Special Advisor Agreement
This special advisor agreement (the “Agreement”), effective April 1, 2025 (“Effective Date”) by and between Christopher Smith (“Advisor”), an individual whose address is 17409 Via Lugano Court, Miramar Lakes, Florida 33913 and NeoGenomics Laboratories, Inc., a Florida corporation with its principal office located at 9490 NeoGenomics Way, Fort Myers, FL 33912 together with its affiliates, including NeoGenomics, Inc., and subsidiaries (“NeoGenomics” or the “Company”).
RECITALS
WHEREAS, NeoGenomics provides a wide range of oncology diagnostic testing and consultative services which includes technical laboratory services and professional interpretation of laboratory test results by licensed physicians who specialize in pathology and oncology (collectively, the “Business”), and
WHEREAS, Advisor is an executive and professional with specialized knowledge regarding the Company, its business, and its industry; and
WHEREAS, Advisor is willing to provide his professional expertise and knowledge in those areas required or desired by NeoGenomics; and
WHEREAS, NeoGenomics desires to contract with Advisor for the rendition and performance of such professional services, as more fully described in this Agreement, and Advisor agrees to render and perform such services on an independent contractor basis to NeoGenomics, on the terms and conditions set forth in this Agreement; and
NOW, THEREFORE, in consideration of the foregoing recitals, which are hereby incorporated into this Agreement as an integral part hereof, and the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, NeoGenomics and Advisor, intending to be legally bound, hereby agree as follows:
1. Term of Engagement. The Agreement shall commence on the Effective Date of this Agreement and continue until February 26, 2027 (the “Term”).
2. Services. During the Term, Advisor will be responsible for providing professional strategic advisory consulting services (collectively, the “Services”), as more fully described in Exhibit A attached hereto.
3. Agreements of NeoGenomics. Pursuant to this Agreement, NeoGenomics agrees to the following:
a. Provide such information that may be necessary for the provision of the Services by Advisor; and
b. Provide such other support as Advisor may reasonably request in order for Advisor to perform his duties as outlined in paragraph 2 of the Agreement and Exhibit A attached hereto.
4. Compensation and Expenses. In consideration for the Services rendered by Advisor to NeoGenomics throughout the Term, the Company shall compensate Advisor in accordance with the terms set forth in Exhibit B attached hereto.
5. Arm’s-length Compensation. The parties hereto agree that the compensation provided herein has been determined in arm’s-length bargaining and is consistent with fair market value in arm’s-length transactions. Furthermore, the compensation is not and has not been determined in a manner that takes into account the volume or value of any referrals or business otherwise generated between the parties for which payment may be made in whole or in part under Medicare or any other federal or state health care program or any other third party payor program.
6. Termination. This Agreement shall terminate on February 26, 2027 (the “Termination Date”). Advisor shall have the right to terminate this Agreement at any time during the Term by giving written notice to the Company at least thirty (30) days prior to the date of such termination. During the Term of this Agreement, in the event Advisor materially breaches Section 7 of this Agreement and after providing written notice thereof to the Advisor and allowing the Advisor thirty (30) days to cure such breach, if so curable, the Company shall have the right to terminate this Agreement by giving written notice to Advisor at least thirty (30) days prior to the date of such termination. Upon any termination, Advisor agrees to cease all representation on behalf of the Company, including, but not limited to representations to the Company’s customers that Advisor is acting on behalf of the Company in any capacity; provided, however the Advisor agrees to answer any reasonable follow-up inquiries from customers or the Company for matters on which he has previously reported or been involved.
7. Confidentiality and Non-Disclosure Agreement.
a) The term “Confidential Information” as used herein shall mean any and all information of the Company that is not generally available to the public, including (i) any information regarding customer lists and prospective customer lists; specific information on customers and prospective customers (including information on preferences, credit information, and pricing); customer contracts; other corporate contracts; marketing strategies, programs, plans and methods; promotional programs, plans, and methods; pricing policies, product strategies and methods of operation and other business methods; expansion plans, including existing and entry into new geographic and/or product markets; business policies and strategies; business forecasts, financial data, costs, sales and revenue reports, and any analyses not publicly disclosed; confidential information about employees, officers, directors and other representatives of the Company; other information which enables the Company to compete successfully; terms and conditions under which the Company deals with vendors and suppliers or prospective vendors or suppliers; Personal Information and Protected Health Information; the Company’s billing rates, pricing lists (including item and customer specific pricing information); facilities information, designs, trademarks, graphics, insignia, fascia, slogans, drawings, or other commercial symbols; trade secrets; license agreements; proprietary sales and utilization methods and techniques; proprietary compositions, ideas and improvements; pricing methods and strategies; computer programs, computer systems, computer data, system documentation, special hardware, product hardware, related software development and computer software design and/or improvements, computer disks or other computer storage medium, data, models or any other photographic or other tangible materials; market feasibility studies; documentation, marketing, and business needs of customers, potential and/or vendors; 
inventions; future the Company business plans; project files; design systems; information on current and potential vendors including, but not limited to, their identity, pricing, and purchasing information not generally known; correspondence, letters, notes, notebooks, reports, flowcharts, proposals, processes, spreadsheets, memoranda, files; and/or all other confidential or proprietary information belonging to the Company or relating to the Company’s business and/or affairs; (ii) any information that is of value or significance to the Company that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, including information not generally known to the competitors of the Company nor intended by the Company for general dissemination; and (iii) any information received by the Company from any Person with any understanding, express or implied, that it will not be disclosed. Confidential Information shall not include any information that enters the public domain, other than as a result of unauthorized disclosure by Advisor or otherwise through a breach of Advisor’s obligations under this Agreement.
b) In the event that Advisor is requested or required (by oral questions, interrogatories, requests for information or documents, subpoenas, civil investigative demands or similar processes) to disclose or produce any Confidential Information furnished in the course of its dealings with the other party or its affiliates, advisors or representatives, it is agreed that the Advisor will (i) provide the Company with prompt notice thereof and copies, if possible, and, if not, a description, of the Confidential Information requested or required to be disclosed or produced so that the Company may seek an appropriate protective order or waive compliance with the provisions of this Agreement and (ii) consult with the Company as to the advisability of the Advisor taking of legally available steps to resist or narrow such request. It is further agreed that, if in the absence of a protective order or the receipt of a waiver hereunder the Advisor is nonetheless, in the written opinion of its legal counsel, compelled to disclose or produce Confidential Information concerning the Company to any tribunal or to stand liable for contempt or suffer other censure or penalty, the Advisor may disclose or produce such Confidential Information to such tribunal without liability hereunder; provided, however, that the Advisor shall give the Company written notice of the Confidential Information to be so disclosed or produced as far in advance of its disclosure or production as is practicable and shall use its best efforts to obtain, to the greatest extent practicable, an order or other reliable assurance that confidential treatment will be accorded to such Confidential Information so required to be disclosed or produced.
c) Advisor acknowledge(s) that this "Confidential Information" is of value to the Company by providing it with a competitive advantage over its competitors, is not generally known to competitors of the Company, is not information easily available to the public, and is not intended by the Company for general dissemination. Advisor acknowledges that this "Confidential Information" derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use and is the subject of reasonable efforts to maintain its secrecy. Therefore, the parties agree that all "Confidential Information" under this Agreement constitutes “Trade Secrets” under the law of any state in which the Advisor provides services to the Company or, in the absence of any such definition, as defined in the Uniform Trade Secrets Act.
d) Duty of Confidentiality. All Confidential Information is considered highly sensitive and strictly confidential. Accordingly, upon receiving any Confidential Information, Advisor agrees that all Confidential Information which Advisor will create or to which Advisor has access as a result of Advisor’s provision of the Services and other associations with the Company is and will remain the sole and exclusive property of the Company. Advisor agrees that, except as required for the performance of the Services, as expressly authorized in writing in advance by a duly authorized officer of the Company, or as required by applicable law, Advisor will never at any time, either during or after the Term of this Agreement, directly or indirectly, use, publish, disseminate, distribute or otherwise disclose any Confidential Information to any other person or entity. Advisor agrees to take all steps necessary, and all steps requested by the Company, to ensure that the Confidential Information is kept secret and confidential and for the sole use and benefit of the Company and to comply with all applicable policies and procedures of the Company regarding the storage and security of all Confidential Information whether in hard copy form or stored on computer disks or other electronic media. Such policies and procedures may include, but not be limited to, a prohibition against Advisor sending any Company document to a personal e-mail account or using any removable media, such as a flash or external drive, absent explicit written permission from the Company. Advisor acknowledges that Advisor shall bear all costs, losses, and damages resulting from any intentional breach of this Section 7, to the fullest extent permitted by applicable law.
8. Return of Property. Upon the termination of this Agreement, regardless of why the Agreement terminates, Advisor shall return to the Company and/or certify that it has been deleted from Advisor’s computer all property owned by the Company and all Confidential Information indicated by the Company as well as any other Confidential Information that Advisor is aware that he has, in whatever form it exists, including all copies thereof. The Company agrees that so long as Advisor has made a good faith effort to return all such property and Confidential Information, Advisor shall be deemed to have complied with these provisions. The Company may at anytime call to Advisor’s attention that it has not yet received certain additional Confidential Information and Advisor shall promptly search for such additional Confidential Information and return it to the Company. The Company agrees that Advisor may delete any information that is proprietary to Advisor that may be contained within the Company’s Confidential Information prior to Advisor returning it to the Company.
9. Privacy and Security. The parties shall protect the privacy and confidentiality and provide for the security of all protected health information (“PHI”), as that term is defined in and in accordance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the privacy and security regulations promulgated thereunder at 45 C.F.R. parts 160 through 164 (“HIPAA”), and all other applicable federal and state laws and regulations. Notwithstanding the foregoing, each party shall provide the other party with such information as reasonably necessary to perform their respective obligations under this Agreement. In addition, as the Company is a “covered entity,” as that term is defined under HIPAA and, as PHI may be exchanged between the parties under this Agreement, Advisor agrees to be bound by and comply with the separate Business Associate Agreement attached hereto as Exhibit C and incorporated herein by reference (“Business Associate Agreement”).
10. Change of Control. In the event that the Company undergoes a Change of Control during the Term of this Agreement, this Agreement shall survive until termination of the Term. The term “Change of Control” for purposes of this Agreement means the occurrence of any of the following events: (a) any “person” or “group” (as defined in Section 13(d) and 14(d) of the Exchange Act) together with their affiliates become the ultimate “beneficial owner” (as defined in Rule 13d-3 of the Exchange Act) of voting stock of the Company representing more than fifty percent (50%) of the voting power of the total voting stock of the Company, or (b) the consummation of a merger or consolidation of the Company with any other corporation or entity regardless of which entity is the survivor, other than a merger or a consolidation which would result in the voting stock of the Company outstanding immediately prior thereto continuing to represent (either by remaining outstanding or being converted into voting securities of the surviving entity or the parent thereof) at least fifty percent (50%) of the combined voting power of the voting securities of the Company or such surviving entity or the parent thereof, outstanding immediately after such merger or consolidation, or (c) the stockholders of the Company approve a plan of complete liquidation or winding up of the Company or an agreement for the sale or disposition by the Company of all or substantially all of the Company’s assets, or (d) during any period of two (2) consecutive years, individuals who at the beginning of such period constitute the Board, and any new member of the Board (other than a member of the Board designated by a person who has entered into an agreement with the Company to effect a transaction described in subsections (a), (b), or (c) of this Section 13 whose election by the Company’s shareholders was approved by a vote of at least two-thirds (2/3) of the members of the Board at the beginning of the period or whose election or nomination for election was previously so approved, cease for any reason to constitute at least a majority thereof.
11. Miscellaneous.
a) With the exception of the Retirement Agreement and General Release of Claims dated January 8, 2025 (attached hereto as Exhibit D) and the Confidentiality, Non-solicitation and Non-compete Agreement dated August 15, 2022 (attached hereto as Exhibit E) executed between the Advisor and the Company, this Agreement supersedes all prior agreements and understandings between the parties and may not be modified or terminated orally. Except as otherwise provided in this paragraph, the Advisor hereby waives any claims that it might have under any previous oral or other contract. No modification or attempted waiver of this Agreement will be valid unless in writing and signed by the party against whom the same is sought to be enforced.
b) The provisions of this Agreement are separate and severable, and if any of them is declared invalid and/or unenforceable by a court of competent jurisdiction or an arbitrator, the remaining provisions shall not be affected.
c) If a court of competent jurisdiction determines that any of the restrictions against disclosure of Confidential Information, and/or solicitation contained in this Agreement are invalid in whole or in part due to over breadth, whether geographically, temporally, or otherwise, such court is specifically authorized and requested to reform such provision by modifying it to the smallest extent necessary to render it valid and enforceable, and to enforce the provision as modified.
d) This Agreement is the joint product of the Company and the Advisor, and each provision hereof has been subject to the mutual consultation, negotiation and agreement of the Company and the Advisor and shall not be construed for or against either party hereto.
e) This Agreement will be governed by and construed in accordance with the provisions of the law of the State of Florida, without reference to provisions that refer a matter to the law of any other jurisdiction. Each party hereto hereby irrevocably submits itself to the exclusive personal jurisdiction of the federal and state courts sitting in Lee County, Florida; accordingly, any matters involving the Company and the Advisor with respect to this Agreement may be adjudicated only in a federal or state court sitting in Lee County, Florida.
f) All notices and other communications required or permitted under this Agreement shall be in writing, and shall be deemed properly given if delivered personally, mailed by registered or certified mail in the United States mail, postage prepaid, return receipt requested, sent by facsimile, or sent by Express Mail, Federal Express or nationally recognized express delivery service, as follows:
(i) If to the Company, at the address listed at the preamble to this Agreement or its then primary executive offices to the attention of the General Counsel; and
(ii) If to the Advisor, at the address listed at the preamble to this Agreement or the Advisor’s primary legal residence which is listed at the signature block of this agreement. Should this address change, the Advisor agrees to promptly notify the Company of such change.
Notice given by hand, certified or registered mail, or by Express Mail, Federal Express or other such express delivery service, shall be effective upon actual receipt. Notice given by facsimile transmission shall be effective upon telephonic confirmation of receipt by the party to whom it is addressed. All notices by facsimile transmission shall be followed up promptly after transmission by delivering an original copy by hand, certified or registered mail, or by Express Mail, Federal Express or other such delivery service. Any party may change any address to which notice is to be given to it by giving notice as provided above of such change of address.
g) The parties agree that the Advisor is acting as an independent contractor under current Internal Revenue Service guidelines in the provision of services under this Agreement and that the Advisor shall be solely responsible for paying all taxes due on any Compensation hereunder. The Advisor understands and acknowledges that all Compensation hereunder is taxable to the Advisor and the Company has an affirmative obligation to report such amounts of Compensation on Form 1099 to the Internal Revenue Service each year. The Advisor agrees to provide its tax identification number in the signature block below. Advisor understands that the Company has no obligation to Advisor under state or federal laws regarding employee liability and that Advisor will have no right to any benefits provided by the Company from time to time to its employees, including medical or health benefit plans, pension, retirement, savings or similar plans or any other employee benefit plans of the Company. Advisor understands and agrees that: (a) Advisor will not be treated as an employee for purposes of the Federal Insurance Contributions Act, the Social Security Act, the Federal Unemployment Tax Act, income tax withholding and applicable state laws including those pertaining to worker’s compensation, unemployment compensation and state income tax withholding; and (b) information returns will be filed with the appropriate federal and state taxing authorities indicating Advisor’s status as an independent contractor and reporting income paid to Advisor as required by law.
h) It is understood by and between the parties hereto that the covenant set forth in Sections 7 is an essential element of this Agreement. Such covenants by Advisor shall be construed as agreements independent of any other provision of this Agreement. The existence of any claim or cause of action of Advisor against the Company, whether predicated on this Agreement or otherwise, shall not constitute a defense to the enforcement by the Company of such covenants.
i) This Agreement may be signed in counterparts, and by fax or Adobe Acrobat PDF file, each of which shall be an original, with the same effect as if the signatures thereto and hereto were upon the same instrument.
IN WITNESS WHEREOF, the parties have executed this Agreement on the day and year first set forth above.
NEOGENOMICS LABORATORIES, INC.:
By: __/s/ Jeffrey Sherman___________________________
Name: Jeffrey Sherman
Title: Chief Financial Officer
ADVISOR:
_/s/ Christopher Smith_____________________
Christopher Smith
EXHIBIT A
DESCRIPTION OF DUTIES AND SERVICES
In accordance with the terms and conditions of the Special Advisor Agreement between Christopher Smith (“Advisor”) and NeoGenomics Laboratories, Inc. and its affiliates (“Company”) and Section 2 therein, this Exhibit A describes the duties and services (the “Services”) the Advisor shall perform under the Agreement.
1. Provide professional strategic, advisory services to the Company under the direction of the Company’s Chief Executive Officer (“CEO”).
2. Participate in meetings and telephone conferences, as needed, with the CEO and other Company personnel to facilitate the provision of Services.
3. Such other activities as may be needed by the CEO at the expense of the Company. The spirit of this section is to try and account for other activities or issues that have not been addressed or identified in paragraphs (1) through (2) above.
EXHIBIT B
COMPENSATION FOR SERVICES
In accordance with the terms and conditions of the Consulting Agreement between Christopher Smith (“Advisor”) and NeoGenomics Laboratories, Inc. and its affiliates (“Company”) and Section 4 therein, this Exhibit B sets forth the compensation to be paid by the Company to the Advisor for the provision of the Services described in Exhibit A and Section 2 of the Agreement.
1. The Company agrees to pay Advisor $23,913.04 per month for the provision of Services set forth in Section 2 of the Agreement and Exhibit A attached hereto. Such payments will be made monthly within thirty (30) days of the end of the month for which Services were provided. Advisor agrees to prepare an invoice periodically, no more frequently than monthly, for all Services rendered on behalf of the Company during any given month of providing such Services.
2. In addition to any compensation payable hereunder, the Company shall also reimburse Advisor for all expenses reasonably incurred by her in connection with the Services performed on behalf of the Company under the Agreement including, but not limited to, airfare, hotel, rental car, food, and associated expenses, upon providing the original receipts and an expense report for such expenses in accordance with the Company’s standard expense reimbursement policy then in effect. Advisor agrees to seek prior written approval from NeoGenomics before incurring expenses in excess of $1,000.00 in any given month.
3. Except as may be set forth in this Exhibit B and the Agreement, each party shall be responsible for its own costs and expenses incurred in connection with this Agreement. Each party shall also bear and be responsible for paying any sales, use, or other federal, state, or local taxes it incurs as a direct or indirect result of entering into this Agreement.
EXHIBIT C
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”), effective on the last signature date below, is entered into by and between NeoGenomics Laboratories, Inc., a Florida corporation (“Covered Entity”), on behalf of itself and its affiliates with a principal place of business at 9490 NeoGenomics Way, Fort Myers, Florida 33912 and
(“Business Associate”) with its principal place of business at
(each a “Party” and collectively the “Parties”).
Type of Service(s) Provided by the Business Associate:
BACKGROUND AND PURPOSE. The Parties have entered into, and may in the future enter into, one or more agreements (the “Underlying Contract(s)”), that require Business Associate to perform a service, function or activity involving the Use or Disclosure of PHI (as defined in Section 2), that is pursuant to this Agreement and subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), and the privacy and security regulations promulgated thereunder (45 C.F.R. Parts 160 and 164) (the “Privacy Regulations” and the “Security Regulations”); and the requirements of Subtitle D (Privacy) of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and the implementing regulations, that apply to covered entities and business associates (“HITECH”), beginning on the date each applicable provision is specified to take effect. These laws and regulations shall collectively be referred to as the “Privacy Obligations”. This Agreement shall supplement and/or amend each of the Underlying Contract(s) only with respect to Business Associate’s receipt, Use, Disclosure, and creation of PHI under the Underlying Contract(s) to allow both Parties to comply with the Privacy Obligations and other laws applicable to the privacy and security of health information.
DEFINITIONS. Capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as the meaning ascribed to those terms in the Privacy Obligations in effect or as amended.
“ePHI” means PHI (as defined in Section 2.2) transmitted by or maintained in Electronic Media.
“PHI” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. § 160.103, limited to information created or received by Business Associate from or on behalf of Covered Entity, including, but not limited to ePHI.
OBLIGATIONS OF BUSINESS ASSOCIATE. To assure that the Covered Entity and Business Associate may achieve and maintain compliance with the requirements of the Privacy Obligations, Business Associate agrees to:
Not use or Disclose PHI received from Covered Entity in any manner that would constitute a violation of the Privacy Regulations if done by Covered Entity. No other Use or Disclosure of PHI by Business Associate is permissible, unless approved in writing by Covered Entity. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI received from or on behalf of Covered Entity, except as permitted by HITECH § 13405(d) and any implementing regulations that may be promulgated or revised from time to time, including, but not limited to, 45 C.F.R. §§ 164.502(a)(5)(ii) and 164.508(a)(4).
Not Use or Disclose PHI other than as permitted or required by this Agreement, the Underlying Contract(s) or as required by law. Business Associate may: (1) Use and Disclose PHI as permitted or required to perform its obligations as set forth in the Underlying Contract(s); (2) Use PHI for its proper management and administration; and (3) Use PHI to carry out its legal responsibilities.
Limit, to the extent practicable and except as permitted by 45 C.F.R. § 164.502(b)(2), its Use, Disclosure, and requests of PHI under the Agreement to a Limited Data Set or, if needed by Business Associate, to the minimum necessary PHI to accomplish the intended purpose of such Use, Disclosure or request.
Use reasonable and appropriate safeguards and comply, where applicable, with the Security Regulations with respect to ePHI, to prevent Use or Disclosure of PHI, other than as provided for by this Agreement. Business Associate shall also mitigate, to the extent practicable, any harmful effects of any violation of this Agreement of which it becomes aware.
Use reasonable and appropriate administrative, physical and technical safeguards to protect the Confidentiality, Integrity and Availability of ePHI that it receives, maintains, creates, or transmits to or on behalf of Covered Entity, as required by 45 C.F.R. § 164.314(a) and in compliance with the Privacy Obligations, including but not limited to 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316. This includes adhering to applicable guidance published by the U.S. Department of Health and Human Services (“HHS”) on appropriate safeguards.
Implement reasonable systems for the discovery and reporting of any breach of or Security Incident involving individually identifiable information (including, but not limited to, PHI) that, if misused, disclosed, lost or stolen, Covered Entity believes would trigger an obligation under the Privacy Obligations, or one or more State data breach notification laws, to notify the individuals who are the subject of the information. Such systems must allow for the discovery and reporting of any such breaches or Security Incidents within the time frames specified under this Agreement.
Maintain policies and procedures governing the protection of PHI and provide, upon Covered Entity’s request, access to and copies of any such policies and procedures.
If Business Associate becomes aware of any Use or Disclosure of PHI in violation of this Agreement, report any such Use or Disclosure to the designated privacy contact of Covered Entity in accordance with this Agreement.
Report to Covered Entity any Security Incident of which Business Associate becomes aware in the following manner: (a) any actual, successful Security Incident will be reported to Covered Entity in writing without unreasonable delay and in no case later than three (3) calendar days, and (b) any attempted, unsuccessful Security Incident will be reported to Covered Entity in writing (i) if the incident reflects an unusual pattern or practice, or (ii) upon request by Covered Entity. For purposes of this Agreement, an “unsuccessful Security Incident” includes activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, routine unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such event may reasonably result in a compromise to the information system, tools, hardware, conduit, technology, and/or unauthorized access, Use or Disclosure of ePHI. If the Security Regulations are amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement hereunder to report such unsuccessful attempts will no longer apply as of the effective date of the amendment.
Business Associate shall notify Covered Entity, in writing, immediately and in no event later than three (3) business days upon Discovery of a Breach of Unsecured PHI (as those terms are defined below).
i. “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in the guidance issued under Section 13402(h)(2) of HITECH on the HHS website.
ii. “Breach” as used in this Agreement shall have the meaning given such term under 45 C.F.R. § 164.402 as such regulation is revised from time to time.
Such notice must include, to the extent possible:
the date and description of the Breach of Unsecured PHI (as governed by 45 C.F.R. § 164.404);
the date of the Discovery of the Breach of Unsecured PHI (which shall be deemed to have occurred as of the first day on which such Breach is known to Business Associate (including any person, other than the individual committing the Breach, who is an employee, officer, or other agent of the Business Associate, as determined in accordance with the federal common law of agency) or, by exercising reasonable diligence, should reasonably have been known to Business Associate);
a description of the types of Unsecured PHI that were involved (e.g., name, social security number, date of birth, address(es), account numbers of any type, disability codes, diagnostic and/or billing codes and similar information);
the name and contact information (e.g., mailing address, street address, phone number, email address) of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach;
a brief description of what the Business Associate has done or is doing to investigate the Breach of Unsecured PHI, mitigate harm to the Individual(s) impacted by the Breach, and protect against future Breaches; and
any other details requested by Covered Entity for purposes of, including without limitation, completing an assessment of the risk of harm to the Individual and/or complying with 45 C.F.R. § 164.410.
Business Associate shall also provide, to the extent possible, Covered Entity with any other available information that Covered Entity is required to include in the notification to Individuals under 45 C.F.R. § 164.404(c) or any applicable State data breach notification law at the time of Business Associate’s notification to Covered Entity or promptly thereafter as such information becomes available.
Following a Breach of Unsecured PHI, Business Associate agrees to establish procedures to investigate the Breach, mitigate losses, and protect against any future Breaches in the time and manner reasonably requested by Covered Entity. Business Associate will have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the Breach of Unsecured PHI, including but not limited to the information described in Sections 3.10(a)-(f) above. Business Associate shall also appoint a liaison and provide contact information for same so that Covered Entity may ask questions or learn additional information concerning the Breach of Unsecured PHI.
Business Associate shall, at the written request of Covered Entity, be responsible for the notifications to third parties (e.g., Individuals, the Secretary, the media) related to a Breach of Unsecured PHI by Business Associate. These notices shall be furnished at no additional charge to Covered Entity, and a copy of any notice shall be submitted to Covered Entity in advance for approval.
Business Associate shall document each risk assessment analysis it undertakes upon Discovery of a potential Breach of Unsecured Protected Health Information, and shall retain such analysis for six (6) years. Business Associate shall make such analyses available to Covered Entity within ten (10) business days of a Covered Entity request.
Business Associate agrees to pay actual costs for any associated mitigation incurred by Covered Entity, including the costs associated with making any notifications including, but not limited to, notifications conducted by Covered Entity, as a result of a Breach of Unsecured PHI by Business Associate (or an agent or contractor), such as credit monitoring and the cost of furnishing third-party notices, if Covered Entity determines that the Breach is significant enough to warrant such measures.
In the event of any conflict between this Section 3.10 and the Privacy Obligations, the more stringent requirements shall govern.
In the event any individually identifiable information is lost, stolen, used or disclosed in violation of one or more State data breach notification laws (“State Breach”), Business Associate shall promptly: (a) cooperate and assist Covered Entity with any investigation into any State Breach or alleged State Breach; (b) cooperate and assist Covered Entity with any investigation into any State Breach or alleged State Breach conducted by any State Attorney General or State Consumer Affairs Department (or their respective agents); (c) comply with Covered Entity’s determinations regarding Covered Entity’s and Business Associate’s obligations to mitigate to the extent practicable any potential harm to the individuals impacted by the State Breach; (d) assist with the implementation of any decision by Covered Entity or any State agency, including any State Attorney General or State Consumer Affairs Department (or their respective agents), to notify individuals impacted or potentially impacted by a State Breach, and (e) provide any other assistance or take any other actions that may be required to satisfy the requirements of any State data breach notification laws.
Subject to Covered Entity’s prior written approval of any agent or subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate in the course of performing the obligations set forth in the Underlying Contract(s), obtain and maintain a written agreement with such agent or subcontractor, pursuant to which such agent or subcontractor agrees to be bound by the same restrictions, terms and conditions that apply to Business Associate pursuant to this Agreement with respect to such PHI, including but not limited to the requirement that the agent or subcontractor implement reasonable and appropriate safeguards to protect any ePHI that is disclosed to it by Business Associate and that the agent or subcontractor report any Use or Disclosure of PHI in violation of this Agreement within a timeframe that permits Business Associate to comply with its reporting obligations under Sections 3.9 and 3.10 of this Agreement.
Make internal practices, policies, and procedures, books, agreements, and records relating to the Use or Disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary and Covered Entity, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Regulations. Business Associate shall promptly notify Covered Entity of any Secretary request and provide copies of any materials provided to the Secretary by Business Associate.
Document such Disclosures of PHI and information related to such Disclosures as would be required by Covered Entity to respond to a request for an accounting of Disclosures to an Individual in accordance with 45 C.F.R. § 164.528 (including, without limitation, a disclosure permitted under 45 C.F.R. § 164.512). Following notice by Covered Entity to Business Associate that it has received a request for an accounting of Disclosures of PHI, Business Associate shall make available such information as is in Business Associate’s possession to Covered Entity within ten (10) calendar days. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall forward such request to Covered Entity within five (5) calendar days.
If, and to the extent that, Business Associate maintains a Designated Record Set of Covered Entity, within fifteen (15) calendar days of receipt of a request by Covered Entity for access to PHI about an Individual contained in the Designated Record Set, make available to Covered Entity such PHI in accordance with 45 C.F.R. § 164.524 for so long as Business Associate maintains such information in the Designated Record Set. In the event that any Individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) calendar days. Any denials of access to the PHI requested shall be the responsibility of Covered Entity.
If, and to the extent that, Business Associate maintains a Designated Record Set of Covered Entity, within fifteen (15) calendar days from the receipt of a request from Covered Entity for the amendment of an Individual’s PHI contained in the Designated Record Set, provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI maintained by Business Associate as required by 45 C.F.R. § 164.526 for so long as Business Associate maintains such information in the Designated Record Set. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall directly forward such request to Covered Entity within five (5) calendar days.
If Business Associate receives a request directly from an Individual to restrict disclosures of PHI pursuant to HITECH § 13405(a), directly forward such request to Covered Entity within five (5) calendar days. Business Associate shall comply with those restrictions that Covered Entity may direct.
OBLIGATIONS OF COVERED ENTITY.
Covered Entity agrees to timely notify Business Associate, in writing, of any arrangements between Covered Entity and the Individual that is the subject of PHI that may impact in any manner the Use and/or Disclosure of that PHI by Business Associate under this Agreement.
Covered Entity shall notify Business Associate, in writing, of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Obligations if done by Covered Entity.
Covered Entity shall limit, to the extent practicable and except as permitted by 45 C.F.R. § 164.502(b)(2), its Use, Disclosure, and requests of PHI under the Agreement to a Limited Data Set or, if needed, to the minimum necessary PHI to accomplish the intended purpose of such Use, Disclosure or request.
TERMINATION.
Upon Covered Entity’s knowledge of a material breach of the terms of this Agreement by Business Associate, Covered Entity may, at its discretion:
a. Provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement (and any Underlying Contract(s)) if Business Associate does not cure the breach or end the violation within ten (10) days; or
b. Immediately terminate this Agreement (and any Underlying Contract(s)) if cure is not feasible.
In the event Covered Entity determines that Business Associate has committed a material breach of any term of this Agreement, Business Associate agrees that Covered Entity has a right to obtain injunctive relief to prevent further Use or Disclosure of PHI by Business Associate. In addition to injunctive relief, Covered Entity also shall have a right to pursue any other remedy provided by law or equity.
This Agreement shall automatically terminate with respect to any Underlying Contract(s) without any further action by the Parties when all of the PHI obtained from Covered Entity or created or obtained by Business Associate on behalf of Covered Entity in connection with that Underlying Contract is destroyed or returned to Covered Entity.
Notwithstanding anything herein to the contrary, this Agreement shall terminate when Business Associate has completed performance of the Underlying Contract(s), subject, however, to Sections 5.5 and 5.6 regarding the return and destruction of PHI.
Upon termination of the Underlying Contract(s), Business Associate shall either return or destroy, if feasible, any and all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity pursuant to that Underlying Contract that Business Associate still maintains in any form, and shall cause any subcontractors and agents to do the same. Upon termination of this Agreement, Business Associate shall either return or destroy, if feasible, any and all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form, and shall cause subcontractors and agents to do the same. For purposes of this Agreement, destruction shall include, without limitation, destroying all backup tapes and permanently deleting all ePHI, and shall utilize techniques that meet or exceed guidance from HHS. Business Associate, and its subcontractors and agents, shall not retain any copies of such PHI.
Within thirty (30) days from the date of termination or other expiration of this Agreement, an authorized representative of Business Associate shall certify in writing to Covered Entity that all PHI has been returned or destroyed as provided above and that Business Associate, and its subcontractors or agents, no longer retain any such PHI in any form. Notwithstanding the foregoing, to the extent that it is not feasible for Business Associate, or its agents or subcontractors, to return or destroy such PHI, Business Associate shall provide to Covered Entity a written statement that it is infeasible to return or destroy the PHI and describe the conditions that make return or destruction of the PHI infeasible. Upon mutual agreement by the Parties that return or destruction of the PHI is not feasible, Business Associate, and its agents and subcontractors, shall extend the protections of this Agreement to such PHI, and such PHI shall be Used or Disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI, for so long as Business Associate maintains the PHI.
The obligations of Business Associate under Section 5 shall survive termination of this Agreement.
MISCELLANEOUS.
Audits, Inspection, and Enforcement. Upon reasonable notice, Covered Entity or its agents may inspect the facilities, systems, books, and records of Business Associate to monitor compliance with this Agreement. The fact that Covered Entity inspects, or fails to inspect, or has the right to inspect, Business Associate’s facilities, systems, and procedures does not relieve Business Associate of its responsibility to comply with this Agreement, nor does Covered Entity’s (i) failure to detect or (ii) detection, but failure to notify Business Associate or require Business Associate’s remediation of any unsatisfactory practices, constitute acceptance of such practice or a waiver of Covered Entity’s enforcement rights under this Agreement.
Subpoenas. Business Associate agrees to provide written notice to Covered Entity of any subpoena or other legal process seeking PHI received from or created on behalf of Covered Entity, or otherwise relating to Business Associate’s services, duties and obligations under the Agreement. Such notice shall be provided within forty-eight (48) hours of Business Associate’s receipt of such subpoena or legal process.
Notice. Any notice to Covered Entity required by this Agreement shall be sent via private courier service (e.g., Federal Express, United Parcel Service) to:
Attn: Chief Compliance Officer
NeoGenomics Laboratories, Inc.
9490 NeoGenomics Way
Fort Myers, FL 33912
Interpretation. In the event of a conflict between this Agreement and the Underlying Contract(s), this Agreement shall prevail to the extent necessary to allow the Covered Entity and Business Associate to comply with the Privacy Obligations. Except as supplemented and/or amended by this Agreement, the terms of the Underlying Contract(s) shall continue unchanged and shall apply with full force and effect to govern the matters addressed in the Underlying Contract(s).
Survival. Notwithstanding any other provision of this Agreement to the contrary, the terms of Sections 3, 5, and 6.11 of this Agreement shall survive termination of this Agreement and continue indefinitely solely with respect to PHI Business Associate retains in accordance with this Agreement.
Amendment. The Parties mutually agree to enter into good faith negotiations to amend this Agreement from time to time in order for Covered Entity or Business Associate to comply with the requirements of the Privacy Obligations, as they may be amended from time to time, and any implementing regulations thereto that may be promulgated or revised from time to time.
No Third Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
Independent Contractors. None of the provisions of this Agreement are intended to create, nor will be deemed to create, any relationship between the Parties other than that of independent contracting parties with each other solely for the purposes of affecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship.
Compliance with Law. Parties agree to comply with all applicable federal and State laws and regulations governing the confidentiality and security of PHI and individually identifiable information provided by Covered Entity to Business Associate as permitted or required by this Agreement.
Governing Law. This Agreement is governed by, and shall be construed in accordance with, applicable federal law and the internal laws of the State of Florida without regard to choice of law principles.
Indemnification. Business Associate agrees to indemnify, defend and hold harmless Covered Entity, and its respective owners, employees, directors, officers, subcontractors, agents or other members of its workforce, (each of the foregoing hereinafter referred to as “Indemnified Party”) against all actual and direct losses suffered by the Indemnified Party and all liability to third parties arising from or in connection with any breach of this Agreement or from any acts or omissions related to this Agreement, including, without limitation, losses related to a Breach of Unsecured PHI or breach of individually identifiable information, by Business Associate or its employees, directors, officers, subcontractors, agents or other members of its workforce. Accordingly, on demand, Business Associate shall reimburse any Indemnified Party for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys’ fees) which may for any reason be imposed upon any Indemnified Party by reason of any suit, claim, action, proceeding or demand by any third party which results from Business Associate’s acts or omissions hereunder. Business Associate’s obligation to indemnify any Indemnified Party shall survive the expiration or termination of this Agreement.
Counterparts. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original but all of which shall constitute one and the same instrument.
[Signatures Appear on the Following Page.]
IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf.
BUSINESS ASSOCIATE: COVERED ENTITY:
NEOGENOMICS LABORATORIES, INC.
By: By:
Name: Name:
Title: Title:
Date: Date:
EXHIBIT D
Retirement Agreement and General Release of Claims
EXHIBIT E
Confidentiality, Non-solicitation and Non-compete Agreement