213 - Sample Data Use Agreement

DATA USE AGREEMENT

For Limited Data Sets

Version: 05-Jun-2023

This Data Use Agreement (“Agreement”), effective after developing a Researcher account (“Effective Date”), is entered into by and between Geno.Me users (“Recipient”) and Geno.Me, Inc. (“Covered Entity”). The purpose of this Agreement is to provide Recipient with access to a Limited Data Set (“LDS”) for use in the following titled research project: Researching population health data in accord with HIPAA Regulations.

1. Definitions. Unless otherwise specified in this Agreement, all capitalized terms used in this Agreement not otherwise defined have the meaning established for purposes of the “HIPAA Regulations” codified at Title 45 parts 160 through 164 of the United States Code of Federal Regulations, as amended from time to time.

2. Preparation of the LDS. Covered Entity shall prepare and furnish to Recipient a LDS in accord with the HIPAA Regulations. NOTICE: This agreement is valid only if the Data do not include any of the following “Prohibited Identifiers”: Names; postal address information other than town, cities, states and zip codes; telephone and fax numbers; email addresses, URLs and IP addresses; social security numbers; certificate and license numbers; vehicle identification numbers; device identifiers and serial numbers; biometric identifiers (such as voice and fingerprints); and full face photographs or comparable images.

3. Minimum Necessary Data Fields in the LDS. In preparing the LDS, Covered Entity or its Business Associate shall include the data fields specified by the parties from time to time, which are the minimum necessary to accomplish the purposes set forth in Section 5 of this Agreement.

4. Responsibilities of Recipient.

Recipient agrees to:

a. Use or disclose the LDS only as permitted by this Agreement or as required by law;

b. Use appropriate safeguards to prevent use or disclosure of the LDS other than as permitted by this Agreement or required by law;

c. Report to Covered Entity any use or disclosure of the LDS of which it becomes aware that is not permitted by this Agreement or required by law, including the presence of prohibited identifiers in the LDS;

d. Require any of its subcontractors or agents that receive or have access to the LDS to agree to the same restrictions and conditions on the use and/or disclosure of the LDS that apply to Recipient under this Agreement; and

e. Not use the information in the LDS, alone or in combination to identify or contact the individuals who are data subjects.

5. Permitted Uses and Disclosures of the LDS. Recipient may use and/or disclose the LDS only for the Research described in this Agreement or as required by law.

6. Term and Termination.

a. Term. The term of this Agreement shall commence as of the Effective Date and terminate 5 years from Effective Date. Should the Recipient desire to keep the LDS for a longer period, a justification in writing should be made to the Covered Entity.

b. Termination by Recipient. Recipient may terminate this agreement at any time by notifying the Covered Entity and returning or destroying the LDS.

c. Termination by Covered Entity. Covered Entity may terminate this agreement at any time by providing thirty (30) days prior written notice to Recipient.

d. For Breach. Covered Entity shall provide written notice to Recipient within ten (10) days of any determination that Recipient has breached a material term of this Agreement. Covered Entity shall afford Recipient an opportunity to cure said alleged material breach upon mutually agreeable terms. Failure to agree on mutually agreeable terms for cure within thirty (30) days shall be grounds for the immediate termination of this Agreement by Covered Entity.

e. Effect of Termination. Sections 1, 4, 5, 6(e) and 7 of this Agreement shall survive any termination of this Agreement under subsections c or d.

7. Miscellaneous.

a. Change in Law. The parties agree to negotiate in good faith to amend this Agreement to comport with changes in federal law that materially alter either or both parties’ obligations under this Agreement. Provided however, that if the parties are unable to agree to mutually acceptable amendment(s) by the compliance date of the change in applicable law or regulations, either Party may terminate this Agreement as provided in section 6.

b. Construction of Terms. The terms of this Agreement shall be construed to give effect to applicable federal interpretative guidance regarding the HIPAA Regulations.

c. No Third Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

d. Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

e. Trademarks. Information provided by Covered Entity is property of Geno.Me, Inc. and is not permitted for resell. Covered Entity agrees to not retaliate against Covered Entity

IN WITNESS WHEREOF, each of the consenting parties has caused this Agreement to be duly executed in its name and on its behalf.

Additional Terms and Conditions:

1. The Data is Protected Health Information (“PHI”) as that term is defined by HIPAA, in 45 C.F.R. §160.103 (and not a Limited Data Set).

Since checked, the Data is covered under a Certificate of Confidentiality, which must be asserted against compulsory legal demands, such as court orders and subpoenas for identifying information or characteristics of a research participant.

2. Nothing herein will authorize the Recipient to use or further disclose the Data in a manner that would violate the requirements applicable to the Provider under 45 CFR 164.514.

3. Notwithstanding any term to the contrary in this Agreement, the Provider has full authority to share the Data with the Recipient and has confirmed that the Project is consistent with such consents or authorizations, if any, that the Provider has obtained from individuals who are the subjects of the Data.

4. Unless otherwise required by law or legal process, the Recipient will not use or further disclose the Data other than as permitted by this Agreement. If the Recipient believes it is required by law or legal process to use or disclose the Data, it will promptly notify the Provider, to the extent allowed by law, prior to such use or disclosure and will disclose the least possible amount of the Data necessary to fulfill its legal obligations.

5. The Recipient will not use the Data, either alone or in concert with any other information, to make any effort to contact individuals who are the subjects of the Data without appropriate IRB approval, specific written approval from the Provider, and informed consent and authorization from the subject or a waiver, if required.

6. The Recipient will implement reasonable safeguards, sufficient to meet the standards of 45 CFR§164.530(c), to limit incidental, and avoid prohibited, uses and disclosures of the Data, and to ensure that only Authorized Persons have access to the Data.

7. The Recipient agrees to remove and securely destroy or return, as directed by the Provider in Attachment 1, the part or parts of the Data that identifies the individual who is the subject of the Data at the earliest time at which removal and destruction or return can be accomplished, consistent with the purpose of the Project.

8. By acknowledging this Agreement, the Recipient provides assurance that its relevant institutional policies and applicable federal, state, or local laws and regulations (if any) have been followed, including the completion of any IRB review or approval that may be required prior to the Recipient’s use of the Data. Upon the Provider’s written request to the Recipient’s Contact for Formal Notices identified in the signature block of this Agreement, the Recipient will provide documentation of its IRB approved Protocol.