) Covered Entity will notify BA of any restriction on use or disclosure of PHI agreed to by the Covered Entity pursuant to 45 CFR § 164.520 to the extent such restrictions affect BA’s use or disclosure of PHI or the provision of services contemplated by the parties.
(e) Covered Entity shall notify BA in writing promptly, but in no event later than two (2) business days, of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect BA’s use or disclosure of PHI pursuant to the Services Agreement.

8. Term.
(a) Term. The term of this Agreement shall be the term of the Services Agreement, and shall terminate when all of the ePHI and other PHI provided by Covered Entity to BA, or created or received by BA on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if the parties mutually agree that it is infeasible for BA to return or destroy PHI, protections are extended to such PHI in accordance with the terms of this Agreement and the Services Agreement.
(b) Termination for Breach by BA. Upon Covered Entity’s knowledge of a material breach of the terms of this Agreement by BA, Covered Entity shall either:
i. Provide an opportunity for BA to cure the breach or end the violation and terminate this Agreement and any other written agreements between the parties (including, without limitation, the Services Agreement) if BA does not cure the breach or end the violation within the time specified by Covered Entity; or
ii. Immediately terminate this Agreement and any other written agreements between the parties if BA has breached a material term of this Agreement and cure is not possible.

(c) Effect of Termination.
i. Except as provided in paragraph (ii) of this subsection, upon termination of this Agreement, for any reason, BA shall return or destroy all PHI received from Covered Entity, or created or received by BA on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of Subcontractors. BA shall retain no copies of PHI.
ii. In the event that BA reasonably determines that returning or destroying PHI is infeasible, BA shall provide to Covered Entity notification of the conditions that make return or destruction of PHI infeasible, and BA shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as BA maintains such PHI.
9. Miscellaneous.
(a) Ownership of PHI. Under no circumstances shall BA be deemed in any respect to be the owner of any PHI used or disclosed by or to BA pursuant to the terms of this or any underlying Services Agreement. Covered Entity shall at all times be deemed the “records owner” and retain all title and rights to the PHI, whether in the possession of BA, a subcontractor, or otherwise.
(b) Regulatory References. A reference in this Agreement to a section in the Transaction Standards, Privacy Rule or Security Rule means the section as in effect or as amended.
(c) Amendment. No amendment, change, or modification of this Agreement shall be valid unless set forth in writing and signed by the parties. The parties agree to take such action as is necessary to amend or further amend, as the case may be, this Agreement from time to time as is necessary for Covered Entity to comply with the applicable law, including but not limited to the requirements of HIPAA, the HITECH Act, and regulations promulgated thereunder. If within ninety (90) days of either party first providing written notice to the other of the need to amend this Agreement and any other written agreements between the parties to comply with applicable law, the parties, acting in good faith, are: i) unable to mutually agree upon and make amendments or alterations to this Agreement and any other written agreements between the parties to meet the requirements in question, or ii) alternatively, the parties determine in good faith that amendments or alterations to the requirements are not feasible, then either party may terminate the Agreement upon thirty (30) days written notice.
(d) No Third Party Rights. The terms of this Agreement are not intended, nor should they be construed, to grant any rights to any parties other than BA and Covered Entity.
(e) Notices. Any notice pertaining to or called for by this Agreement shall be effective if mailed by certified or registered mail, return receipt requested, or by Federal Express or other overnight mail delivery for which evidence of delivery is obtained by the sender, to the respective party at the addresses set forth in the signature block of each party, as may be amended from time to time by notice being provided in accordance with this Section 9(e).

(f) Survival. The respective rights and obligations of the parties shall survive any termination of this Agreement so long as BA is providing services to Covered Entity or otherwise maintaining PHI and/or ePHI.

(g) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the requirements of HIPAA and the HITECH Act, and other applicable law. In the case of conflict between this Agreement and any other written agreement between the parties, the language of this Agreement shall control with regard to the subject matter herein.

(h) Governing Law; Venue. This Agreement shall be governed by and construed under the laws of the State of Florida, without regard to choice of law rules. Venue shall be the state and federal courts of St. Petersburg, Florida, Pinellas County, Middle District of Florida.
(i) Entire Agreement. This Agreement and the Services Agreement constitute the entire agreement between the parties with respect to the subject matter hereof, and supersedes all prior oral or written agreements, commitments, or understandings with respect thereto as of the Effective Date.
(j) Signatures. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. Counterparts may be delivered via facsimile, electronic mail (including pdf or any electronic signature complying with the U.S. federal ESIGN Act of 2000, e.g., www.docusign.com) or other transmission method and any counterpart so delivered shall be deemed to have been duly and validly delivered and be valid and effective for all purposes.