This Software Subscription Agreement ("Agreement") is a legal agreement between you and DrugPak, LLC, a Tennessee limited liability company and its successors and assigns ("DrugPak").

If you do not agree to the terms of this Agreement, then you must promptly stop using DPWeb (defined below).

The parties agree as follows:

1. Definitions.

1.1. "Collected Data" means any and all information, including your Personally Identifiable Information, used, collected, maintained and/or stored in or by DPWeb, including, without limitation, (i) information you enter into DPWeb, (ii) the number of drug tests that have been entered into DPWeb over a specified period of time; (iii) the types of drug tests entered in DPWeb and geographic areas where the tests were performed; and (iv) information concerning collection sites used by you including the name of the collection site, address, phone number, and contact person for the collection site.

1.2. "DPWeb" means any and all programs and modules that make up DPWeb, including any and all upgrades, modifications, updates, additions, or patches, to any such program or module, and any accompanying written materials, including instructions for use.

1.3. "Personally Identifiable Information" means information that is personally identifiable in nature such as name, address, phone number, email address, or social security number or employer identification number.

1.4. "Services" means the services provided by DrugPak through DPWeb to you, including but not limited to, access to Collected Data.

1.5. "Term" means the amount of time that you have agreed to use DPWeb during the registration process or any subsequent renewal term.

1.6. "Use" means the ability to access, execute, and display DPWeb through a web browser.

2. Use. Subject to the provisions of this Agreement, DrugPak grants to the original purchaser of DPWeb, for the Term, a nonexclusive, non-transferrable, revocable, limited, non-sublicenseable, personal, right to (i) Use DPWeb, and (ii) subject to the number of simultaneous user licenses purchased from DrugPak, allow users to access DPWeb.

3. Subscription. You are allowed to Use DPWeb on a subscription basis. During the registration process you selected the modules you are subscribing to use in DPWeb, the number of users that will use DPWeb, the length of your subscription, the number of texts or faxes allowed, and other options offered during the registration process (collectively, "Options"). You agree to pay the subscription fees, setup fees, and other costs ("Fees") for Options in DPWeb that you agreed to for the Term you agreed to in the registration process. Your subscription automatically renews for the same length of time as your original Term unless you cancel the subscription as provided in this Agreement. When your subscription renews you owe the Fees for the new Term. During the Term you may add additional Options which will increase the subscription fees for the entire Term. Options may only be removed at the end of the Term.

4. Payment. If you have been sold the subscription to DPWeb through a reseller then (i) you will provide payment to the reseller instead of DrugPak as provided in this Section, and (ii) you are still liable to DrugPak for the payment and DrugPak may enforce its rights under this Agreement if DrugPak does not receive payment. You will provide to DrugPak a valid credit card number, ACH information, or eCheck information, or other payment information as allowed by DrugPak (collectively, "Payment Device"). Along with the Payment Device you will provide all information necessary to use the Payment Device such as the expiration date for the credit card and other information requested by DrugPak, and you hereby authorize DrugPak to charge to the Payment Device all Fees applicable to your purchase of the subscription to DPWeb. All Fees for a Term are owed at the beginning of a Term. DrugPak may allow you to pay the Fees owed for a Term throughout the Term on a monthly, semi-annual, or other payment cycle you select that is allowed by DrugPak ("Payment Cycle"). The portion of the Fees owed for a Payment Cycle will be charged at the beginning of the Payment Cycle. Upon cancellation, expiration, or any change to the Payment Device, you will immediately provide a new Payment Device and other information requested by DrugPak. If you have provided a Payment Device for another agreement between you and DrugPak, you authorize DrugPak to charge such other Payment Device for any Fees owed under this Agreement in the event the Payment Device you provided for this Agreement does not work. If you do not pay the portion of the Fees due for a Payment Cycle when due, then all of the Fees owed for a Term become immediately due and payable, at DrugPak’s option, without demand or notice. Payments made under another agreement between you and DrugPak do not apply to Fees owed under this Agreement and vice versa. For convenience, DrugPak may provide you with an invoice, at DrugPak’s discretion. You are required to pay all Fees regardless of whether you receive an invoice. If you have not paid all sums due DrugPak in accordance with the terms of this Agreement, a monthly finance charge equal to the lesser of (a) 1.5% per month, or (b) the highest amount permitted by law, shall accrue and be payable each month until paid in full. Furthermore, upon your failure to make payment in accordance with the terms hereof, a late fee of ten percent (10%) of the amount past due shall be due and payable by you with respect to each such late payment. The waiver of a finance charge, late fee or any portion thereof shall not be deemed to be a waiver of any future finance charges or late fees. You shall be liable to DrugPak for any and all costs and expenses incurred by DrugPak, including without limitation attorneys’ fees and expenses, in collection of any past due amounts hereunder.

5. Rollover. Unused Options such as texts or faxes will accumulate during a Term, and will rollover to a renewal Term. When the Agreement expires or is terminated all Options are deleted and you are not entitled to any refund for amounts paid for unused Options. Notwithstanding the foregoing, if your subscription to DPWeb lapses for 30 days or less then upon renewal of your subscription the Options available when the subscription lapsed will continue to be available.

6. Suspension. If you do not pay the Fees owed under this Agreement or any amounts owed under another agreement between you and DrugPak when due or if you are paying a reseller and DrugPak does not receive payment for all fees owed by the reseller for any of the reseller’s customers then your use of DPWeb may be suspended by DrugPak until the Fees or other amounts are paid in full. If your use of DPWeb is suspended, you still owe all Fees you committed to during the registration process.

7. Ownership. This Agreement is not a sale of DPWeb and DrugPak retains title and ownership of DPWeb and all subsequent copies, including the intellectual property rights therein, regardless of the form or media in or on which DPWeb or subsequent copies exist.

8. Feedback. DrugPak has not agreed to and does not agree to treat as confidential any Feedback (as defined below) you provide to DrugPak, and nothing in this Agreement or in the parties’ dealings arising out of or related to this Agreement will restrict DrugPak’s right to use, profit from, disclose, publish, keep secret, or otherwise exploit Feedback, without compensating or crediting you. ("Feedback" means any suggestion or idea for improving or otherwise modifying DPWeb.)

9. Copy Restrictions. DPWeb is copyrighted. Unauthorized copying of DPWeb or any accompanying written materials is expressly forbidden. You may be held legally responsible for any copyright infringement that is caused or encouraged by your failure to abide by the terms of this Agreement.

10. Use Restrictions. You may not allow third parties to Use DPWeb unless such Use is expressly authorized by DrugPak. You may not wrap the DPWeb interface in another interface. You may not use any third-party program to access or link to the data used, collected, maintained, and/or stored in or by DPWeb without the express written consent of DrugPak. You may not sell or license access to DPWeb by itself or as a part of a service or product.

11. Upgrades. If you are upgrading from the DrugPak Software Suite you understand that once your data from the DrugPak Software Suite is imported into DPWeb during the upgrade process the data cannot be used in the DrugPak Software Suite. You are responsible for maintaining a backup of the data from the DrugPak Software Suite. DrugPak may provide a migration tool that allows the data in the DrugPak Software Suite to be transferred to DPWeb. The migration tool only works with the latest release of the DrugPak Software Suite. Data cannot be transferred from DPWeb to the DrugPak Software Suite.

12. Website. You acknowledge and agree that DPWeb is provided by DrugPak in part through the DrugPak website. You accept and agree to comply with the Terms of Service, Privacy Policy, and copyright and trademark notices of DrugPak posted on the website and in effect from time to time. You acknowledge and agree that, because DPWeb is provided in part through the website, it is necessary for you to have computer equipment and an internet connection that meets minimum specifications published by DrugPak from time to time on the website, and you acknowledge and agree to periodically update your computer equipment or internet connection to meet such minimum specifications. You acknowledge that DPWeb may be interrupted due to (a) website downtime for scheduled maintenance at DrugPak’s sole discretion, or (b) interruptions in internet connectivity or other website downtime caused by circumstances beyond DrugPak’s control, including, without limitation, acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems, computer or telecommunications failures, delays involving hardware or software not within DrugPak’s control, network intrusions or denial of service attacks. You agree that DrugPak shall not, in any way, be liable for, or have responsibility with respect to, any such interruptions.

13. Third Party Software. DPWeb interacts with various third-party software applications such as Microsoft office, email programs, pdf readers, and other applications ("Third-Party Software"). DrugPak does not provide, update, or maintain any Third-Party Software. You acknowledge that you are responsible for obtaining licenses for any Third-Party Software you need to use with DPWeb. DrugPak does not provide any support for Third-Party Software and you acknowledge that you must obtain support from your IT vendor or the maker of the Third Party Software.

14. User Name and Password. During the registration process for DPWeb you created a user name and password that allows you to have access to DPWeb through the website. You have also created user accounts to allow the number of users allowed under your subscription to access DPWeb. The additional users must be within your company. You will not provide your user name or password to access DPWeb to any other person or entity, or allow any other person or entity to access DPWeb under your user name and password. You agree that you are solely responsible for any actions that occur under your user name and password or the user accounts you have created. In the event that any of the user names and password you created become known by a third party you agree to take all available precautions to prevent the userid and password from being used by an unauthorized individual, including, but not limited to, disabling the userid, and you agree to notify DrugPak immediately.

15. Updates. DrugPak may create, from time-to-time, upgrades, modifications, updates, additions, and/or patches to DPWeb, which may be made available to you while you have a current and valid subscription to Use DPWeb.

16. Privacy.

16.1. Authorization to Collect and Use Data. You authorize DrugPak to collect the Collected Data for so long as you continue to Use DPWeb and to forever store and use such Collected Data for purposes of providing the Services, market research and marketing, software development and support, licensing and billing, generating reports, and establishing or improving resources, benefits, product features and/or services to DPWeb users. Such purposes will likely include, without limitation, the use of Collected Data, except for Personally Identifiable Information, by DrugPak to conduct test trends analysis and publish the results of such analysis for the use and benefit of DrugPak customers.

16.2. Disclosure of Data to Third Parties. You further authorize DrugPak to disclose any and all Collected Data, except for Personally Identifiable Information, to third-party recipients where such third-party recipients enter into data use agreements providing appropriate safeguards, as determined by DrugPak in its reasonable discretion, on the use and further disclosure of the Collected Data.

16.3. Protected Health Information. Except as allowed by law, DrugPak will not disclose to any third party "Protected Health Information" as defined in 45 CFR § 160.103, or any other data or information the disclosure of which by DrugPak is prohibited by law. If you are a Covered Entity or Business Associate, as defined in 45 CFR § 160.103, using DPWeb to store Protected Health Information, you agree to the terms and conditions of the Business Associate Agreement attached as Exhibit A and Exhibit A is incorporated into this Agreement by reference.

16.4. Release. You hereby release, hold harmless from, and agree not to sue DrugPak, and its officers, managers, members, employees, agents, or independent contractors from any and all rights, claims, demands, actions, liabilities and causes of action, whether accrued or unaccrued, fixed or contingent, legal or equitable, and which in any manner relate to or arise out of DrugPak’s collection, storage, use or disclosure of the Collected Data in accordance with this Agreement.

17. Reports. DPWeb provides two methods for you to receive reports: (1) all reports generated by you through DPWeb are made available for download through Screenhubb ("Screenhubb Reports"), and (2) you may elect to email ("Email") the report to an email that you choose. DrugPak recommends that you always download the Screenhubb Reports because the Screenhubb Reports are more secure than Email. You acknowledge that Email is unencrypted which is unsecure and a third party may intercept the Email and read the contents. Your use of Email is at your own risk and DrugPak provides no guarantee that Email will be transmitted securely. The report attached to the Email will be protected by a password. The password is used to encrypt the report and you agree not to take any steps to disable any such encryption. You also agree to protect the password that is used to encrypt the attachment and notify DrugPak immediately if the password becomes known by a third party. The Email itself will not contain any Protected Health Information.

18. Limited Warranty. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND EXCEPT AS EXPRESSLY SET FORTH HEREIN DPWEB IS PROVIDED "AS IS", AND DRUGPAK AND ITS SUPPLIERS AND LICENSORS DO NOT MAKE AND SPECIFICALLY DISCLAIM, ALL EXPRESS AND IMPLIED WARRANTIES OF EVERY KIND RELATING TO DPWEB (INCLUDING, WITHOUT LIMITATION, ACTUAL AND IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT), AS WELL AS ANY WARRANTIES THAT DPWEB (OR ANY ELEMENTS THEREOF) WILL ACHIEVE A PARTICULAR RESULT, OR WILL BE UNINTERRUPTED OR ERROR-FREE.

19. Support. DrugPak provides you with Support for all Support issues related to DPWeb during the Term according to the DrugPak Technical Support Policy ("Policy"), incorporated into this Agreement by reference, which is available on the DrugPak website at https://support.screenhubb.com/policy. The Policy may be updated by DrugPak from time to time, in its sole discretion. End-User Training, Consultation & Data Analysis, and Custom Programming & Data Manipulation are not included in Support but are provided by DrugPak for additional fees. Support, End-User Training, Consultation & Data Analysis, and Custom Programming & Data Manipulation are defined in the Policy. While DrugPak works cooperatively with you to determine whether an issue is a Support issue and the severity of the issue, DrugPak makes the final determination, in its sole discretion, of whether an issue is classified as a Support issue and the severity of that issue.

20. No Legal Advice. DrugPak does not provide legal advice and the information or reports obtained from DPWeb may not be construed as legal advice. You acknowledge that you should seek the advice of an attorney to understand the interaction of the information or reports DPWeb generates and drug testing laws and regulations. DrugPak, its employees, or agents do not provide legal advice and if you have a question of a legal nature you should seek legal counsel.

21. Indemnification. You agree to indemnify, defend and hold harmless DrugPak and its officers, directors, employees, agents and contractors from any loss, cost, expense (including attorney’s fees and expenses), demand, claim, liability, damages or cause of action of any kind or, in any manner arising out of or relating to (i) any violation or breach by you of any provision of this Agreement; (ii) your storage of Protected Health Information in DPWeb without notifying DrugPak, (iii) use of Email, or (iv) your negligence, recklessness or intentional misconduct.

22. Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL DRUGPAK BE LIABLE UNDER ANY THEORY OF LIABILITY FOR ANY CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, DAMAGES ARISING FROM LOSS OF PROFITS, REVENUE, DATA OR USE, OR FROM INTERRUPTED COMMUNICATIONS OR DAMAGED DATA, OR FROM ANY DEFECT OR ERROR OR IN CONNECTION WITH YOUR ACQUISITION OF SUBSTITUTE GOODS OR SERVICES OR MALFUNCTION OF DPWEB, OR ANY SUCH DAMAGES ARISING FROM BREACH OF CONTRACT OR WARRANTY OR FROM NEGLIGENCE OR STRICT LIABILITY, EVEN IF DRUGPAK OR ANY OTHER PERSON HAS BEEN ADVISED OR SHOULD KNOW OF THE POSSIBILITY OF SUCH DAMAGES, AND NOTWITHSTANDING THE FAILURE OF ANY REMEDY TO ACHIEVE ITS INTENDED PURPOSE. WITHOUT LIMITING THE FOREGOING OR ANY OTHER LIMITATION OF LIABILITY HEREIN, REGARDLESS OF THE FORM OF ACTION, WHETHER FOR BREACH OF CONTRACT, WARRANTY, NEGLIGENCE, STRICT LIABILITY IN TORT OR OTHERWISE, YOUR EXCLUSIVE REMEDY AND THE TOTAL LIABILITY OF DRUGPAK OR ANY SUPPLIER OF SERVICES TO DRUGPAK FOR ANY CLAIMS ARISING IN ANY WAY IN CONNECTION WITH OR RELATED TO THIS AGREEMENT, FOR ANY CAUSE WHATSOEVER, INCLUDING BUT NOT LIMITED TO ANY FAILURE OR DISRUPTION OF THE USE OF DPWEB, SHALL NOT EXCEED THE FEES PAID TO DRUGPAK IN THE SIX MONTH PERIOD PROCEEDING THE CLAIM. DRUGPAK SHALL HAVE NO LIABILITY WHATSOEVER TO YOU FOR ANY CLAIMS OF PATENT, COPYRIGHT, OR OTHER INTELLECTUAL PROPERTY RIGHT INFRINGEMENT OR MISAPPROPRIATION OF TRADE SECRETS, MADE AGAINST YOU INCIDENT TO THE USE OF DPWEB.

23. Termination.

23.1. By You. You may terminate this Agreement by providing notice in writing to DrugPak at least fifteen (15) days prior to the end of the current Term.

23.2. By DrugPak. DrugPak may terminate this Agreement by providing notice in writing to you at least fifteen (15) days prior to the end of the current subscription Term. DrugPak may also terminate this Agreement if you fail to comply with the provisions of this Agreement. If the Agreement is terminated, then your right to use DPWeb automatically terminates. The termination of this Agreement does not relieve you of the obligation to pay for the entire subscription Term.

23.3. Effect of Termination. Upon termination of this Agreement, DrugPak may return, destroy, or deidentify your Protected Health Information. If you request that DrugPak return, destroy, or deidentify your Protected Health Information, then DrugPak may charge you for its reasonable time to return, destroy, or deidentify your Protected Health Information.

24. Choice of Law. This Agreement is governed by the laws of the State of Tennessee, without regard to choice of law provisions to the contrary. The exclusive jurisdiction and venue for any actions concerning the enforcement, construction, or interpretation of this Agreement shall be in the Chancery or Circuit Courts of Knox County, Tennessee, or in the Federal District Court for the Eastern District of Tennessee, Northern Division, sitting in Knoxville, Tennessee.

25. Attorney’s Fees. The prevailing party in any action filed under this Agreement or related to DPWeb is entitled to reasonable attorney’s fees and costs.

26. Headings. The headings of the sections of this Agreement are for convenience only, and in no way limit or affect the terms and conditions or the meaning or interpretation of this Agreement.

27. Severability. If any provision of this Agreement is held to be invalid or unenforceable then that provision will be altered or limited such that it is enforceable and corresponds to the original provision as closely as possible. An invalid or unenforceable provision of this Agreement shall not affect the validity of the remaining provisions of this Agreement.

28. Waiver. Waiver by either party of a breach of any provision contained in this Agreement shall not constitute or be construed as a waiver of any succeeding breach of such provision or a waiver of the provision itself.

29. Time To File Lawsuit Or Other Action. You agree to file any lawsuit or other action you may have against DrugPak or its agents, employees, subsidiaries, affiliates or parent companies within one (1) year from the date of the event that caused the loss, damage or liability or be forever barred.

30. Completeness. This Agreement sets forth the entire understanding between you and DrugPak with respect to the matters set forth herein and supersedes all previous agreements and representations with respect to DPWeb.

31. Assignment. Neither party shall assign or otherwise transfer or purport to assign or otherwise transfer this Agreement or any of its rights or obligations hereunder or any part thereof without the prior written consent of the other party, except that DrugPak may assign any of its rights or obligations to any successor-in-interest or to an entity that acquires all or substantially all of its assets, all or a majority of its equity in any form, or to an entity into which such party is merged; provided, however, that the entity to whom the rights and obligations of a party are assigned (the "Successor") shall execute a written instrument whereby the Successor agrees to accept all of the rights and obligations of the assigning party under this Agreement. Any assignment in violation of this Section is null and void.

If you have questions about this Agreement you may contact DrugPak at support@drugpak.com.






EXHIBIT A

BUSINESS ASSOCIATE AGREEMENT


THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is made as of the day you accept the Software Subscription Agreement and is between DrugPak, LLC ("Business Associate") and you ("Covered Entity").

R E C I T A L S:

WHEREAS Covered Entity and Business Associate have entered into a Software Subscription Agreement, pursuant to which Business Associate provides certain services to Covered Entity (individually or collectively, the "Services Agreement"), pursuant to which Business Associate may be considered a "business associate" of Covered Entity as defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including all pertinent regulations issued by the U.S. Department of Health and Human Services (45 C.F.R. Parts 160 and 164), as amended by the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) (collectively, "HIPAA Law");

WHEREAS to carry out its obligations under the Services Agreement, Business Associate may create, maintain, transmit, or receive, on behalf of Covered Entity, Individually Identifiable Health Information, as such term is defined in 45 C.F.R. Part 160 and Subparts A and E of Part 164 (the "Privacy Rule");

WHEREAS the Privacy Rule and 45 C.F.R. Parts 160 and Subparts A and C of Part 164 (the "Security Rule") obligate Covered Entity to enter into a contract with Business Associate to ensure that Business Associate appropriately safeguards such information; and

WHEREAS Covered Entity and Business Associate desire to enter into this Agreement in addition to the Services Agreement in order to enable Covered Entity to satisfy its obligations under the HIPAA Law.

NOW, THEREFORE, for and in consideration of the mutual promises contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

I. DEFINITIONS

1.1 "Breach" shall have the same meaning as the term "breach" in 45 C.F.R. Part 164, Subpart D (the "Breach Notification Rule").

1.2 "Data Aggregation" shall have the same meaning as the term "data aggregation" in the Privacy Rule.

1.3 "Designated Record Set" shall have the same meaning as the term "designated record set" in the Privacy Rule.

1.4 "Disclosure" shall have the same meaning as the term "disclosure" in the Privacy Rule.

1.5 "Discovery" shall have the same meaning as the term "discovery" in 45 C.F.R. § 164.410(a)(2).

1.6 "Electronic Protected Health Information" shall have the same meaning as the term "electronic protected health information" in the Security Rule.

1.7 "Health Care Operations" shall have the same meaning as the term "health care operations" in the Privacy Rule.

1.8 "Individual" shall have the same meaning as the term "individual" in the Privacy Rule and shall include a person who qualifies as a personal representative in accordance with the Privacy Rule.

1.9 "Minimum Necessary" shall have the same meaning as the term "minimum necessary" in the Privacy Rule.

1.10 "Notice of Privacy Practices" shall have the same meaning as the term "notice of privacy practices" in the Privacy Rule.

1.11 "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in the Privacy Rule, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

1.12 "Required by Law" shall have the same meaning as the term "required by law" in the Privacy Rule.

1.13 "Secretary" shall mean the Secretary of the United States Department of Health and Human Services ("HHS").

1.14 "Security Incident" shall have the same meaning as the term "security incident" in the Security Rule.

1.15 "Transaction" shall have the same meaning as the term "transaction" in 45 C.F.R. Parts 160 and 162 (the "Transactions Rule").

1.16 "Unsecured Protected Health Information" shall have the same meaning as the term "unsecured protected health information" in the Breach Notification Rule.

II. OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 Confidentiality. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required by Law.

2.2 Safeguards. Business Associate agrees to use appropriate safeguards and comply, where applicable, with the Security Rule with respect to Electronic Protected Health Information, to prevent the use or disclosure of the Protected Health Information other than as provided for by this Agreement.

2.3 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

2.4 Reporting. Business Associate agrees to promptly report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware, including any Breach of Unsecured Protected Health Information as required by 45 C.F.R. § 164.410.

2.5 Agents and Subcontractors. Business Associate agrees to ensure, in accordance with 45 C.F.R. § 164.502(e)(1)(ii), that any agents, including without limitation subcontractors, that create, receive, maintain or transmit protected health information on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such information.

2.6 Access and Amendment. Business Associate agrees to provide access, within five (5) days of receiving a written request from Covered Entity, to Protected Health Information in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 within five (5) days of receiving written notice from Covered Entity. In the event an Individual requests such access or amendment directly from Business Associate, Business Associate shall promptly forward such request to Covered Entity within five (5) days.

2.7 Performing Obligations of Covered Entity. To the extent that Business Associate is to carry out any obligation of Covered Entity under the Privacy Rule, Business Associate agrees to comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.

2.8 Books and Records. Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information available to (i) Covered Entity, upon written request, and (ii) the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s and/or Business Associate’s compliance with the Privacy Rule. If the Secretary requests such access, Business Associate shall promptly notify Covered Entity and shall consult and cooperate with Covered Entity concerning the proper response to such request. Notwithstanding the foregoing, nothing in this section shall impose upon Covered Entity any obligation to review Business Associate’s practices, books or records.

2.9 Accounting. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528. Business Associate agrees to provide to Covered Entity, within fifteen (15) days of receiving a written request from Covered Entity, information collected in accordance with this section to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528. In the event an Individual requests an accounting of disclosures of Protected Health Information directly from Business Associate, Business Associate will forward such request to Covered Entity within five (5) days.

2.10 Uses and Disclosures Required by Law. Except to the extent prohibited by law, Business Associate shall immediately notify Covered Entity if it receives a request for disclosure of Protected Health Information with which Business Associate believes it is Required by Law to comply and disclose pursuant to which would not otherwise be permitted by this Agreement. Business Associate shall provide Covered Entity with a copy of such request, shall consult and cooperate with Covered Entity concerning the proper response to such request.

2.11 Electronic Protected Health Information. With regard to Protected Health Information which is Electronic Protected Health Information (as defined in the Security Rule), Business Associate shall: (i) comply with the applicable requirements of the Security Rule and develop, document, implement, maintain, and use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of such information; (ii) in accordance with 45 C.F.R. § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit Electronic Protected Health Information on behalf of Business Associate agree to comply with the applicable requirement of the Security Rule by entering into a contract or other arrangement that complies with 45 C.F.R. § 164.314; and (iii) report to Covered Entity any Security Incident of which Business Associate becomes aware, including any Breach of Unsecured Protected Health Information as required by 45 C.F.R. § 164.410. Business Associate’s obligations under this Section are in addition to its other obligations set forth in Section 2 of this Agreement.

2.12 Reporting.

(a) Within two (2) business days of Discovery, Business Associate will report to Covered Entity any use or disclosure of Covered Entity’s PHI that is not permitted by this Agreement. Without unreasonable delay, and in any event no later than five (5) days after Discovery, Business Associate shall provide Covered Entity with written notification that includes: (i) a description of the Breach, (ii) to the extent possible, the identification of each Individual whose Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during the Breach, and (iii) any other available information that Covered Entity is required to include in notifications to Individuals under 45 C.F.R. § 164.404(c) at the time of the written notification or promptly thereafter as information becomes available. Further, Business Associate will provide Covered Entity any additional information required under the HITECH Act and its implementing regulations, as amended from time to time.

(b) Immediately following Discovery, but in no event later than two (2) business days, Business Associate will report to Covered Entity any suspected or actual Breach of Unsecured Protected Health Information, any suspected or actual disclosure or inappropriate access of Covered Entity’s information, or any Security Incident.

2.13 HITECH Act. Business Associate and Covered Entity agree that to the extent not incorporated or referenced in this Agreement, other requirements under the HITECH Act (as well as any other requirements under HIPAA) that apply to business associates and that are required to be incorporated by reference in a business associate agreement are incorporated into this Agreement as if set forth in this Agreement in their entirety and are effective as of the applicable date for each such requirement on which HHS will require business associates to comply with such requirement. Business Associate shall comply with the obligations of a business associate as prescribed by the HIPAA Law and the HITECH Act, commencing on such applicable date of each such requirement.

III. PERMITTED USES AND DISCLOSURES

3.1 Use or Disclosure to Provide Services Under the Services Agreement. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Services Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

3.2 Use or Disclosure for Business Associate’s Management and Administration. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for its proper management and administration or to carry out its legal responsibilities. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for its proper management and administration, provided that such disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.3 Use or Disclosure to Provide Data Aggregation Services. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).

3.4 De-Identification of Protected Health Information. Business Associate may de-identify any and all Protected Health Information provided that de-identification conforms to the requirements of the Privacy Rule. The parties acknowledge and agree that data that is de-identified in accordance with the Privacy Rule is not Protected Health Information under the terms of this Agreement. Business Associate shall not sell any Protected Health Information without the express consent of Covered Entity. Deidentification consists of removing the following information from Protected Health Information:

(a) Names;

(b) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(c) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(d) Telephone numbers;

(e) Fax numbers;

(f) Electronic mail addresses;

(g) Social security numbers;

(h) Medical record numbers;

(i) Health plan beneficiary numbers;

(j) Account numbers;

(k) Certificate/license numbers;

(l) Vehicle identifiers and serial numbers, including license plate numbers;

(m) Device identifiers and serial numbers;

(n) Web Universal Resource Locators (URLs);

(o) Internet Protocol (IP) address numbers;

(p) Biometric identifiers, including finger and voice prints;

(q) Full face photographic images and any comparable images; and

(r) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section. 45 C.F.R. § 164.514(b)(2).

3.5 Minimum Necessary Uses, Disclosures and Requests. Subject to the exceptions described in 45 C.F.R. §164.502(b)(2), Business Associate must make reasonable efforts to limit Protected Health Information to the minimum necessary to accomplish the intended purpose of a use, disclosure or request otherwise permitted by this Agreement, as required by the Privacy Rule.

IV. RESPONSIBILITIES OF COVERED ENTITY

4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) of which it is aware in the notice of privacy practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.

4.2 Change or Revocation of Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information of which Covered Entity is aware, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.

4.3 Restrictions on Use or Disclosure. Covered Entity shall notify Business Associate of any restriction, of which Covered Entity is aware, to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.

V. IMPERMISSIBLE REQUESTS BY COVERED ENTITY

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

VI. TERM AND TERMINATION

6.1 Term. The term of this Agreement shall be effective as of the date of the Services Agreement and shall expire when all of the Protected Health Information is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in Section 6.3 of this Agreement.

6.2 termination. Upon Covered Entity’s knowledge of a material breach or violation of this Agreement by Business Associate, Covered Entity may either: (i) provide an opportunity for Business Associate to cure the breach or end the violation and terminate, without penalty, this Agreement and the Services Agreement if Business Associate does not cure the breach or end the violation within forty-five (45) days of receiving notice of such breach or violation from Covered Entity; or (ii) immediately terminate, without penalty, this Agreement and the Services Agreement if Business Associate has breached or violated a material term of this Agreement and Covered Entity reasonably determines that cure is not feasible.

6.3 Return or Destruction of Protected Health Information Upon Termination.

(a) Except as provided in (b) below, upon termination for any reason of this Agreement, Business Associate shall return or destroy all Protected Health Information, including such information in the possession of subcontractors or agents of Business Associate, and shall certify to Covered Entity in writing and provide satisfactory evidence that Business Associate has fully accomplished the same. Business Associate shall retain no copies of the Protected Health Information.

(b) In the event Business Associate determines that returning or destroying such Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall then extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

VII. MODIFICATIONS TO COMPLY WITH STANDARDS

Covered Entity and Business Associate agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Law, the HITECH Act, and any other applicable law.

VIII. MISCELLANEOUS

8.1 Organizational Representations. Each party represents and warrants to the other party that:

(a) It is duly organized, validly existing and in good standing under the laws of the jurisdiction in which it is organized or licensed;

(b) It has the full power to enter into this Agreement and to perform its obligations described in this Agreement;

(c) The performance by it of its obligations hereunder have been duly authorized by all necessary corporate or other actions and will not violate any provision of any charter or bylaws or similar organizational or governing document;

(d) Neither the execution of this Agreement by such party nor its performance hereunder will directly or indirectly violate or interfere with the terms of any other agreement to which it is a party or give any governmental entity the right to suspend, terminate or modify any of its governmental authorizations or assets required for its performance;

(e) Its employees, agents, representatives and members of its workforce, whose services may be used to fulfill obligations under this Agreement, are or shall be appropriately informed of the terms of this Agreement and are under legal obligations, by contract or otherwise, sufficient to enable such party to fully comply with all provisions of this Agreement; and

(f) It will reasonably cooperate with the other party in the performance of the mutual obligations under this Agreement.

8.2 Regulatory References. A reference in this Agreement to a section in the Privacy Rule, the Security Rule, the HITECH Act, or any other section promulgated under HIPAA means the section as in effect or as amended.

8.3 Survival. Any provision of this Agreement which by its terms imposes an obligation which continues following termination of this Agreement shall survive the termination of this Agreement and shall continue to be binding on the parties.

8.4 Injunctive Relief. Business Associate understands and acknowledges that any use or disclosure of Protected Health Information in violation of this Agreement will cause Covered Entity irreparable harm, the amount of which may be difficult to ascertain, and therefore agrees that Covered Entity shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further use or disclosure and for such other relief as Covered Entity shall deem appropriate. Such right of Covered Entity is to be in addition to the remedies otherwise available to Covered Entity at law or in equity. Business Associate expressly waives the defense that a remedy in damages will be adequate and further waives any requirement in an action for specific performance or injunction for the posting of a bond by Covered Entity.

8.5 Interpretation; Entire Agreement; Amendment; Waiver. The headings of sections in this Agreement are for reference only and shall not affect the meaning of this Agreement. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with HIPAA and/or the HITECH Act. With respect to the subject matter of this Agreement, this Agreement supersedes all previous contracts by and between the parties and, together with the Services Agreement, constitutes the entire agreement between the parties. In the event that a provision of this Agreement conflicts with a provision of the Services Agreement, the provision of this Agreement shall control; provided, however, that to the extent that any provision within the Services Agreement imposes more stringent requirements than that required in the Agreement, the parties agree to adhere to the terms of the Services Agreement. Otherwise, this Agreement shall be construed under, and in accordance with, the terms of the Services Agreement. This Agreement may be amended only by written agreement between the parties. The failure of either party to enforce at any time any provision of this Agreement shall not be construed as a waiver of such provision, nor in any way affect the validity of this Agreement or the right of either party thereafter to enforce each as every such provision. Waiver of a breach of any provision of this Agreement shall not be deemed a waiver of any other breach of the same or any different provision.

8.6 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors and assigns of the parties any rights, remedies, obligations, or liabilities whatsoever.

8.7 Notices. Any notice required or permitted under this Agreement shall be given in writing and delivered by electronic mail or facsimile with confirmation of receipt, by hand, by nationally recognized overnight delivery service or by registered or certified mail, postage pre-paid and return receipt requested, to the following:

Covered Entity: Address provided when registering

Business Associate:
DrugPak, LLC
P.O. Box 51174
Knoxville, Tennessee 37950


Notice of a change in address of one of the parties shall be given in writing to the other party as provided above. All notices shall be effective upon receipt.

8.8 Assignment; Binding Effect. No assignment of the rights or obligations of either party under this Agreement shall be made without the express written consent of the other party, which consent shall not be unreasonably withheld. This Agreement shall be binding upon and shall inure to the benefit of the parties, their respective successors and permitted assignees.

8.9 Severability. If any provision of this Agreement is rendered invalid or unenforceable by the decision of any court, arbitrator or administrative body, such invalid or unenforceable provision shall be severed from this Agreement and all other provisions of this Agreement shall remain in full force and effect.