Consulting Agreement

This consulting agreement (the “Agreement”), effective 8^th day of August, 2019 (“Effective Date”) by and between Sharon A. Virag (“Consultant”), an individual whose address is XXXXXX and NeoGenomics Laboratories, Inc., a Florida corporation with its principal office located at 12701 Commonwealth Drive, Suite 9, Fort Myers, FL 33913 together with its affiliates and subsidiaries (“NeoGenomics” or the “Company”).

WHEREAS, NeoGenomics operates several clinical laboratories, licensed in accordance with the Clinical laboratory Improvement Amendments of 1988 (42 U.S.C. §263a) and the regulations adopted pursuant thereto (“CLIA”) (each individually, the “Laboratory” and collectively, the “Laboratories”), in which it performs certain high-complexity pathology tests (“Diagnostic Tests”), and

WHEREAS, Consultant is a finance executive and professional with specific expertise and experience pertaining to strategic financial and accounting advisory services in the clinical laboratory industry; and

WHEREAS, Consultant is willing to provide the professional expertise and experience in those areas required or desired by NeoGenomics; and

WHEREAS, NeoGenomics desires to contract with Consultant for the rendition and performance of such professional services, as more fully described in this Agreement, and Consultant agrees to render and perform such services on an independent contractor basis to NeoGenomics, on the terms and conditions set forth in this Agreement; and

NOW, THEREFORE, in consideration of the foregoing recitals, which are hereby incorporated into this Agreement as an integral part hereof, and the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, NeoGenomics and Consultant, intending to be legally bound, hereby agree as follows:

1. Term of Engagement. The Agreement shall be effective for a period of one (1) year, commencing on the Effective Date of this Agreement (the “Term”).

2. Services. During the Term, Consultant will be responsible for providing professional strategic, financial and accounting advisory consulting services (collectively, the “Services”), as more fully described in Exhibit A attached hereto.

3. Agreements of NeoGenomics. Pursuant to this Agreement, NeoGenomics agrees to the following:

a.Provide such information that may be necessary for the provision of the Services by Consultant; and

a.Provide such other support as Consultant may reasonably request in order for Consultant to perform his duties as outlined in paragraph 2 of the Agreement and Exhibit A attached hereto.

4. Compensation and Expenses. In consideration for the Services rendered by Consultant to NeoGenomics throughout the Term of Engagement, the Company shall compensate Consultant in accordance with the terms set forth in Exhibit B attached hereto.

5. Arm’s-length Compensation. The parties hereto agree that the compensation provided herein has been determined in arm’s-length bargaining and is consistent with fair market value in arm’s-length transactions. Furthermore, the compensation is not and has not been determined in a manner that takes into account the volume or value of any referrals or business otherwise generated between the parties for which payment may be made in whole or in part under Medicare or any other federal or state health care program or any other third party payor program.

6. Termination. This Agreement shall terminate upon the one-year anniversary of the Effective Date (the “Termination Date”). Consultant shall have the right to terminate this Agreement at any time during the Term by giving written notice to the Company at least thirty (30) days prior to the date of such termination. During the Term of this Agreement, in the event Consultant breaches this Agreement, the Company shall have the right to terminate this Agreement by giving written notice to Consultant at least thirty (30) days prior to the date of such termination. Upon any termination, Consultant agrees to cease all representation on behalf of the Company, including, but not limited to representations to the Company’s clients that Consultant is acting on behalf of the Company in any capacity; provided, however the Consultant agrees to answer any reasonable follow-up inquiries from clients or the Company for matters on which she has previously reported or been involved.

7. Confidentiality and Non-Disclosure Agreement.

a) The term “Confidential Information” as used herein shall include all testing recipes, formulas, business practices, methods, techniques, or processes that: (i) derives independent economic value, actual or potential, from not being generally known to or not available to the public, and not being readily ascertainable by proper means by other persons who can obtain economic value from its disclosure or use; and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. Confidential Information also includes, but is not limited to, Marketing Information, Marketing Strategy, Pricing Information, Product Plans, Business Plans, Financial Plans, Compliance Plans, Forms, Customer Lists, Salary and Other Personnel Information, Training Manuals, Training Tapes, Third Party Contract Terms and other business information of a similar nature, including information about the Company itself, which Consultant acknowledges and agrees has been compiled by the Company's expenditure of a great amount of time, money and effort, and that contains detailed information that could not be created independently from public sources. Further, all data, spreadsheets, reports, records, know-how, verbal communication, proprietary and technical

information and/or other confidential materials of similar kind transmitted by the Company to Consultant are expressly included within the definition of “Confidential Information.” The parties further agree that the fact the Company may be seeking to complete a business transaction is “Confidential Information” within the meaning of this Agreement, as well as all notes, analysis, work product or other material derived from Confidential Information. The parties agree that the following information is not “Confidential Information” as that term is used herein: (i) information that was or becomes generally available to the public, (ii) technical and scientific information and know-how available in published literature or that can be obtained by hire or purchase from another business entity, or (iii) information that was or becomes available to Consultant on a non-confidential basis from an independent source.

b) In the event that Consultant is requested or required (by oral questions, interrogatories, requests for information or documents, subpoenas, civil investigative demands or similar processes) to disclose or produce any Confidential Information furnished in the course of its dealings with the other party or its affiliates, advisors or Representatives, it is agreed that the Consultant will (i) provide the Company with prompt notice thereof and copies, if possible, and, if not, a description, of the Confidential Information requested or required to be disclosed or produced so that the Company may seek an appropriate protective order or waive compliance with the provisions of this Agreement and (ii) consult with the Company as to the advisability of the Consultant taking of legally available steps to resist or narrow such request. It is further agreed that, if in the absence of a protective order or the receipt of a waiver hereunder the Consultant is nonetheless, in the written opinion of its legal counsel, compelled to disclose or produce Confidential Information concerning the Company to any tribunal or to stand liable for contempt or suffer other censure or penalty, the Consultant may disclose or produce such Confidential Information to such tribunal without liability hereunder; provided, however, that the Consultant shall give the Company written notice of the Confidential Information to be so disclosed or produced as far in advance of its disclosure or production as is practicable and shall use its best efforts to obtain, to the greatest extent practicable, an order or other reliable assurance that confidential treatment will be accorded to such Confidential Information so required to be disclosed or produced.

c) Consultant acknowledge(s) that this "Confidential Information" is of value to the Company by providing it with a competitive advantage over its competitors, is not generally known to competitors of the Company, is not information easily available to the public, and is not intended by the Company for general dissemination. Consultant acknowledges that this "Confidential Information" derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and is the subject of reasonable efforts to maintain its secrecy. Therefore, the parties agree that all "Confidential Information" under this Agreement constitutes “Trade Secrets” under the law of any state in which the Consultant provides services to the Company or, in the absence of any such definition, as defined in the Uniform Trade Secrets Act.

d) Duty of Confidentiality. All Confidential Information is considered highly sensitive and strictly confidential. Accordingly, upon receiving any Confidential Information, Consultant agrees that he/she shall maintain and preserve such Confidential Information and prevent its disclosure to any third party unless otherwise expressly authorized by the Company. Consultant shall not use or disclose, directly or indirectly, as an individual or as a partner, joint

venturer, employee, agent, salesman, contractor, officer, director or otherwise, for the benefit of himself or herself or any other person, partnership, firm, corporation, association or other legal entity, any Confidential Information, unless expressly permitted by this Agreement.

8. Agreement Not To Solicit. Consultant agrees and acknowledges that for a period of twenty four (24) months after the effective Termination Date (see section 6 for definition of the Termination Date), she will not, directly or indirectly, in one or a series of transactions, as an individual or as a partner, joint venturer, employee, agent, salesman, contractor, officer, director or otherwise, for the benefit of himself or herself or any other person, partnership, firm, corporation, association or other legal entity: (a) recruit, solicit or otherwise induce or influence any proprietor, partner, stockholder, lender, director, officer, employee, sales agent, joint venturer, investor, lessor, supplier, customer, agent, representative or any other person which has a business relationship with the Company to discontinue, reduce or modify such employment, agency or business relationship with the Company, or (b) employ or seek to employ any person or agent who is then (or was at any time within twelve (12) months prior to the date Consultant or such entity employs or seeks to employ such person) employed or retained by the Company. Any such solicitation shall constitute a material breach of this Agreement and will cause irreparable harm and loss to the Company for which monetary damages will be an insufficient remedy. Therefore, the parties agree that in addition to any other remedy available, the Company will be entitled to temporary and permanent injunctive relief, without the necessity of posting bond, restraining Consultant from any actual or threatened unauthorized solicitation by Consultant. The spirit of this non-solicit section is to prevent Consultant from leaving the Company and taking any Company personnel or customers of the Company for a period of two years after the date of Termination.

9. Return of Property. Upon the termination of this Agreement, regardless of why the Agreement terminates, Consultant shall return to the Company and/or certify that it has been deleted from Consultant’s computer all property owned by the Company and all Confidential Information indicated by the Company as well as any other Confidential Information that Consultant is aware that he has, in whatever form it exists, including all copies thereof. The Company agrees that so long as Consultant has made a good faith effort to return all such property and Confidential Information, Consultant shall be deemed to have complied with these provisions. The Company may at anytime call to Consultant’s attention that it has not yet received certain additional Confidential Information and Consultant shall promptly search for such additional Confidential Information and return it to the Company. The Company agrees that Consultant may delete any information that is proprietary to Consultant that may be contained within the Company’s Confidential Information prior to Consultant returning it to the Company.

10. Privacy and Security. The parties shall protect the privacy and confidentiality and provide for the security of all protected health information (“PHI”), as that term is defined in and in accordance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the privacy and security regulations promulgated thereunder at 45 C.F.R. parts 160 through 164 (“HIPAA”), and all other applicable federal and state laws and regulations. Notwithstanding the foregoing, each party shall provide the other party with such information as reasonably necessary to perform their respective obligations under this Agreement. In addition, as the Company is a “covered entity,” as that term is defined under HIPAA and, as PHI may be

exchanged between the parties under this Agreement, Consultant agrees to be bound by and comply with the separate Business Associate Agreement attached hereto as Exhibit C and incorporated herein by reference (“Business Associate Agreement”).

11. Change of Control. In the event that the Company undergoes a Change of Control during the Term of this Agreement, this Agreement shall survive until termination of the Term. The term “Change of Control” for purposes of this Agreement means the occurrence of any of the following events: (a) any “person” or “group” (as defined in Section 13(d) and 14(d) of the Exchange Act) together with their affiliates become the ultimate “beneficial owner” (as defined in Rule 13d-3 of the Exchange Act) of voting stock of the Company representing more than fifty percent (50%) of the voting power of the total voting stock of the Company, or (b) the consummation of a merger or consolidation of the Company with any other corporation or entity regardless of which entity is the survivor, other than a merger or a consolidation which would result in the voting stock of the Company outstanding immediately prior thereto continuing to represent (either by remaining outstanding or being converted into voting securities of the surviving entity or the parent thereof) at least fifty percent (50%) of the combined voting power of the voting securities of the Company or such surviving entity or the parent thereof, outstanding immediately after such merger or consolidation, or (c) the stockholders of the Company approve a plan of complete liquidation or winding up of the Company or an agreement for the sale or disposition by the Company of all or substantially all of the Company’s assets, or (d) during any period of two (2) consecutive years, individuals who at the beginning of such period constitute the Board, and any new member of the Board (other than a member of the Board designated by a person who has entered into an agreement with the Company to effect a transaction described in subsections (a), (b), or (c) of this Section 11 whose election by the Company’s shareholders was approved by a vote of at least two-thirds (2/3) of the members of the Board at the beginning of the period or whose election or nomination for election was previously so approved, cease for any reason to constitute at least a majority thereof.

12. Miscellaneous.

a) With the exception of the Separation Agreement and General Release of Claims dated August 8, 2019 (attached hereto as Exhibit D) and the Confidentiality, Non-solicitation and Non-compete Agreement dated March 14, 2018 (attached hereto as Exhibit E) executed between the Consultant and the Company, this Agreement supersedes all prior agreements and understandings between the parties and may not be modified or terminated orally. Except as otherwise provided in this paragraph, the Consultant hereby waives any claims that it might have under any previous oral or other contract. No modification or attempted waiver of this Agreement will be valid unless in writing and signed by the party against whom the same is sought to be enforced.

b) The provisions of this Agreement are separate and severable, and if any of them is declared invalid and/or unenforceable by a court of competent jurisdiction or an arbitrator, the remaining provisions shall not be affected.

c) If a court of competent jurisdiction determines that any of the restrictions against disclosure of Confidential Information, and/or solicitation contained in this Agreement are invalid in whole or in part due to over breadth, whether geographically, temporally, or otherwise, such court is specifically authorized and requested to reform such provision by modifying it to the smallest extent necessary to render it valid and enforceable, and to enforce the provision as modified.

d) This Agreement is the joint product of the Company and the Consultant and each provision hereof has been subject to the mutual consultation, negotiation and agreement of the Company and the Consultant and shall not be construed for or against either party hereto.

e) This Agreement will be governed by, and construed in accordance with the provisions of the law of the State of Florida, without reference to provisions that refer a matter to the law of any other jurisdiction. Each party hereto hereby irrevocably submits itself to the exclusive personal jurisdiction of the federal and state courts sitting in Lee County, Florida; accordingly, any matters involving the Company and the Consultant with respect to this Agreement may be adjudicated only in a federal or state court sitting in Lee County, Florida.

f) All notices and other communications required or permitted under this Agreement shall be in writing, and shall be deemed properly given if delivered personally, mailed by registered or certified mail in the United States mail, postage prepaid, return receipt requested, sent by facsimile, or sent by Express Mail, Federal Express or nationally recognized express delivery service, as follows:

(i) If to the Company, at the address listed at the preamble to this Agreement or its then primary executive offices to the attention of the General Counsel; and

(ii) If to the Consultant, at the address listed at the preamble to this Agreement or the Consultant’s primary legal residence which is listed at the signature block of this agreement. Should this address change, the Consultant agrees to promptly notify the Company of such change.

Notice given by hand, certified or registered mail, or by Express Mail, Federal Express or other such express delivery service, shall be effective upon actual receipt. Notice given by facsimile transmission shall be effective upon telephonic confirmation of receipt by the party to whom it is addressed. All notices by facsimile transmission shall be followed up promptly after transmission by delivering an original copy by hand, certified or registered mail, or by Express Mail, Federal Express or other such delivery service. Any party may change any address to which notice is to be given to it by giving notice as provided above of such change of address.

g) The parties agree that the Consultant is acting as an independent contract under current Internal Revenue Service guidelines in the provision of services under this Agreement and that the Consultant shall be solely responsible for paying all taxes due on any Compensation hereunder. The Consultant understands and acknowledges that all Compensation hereunder is taxable to the Consultant and the Company has an affirmative obligation to report such amounts of Compensation on Form 1099 to the Internal Revenue Service each year. The Consultant agrees to provide its tax identification number in the signature block below.

h) It is understood by and between the parties hereto that the covenants set forth in paragraphs 7 and 8 are essential elements of this Agreement. Such covenants by Consultant shall be construed as agreements independent of any other provision of this Agreement. The existence of any claim or cause of action of Consultant against the Company, whether predicated on this Agreement or otherwise, shall not constitute a defense to the enforcement by the Company of such covenants.

i) This Agreement may be signed in counterparts, and by fax or Adobe Acrobat PDF file, each of which shall be an original, with the same effect as if the signatures thereto and hereto were upon the same instrument.

IN WITNESS WHEREOF, the parties have executed this Agreement on the day and year first set forth above.

By: /s/ Douglas M. VanOort By: /s/ Sharon A. Virag

Legal Residence: XXXXXX

XXXXXX

Phone: XXXXXX

In accordance with the terms and conditions of the Consulting Agreement between Sharon A. Virag (”Consultant”) and NeoGenomics Laboratories, Inc. and its affiliates (”Company”) and Section 2 therein, this Exhibit A describes the duties and services (the “Services”) the Consultant shall perform under the Agreement.

1.Provide professional strategic, financial and accounting advisory consulting services to the Company and the Company’s Finance Department under the direction of the Company’s Chief Executive Officer (“CEO”) and Chairman.

2.Participate in meetings and telephone conferences, as needed, with the CEO, Finance Department and other Company personnel to facilitate the provision of Services.

3.Such other activities as may be needed by the CEO at the expense of the Company. The spirit of this section is to try and account for other activities or issues that have not been addressed or identified in paragraphs (1) through (2) above.

In accordance with the terms and conditions of the Consulting Agreement between Sharon A. Virag (”Consultant”) and NeoGenomics Laboratories, Inc. and its affiliates (”Company”) and Section 4 therein, this Exhibit B sets forth the compensation to be by the Company to the Consultant for the provision of the Services described in Exhibit A and Section 2 of the Agreement.

1.The Company agrees to pay Consultant $34,167.00 per month for the provision of Services set forth in Section 2 of the Agreement and Exhibit A attached hereto. Such payments will be made monthly within thirty (30) days of the end of the month for which Services were provided. Consultant agrees to prepare an invoice periodically, no more frequently than monthly, for all Services rendered on behalf of the Company during any given month of providing such Services.

2.In addition to any compensation payable hereunder, the Company shall also reimburse Consultant for all expenses reasonably incurred by her in connection with the Services performed on behalf of the Company under the Agreement including, but not limited to, airfare, hotel, rental car, food, and associated expenses, upon providing the original receipts and an expense report for such expenses in accordance with the Company’s standard expense reimbursement policy then in effect. Consultant agrees to seek prior written approval from NeoGenomics before incurring expenses in excess of $1000.00 in any given month.

3.Except as may be set forth in this Exhibit B and the Agreement, each party shall be responsible for its own costs and expenses incurred in connection with this Agreement. Each party shall also bear and be responsible for paying any sales, use, or other federal, state, or local taxes it incurs as a direct or indirect result of entering into this Agreement.

This Business Associate Agreement (“Agreement”), effective on the 8^th day of August, 2019 (“Effective Date”), is entered into by and between NeoGenomics Laboratories, Inc., a Florida corporation (“NeoGenomics” or “Covered Entity”), on behalf of itself and its affiliates, and Sharon A. Virag (“Consultant”), an individual whose address is XX (“Business Associate”), (each a “Party” and collectively the “Parties”).

1.BACKGROUND AND PURPOSE. The Parties have entered into, and may in the future enter into, one or more agreements (the “Underlying Contract(s)”), that require Business Associate to perform a service, function or activity involving the Use or Disclosure of PHI (as defined in Section 2.3), that is pursuant to this Agreement and subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), and the privacy and security regulations promulgated thereunder (45 C.F.R. Parts 160 and 164) (the “Privacy Regulations” and the “Security Regulations”); and the requirements of Subtitle D (Privacy) of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and the implementing regulations, that apply to covered entities and business associates (“HITECH”), beginning on the date each applicable provision is specified to take effect. These laws and regulations shall collectively be referred to the as “Privacy Obligations”. This Agreement shall supplement and/or amend each of the Underlying Contract(s) only with respect to Business Associate’s receipt, Use, Disclosure, and creation of PHI under the Underlying Contract(s) to allow both Parties to comply with the Privacy Obligations and other laws applicable to the privacy and security of health information.

2.DEFINITIONS. Capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as the meaning ascribed to those terms in the Privacy Obligations in effect or as amended.

2.1 “EPHI” means PHI (as defined in Section 2.3) transmitted by or maintained in Electronic Media.

2.2 “PHI” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. § 160.103, limited to information created or received by Business Associate from or on behalf of Covered Entity, including, but not limited to EPHI.

3.OBLIGATIONS OF BUSINESS ASSOCIATE. To assure that the Covered Entity and Business Associate may achieve and maintain compliance with the requirements of the Privacy Obligations, Business Associate agrees to:

3.1 Not use or Disclose PHI received from Covered Entity in any manner that would constitute a violation of the Privacy Regulations if done by Covered Entity. No other Use or Disclosure of PHI by Business Associate is permissible, unless approved in

writing by Covered Entity. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI received from or on behalf of Covered Entity, except as permitted by HITECH § 13405(d) and any implementing regulations that may be promulgated or revised from time to time, including, but not limited to, 45 C.F.R. §§ 164.502(a)(5)(ii) and 164.508(a)(4).

3.2 Not Use or Disclose PHI other than as permitted or required by this Agreement, the Underlying Contract(s) or as Required by Law. Business Associate may: (1) Use and Disclose PHI as permitted or required to perform its obligations as set forth in the Underlying Contract(s); (2) Use PHI for its proper management and administration; and (3) Use PHI to carry out its legal responsibilities.

3.3 Limit, to the extent practicable and except as permitted by 45 C.F.R. § 164.502(b)(2), its Use, Disclosure, and requests of PHI under the Agreement to a Limited Data Set or, if needed by Business Associate, to the minimum necessary PHI to accomplish the intended purpose of such Use, Disclosure or request.

3.4 Use reasonable and appropriate safeguards and comply, where applicable, with the Security Regulations with respect to EPHI, to prevent Use or Disclosure of PHI, other than as provided for by this Agreement. Business Associate shall also mitigate, to the extent practicable, any harmful effects of any violation of this Agreement of which it becomes aware.

3.5 Use reasonable and appropriate administrative, physical and technical safeguards to protect the Confidentiality, Integrity and Availability of EPHI that it receives, maintains, creates, or transmits to or on behalf of Covered Entity, as required by 45 C.F.R. § 164.314(a) and in compliance with the Privacy Obligations, including but not limited to 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316. This includes adhering to applicable guidance published by the U.S. Department of Health and Human Services (“HHS”) on appropriate safeguards.

3.6 Implement reasonable systems for the discovery and reporting of any breach of or Security Incident involving individually identifiable information (including, but not limited to, PHI) that, if misused, disclosed, lost or stolen, Covered Entity believes would trigger an obligation under the Privacy Obligations, or one or more State data breach notification laws, to notify the individuals who are the subject of the information. Such systems must allow for the discovery and reporting of any such breaches or Security Incidents within the time frames specified under this Agreement.

3.7 Maintain policies and procedures governing the protection of PHI and provide, upon Covered Entity’s request, access to and copies of any such policies and procedures.

3.8 If Business Associate becomes aware of any Use or Disclosure of PHI in violation of this Agreement, report any such Use or Disclosure to the designated privacy contact of Covered Entity in accordance with this Agreement.

3.9 Report to Covered Entity any Security Incident of which Business Associate becomes aware in the following manner: (a) any actual, successful Security Incident will be reported to Covered Entity in writing without unreasonable delay and in no case later than three (3) calendar days, and (b) any attempted, unsuccessful Security Incident will be reported to Covered Entity in writing (i) if the incident reflects an unusual pattern or practice, or (ii) upon request by Covered Entity. For purposes of this Agreement, an “unsuccessful Security Incident” includes activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, routine unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such event may reasonably result in a compromise to the information system, tools, hardware, conduit, technology, and/or unauthorized access, Use or Disclosure of EPHI. If the Security Regulations are amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement hereunder to report such unsuccessful attempts will no longer apply as of the effective date of the amendment.

3.10 Business Associate shall notify Covered Entity, in writing, immediately and in no event later than three (3) business days upon Discovery of a Breach of Unsecured PHI (as those terms are defined below).

“Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in the guidance issued under Section 13402(h)(2) of HITECH on the HHS website.

“Breach” as used in this Agreement shall have the meaning given such term under 45 C.F.R. § 164.402 as such regulation is revised from time to time.

Such notice must include, to the extent possible:

a.the date and description of the Breach of Unsecured PHI (as governed by 45 C.F.R. § 164.404);

b.the date of the Discovery of the Breach of Unsecured PHI (which shall be deemed to have occurred as of the first day on which such Breach is known to Business Associate (including any person, other than the individual committing the Breach, who is an employee, officer, or other agent of the Business Associate, as determined in accordance with the federal common law of agency) or, by exercising reasonable diligence, should reasonably have been known to Business Associate);

c.a description of the types of Unsecured PHI that were involved (e.g., name, social security number, date of birth, address(es), account numbers of any type, disability codes, diagnostic and/or billing codes and similar information);

d.the name and contact information (e.g., mailing address, street address, phone number, email address) of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach;

e.a brief description of what the Business Associate has done or is doing to investigate the Breach of Unsecured PHI, mitigate harm to the Individual(s) impacted by the Breach, and protect against future Breaches; and

f.any other details requested by Covered Entity for purposes of, including without limitation, completing an assessment of the risk of harm to the Individual and/or complying with 45 C.F.R. § 164.410.

Business Associate shall also provide, to the extent possible, Covered Entity with any other available information that Covered Entity is required to include in the notification to Individuals under 45 C.F.R. § 164.404(c) or any applicable State data breach notification law at the time of Business Associate’s notification to Covered Entity or promptly thereafter as such information becomes available.

Following a Breach of Unsecured PHI, Business Associate agrees to establish procedures to investigate the Breach, mitigate losses, and protect against any future Breaches in the time and manner reasonably requested by Covered Entity. Business Associate will have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the Breach of Unsecured PHI, including but not limited to the information described in Sections 3.10(a)-(f) above. Business Associate shall also appoint a liaison and provide contact information for same so that Covered Entity may ask questions or learn additional information concerning the Breach of Unsecured PHI.

Business Associate shall, at the written request of Covered Entity, be responsible for the notifications to third parties (e.g., Individuals, the Secretary, the media) related to a Breach of Unsecured PHI by Business Associate. These notices shall be furnished at no additional charge to Covered Entity, and a copy of any notice shall be submitted to Covered Entity in advance for approval.

Business Associate shall document each risk assessment analysis it undertakes upon Discovery of a potential Breach of Unsecured Protected Health Information, and shall retain such analysis for six (6) years. Business Associate shall make such analyses available to Covered Entity within ten (10) business days of a Covered Entity request.

Business Associate agrees to pay actual costs for any associated mitigation incurred by Covered Entity, including the costs associated with making any notifications including, but not limited to, notifications conducted by Covered Entity, as a result of a Breach of Unsecured PHI by Business Associate (or an agent or contractor), such as credit monitoring and the cost of furnishing third-party notices, if Covered Entity determines that the Breach is significant enough to warrant such measures.

In the event of any conflict between this Section 3.10 and the Privacy Obligations, the more stringent requirements shall govern.

3.11 In the event any individually identifiable information is lost, stolen, used or disclosed in violation of one or more State data breach notification laws (“State Breach”), Business Associate shall promptly: (a) cooperate and assist Covered Entity with any investigation into any State Breach or alleged State Breach; (b) cooperate and assist Covered Entity with any investigation into any State Breach or alleged State Breach conducted by any State Attorney General or State Consumer Affairs Department (or their respective agents); (c) comply with Covered Entity’s determinations regarding Covered Entity’s and Business Associate’s obligations to mitigate to the extent practicable any potential harm to the individuals impacted by the State Breach; (d) assist with the implementation of any decision by Covered Entity or any State agency, including any State Attorney General or State Consumer Affairs Department (or their respective agents), to notify individuals impacted or potentially impacted by a State Breach, and (e) provide any other assistance or take any other actions that may be required to satisfy the requirements of any State data breach notification laws.

3.12 Subject to Covered Entity’s prior written approval of any agent or subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate in the course of performing the obligations set forth in the Underlying Contract(s), obtain and maintain a written agreement with such agent or subcontractor, pursuant to which such agent or subcontractor agrees to be bound by the same restrictions, terms and conditions that apply to Business Associate pursuant to this Agreement with respect to such PHI, including but not limited to the requirement that the agent or subcontractor implement reasonable and appropriate safeguards to protect any EPHI that is disclosed to it by Business Associate and that the agent or subcontractor report any Use or Disclosure of PHI in violation of this Agreement within a timeframe that permits Business Associate to comply with its reporting obligations under Sections 3.9 and 3.10 of this Agreement.

3.13 Make internal practices, policies, and procedures, books, agreements, and records relating to the Use or Disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary and Covered Entity, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Regulations. Business Associate shall promptly notify Covered Entity of any Secretary request and provide copies of any materials provided to the Secretary by Business Associate.

3.14 Document such Disclosures of PHI and information related to such Disclosures as would be required by Covered Entity to respond to a request for an accounting of Disclosures to an Individual in accordance with 45 C.F.R. § 164.528 (including, without limitation, a disclosure permitted under 45 C.F.R. § 164.512). Following notice by Covered Entity to Business Associate that it has received a request for an accounting of Disclosures of PHI, Business Associate shall make available such information as is in Business Associate’s possession to Covered Entity within ten (10) calendar days. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall forward such request to Covered Entity within five (5) calendar days.

3.15 If, and to the extent that, Business Associate maintains a Designated Record Set of Covered Entity, within fifteen (15) calendar days of receipt of a request by Covered Entity for access to PHI about an Individual contained in the Designated Record Set, make available to Covered Entity such PHI in accordance with 45 C.F.R. § 164.524 for so long as Business Associate maintains such information in the Designated Record Set. In the event that any Individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) calendar days. Any denials of access to the PHI requested shall be the responsibility of Covered Entity.

3.16 If, and to the extent that, Business Associate maintains a Designated Record Set of Covered Entity, within fifteen (15) calendar days from the receipt of a request from Covered Entity for the amendment of an Individual’s PHI contained in the Designated Record Set, provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI maintained by Business Associate as required by 45 C.F.R. § 164.526 for so long as Business Associate maintains such information in the Designated Record Set. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall directly forward such request to Covered Entity within five (5) calendar days.

3.17 If Business Associate receives a request directly from an Individual to restrict disclosures of PHI pursuant to HITECH § 13405(a), directly forward such request to Covered Entity within five (5) calendar days. Business Associate shall comply with those restrictions that Covered Entity may direct.

3.18 To the extent Business Associate is engaged by Covered Entity to carry out one or more of Covered Entity’s obligation(s) under the Privacy Regulations, comply with the requirements of the Privacy Regulations that apply to Covered Entity in the performance of such obligation(s).

4.Obligations of Covered Entity.

4.1 Covered Entity agrees to timely notify Business Associate, in writing, of any arrangements between Covered Entity and the Individual that is the subject of PHI that may impact in any manner the Use and/or Disclosure of that PHI by Business Associate under this Agreement.

4.2 Covered Entity shall notify Business Associate, in writing, of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.

4.3 Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Obligations if done by Covered Entity.

4.4 Covered Entity shall limit, to the extent practicable and except as permitted by 45 C.F.R. § 164.502(b)(2), its Use, Disclosure, and requests of PHI under

the Agreement to a Limited Data Set or, if needed, to the minimum necessary PHI to accomplish the intended purpose of such Use, Disclosure or request.

a. Provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement (and any Underlying Contract(s)) if Business Associate does not cure the breach or end the violation within ten (10) days; or

b. Immediately terminate this Agreement (and any Underlying Contract(s)) if cure is not feasible.

5.2 In the event Covered Entity determines that Business Associate has committed a material breach of any term of this Agreement, Business Associate agrees that Covered Entity has a right to obtain injunctive relief to prevent further Use or Disclosure of PHI by Business Associate. In addition to injunctive relief, Covered Entity also shall have a right to pursue any other remedy provided by law or equity.

5.3 This Agreement shall automatically terminate with respect to any Underlying Contract(s) without any further action by the Parties when all of the PHI obtained from Covered Entity or created or obtained by Business Associate on behalf of Covered Entity in connection with that Underlying Contract is destroyed or returned to Covered Entity.

5.4 Notwithstanding anything herein to the contrary, this Agreement shall terminate when Business Associate has completed performance of the Underlying Contract(s), subject, however, to Sections 5.5 and 5.6 regarding the return and destruction of PHI.

5.5 Upon termination of the Underlying Contract(s), Business Associate shall either return or destroy, if feasible, any and all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity pursuant to that Underlying Contract that Business Associate still maintains in any form, and shall cause any subcontractors and agents to do the same. Upon termination of this Agreement, Business Associate shall either return or destroy, if feasible, any and all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form, and shall cause subcontractors and agents to do the same. For purposes of this Agreement, destruction shall include, without limitation, destroying all backup tapes and permanently deleting all EPHI, and shall utilize techniques that meet or exceed guidance from HHS. Business Associate, and its subcontractors and agents, shall not retain any copies of such PHI.

Within thirty (30) days from the date of termination or other expiration of this Agreement, an authorized representative of Business Associate shall certify in writing to Covered Entity that all PHI has been returned or destroyed as provided above and that Business Associate, and its

subcontractors or agents, no longer retain any such PHI in any form. Notwithstanding the foregoing, to the extent that it is not feasible for Business Associate, or its agents or subcontractors, to return or destroy such PHI, Business Associate shall provide to Covered Entity a written statement that it is infeasible to return or destroy the PHI and describe the conditions that make return or destruction of the PHI infeasible. Upon mutual agreement by the Parties that return or destruction of the PHI is not feasible, Business Associate, and its agents and subcontractors, shall extend the protections of this Agreement to such PHI, and such PHI shall be Used or Disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI, for so long as Business Associate maintains the PHI.

NeoGenomics Laboratories, Inc.

6.4 Interpretation. In the event of a conflict between this Agreement and the Underlying Contract(s), this Agreement shall prevail to the extent necessary to allow the Covered Entity and Business Associate to comply with the Privacy Obligations. Except as supplemented and/or amended by this Agreement, the terms of the Underlying Contract(s) shall continue unchanged and shall apply with full force and effect to govern the matters addressed in the Underlying Contract(s).

6.5 Survival. Notwithstanding any other provision of this Agreement to the contrary, the terms of Sections 3, 5, and 6.11 of this Agreement shall survive termination

of this Agreement and continue indefinitely solely with respect to PHI Business Associate retains in accordance with this Agreement.

6.6 Amendment. The Parties mutually agree to enter into good faith negotiations to amend this Agreement from time to time in order for Covered Entity or Business Associate to comply with the requirements of the Privacy Obligations, as they may be amended from time to time, and any implementing regulations thereto that may be promulgated or revised from time to time.

6.7 No Third Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

6.8 Independent Contractors. None of the provisions of this Agreement are intended to create, nor will be deemed to create, any relationship between the Parties other than that of independent contracting parties with each other solely for the purposes of affecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship.

6.9 Compliance with Law. Parties agree to comply with all applicable federal and State laws and regulations governing the confidentiality and security of PHI and individually identifiable information provided by Covered Entity to Business Associate as permitted or required by this Agreement.

6.10 Governing Law. This Agreement is governed by, and shall be construed in accordance with, applicable federal law and the internal laws of the State of Florida without regard to choice of law principles.

6.11 Indemnification. Business Associate agrees to indemnify, defend and hold harmless Covered Entity, and its respective owners, employees, directors, officers, subcontractors, agents or other members of its workforce, (each of the foregoing hereinafter referred to as “Indemnified Party”) against all actual and direct losses suffered by the Indemnified Party and all liability to third parties arising from or in connection with any breach of this Agreement or from any acts or omissions related to this Agreement, including, without limitation, losses related to a Breach of Unsecured PHI or breach of individually identifiable information, by Business Associate or its employees, directors, officers, subcontractors, agents or other members of its workforce. Accordingly, on demand, Business Associate shall reimburse any Indemnified Party for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys’ fees) which may for any reason be imposed upon any Indemnified Party by reason of any suit, claim, action, proceeding or demand by any third party which results from Business Associate’s acts or omissions hereunder. Business Associate’s obligation to indemnify any Indemnified Party shall survive the expiration or termination of this Agreement.

6.12 Counterparts. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original but all of which shall constitute one and the same instrument.

BUSINESS ASSOCIATE: NEOGENOMICS LABORATORIES, INC.:

(on behalf of itself and its affiliates)

By:/s/ Sharon A. Virag   By: /s/ Douglas M. VanOort

Name: Sharon A. Virag Name: Douglas M. VanOort

Title: Consultant Title: Chief Executive Officer and Chairman

Date: August 8, 2019 Date: August 8, 2019