Business Associate Agreement

Practice Health AI Inc. Updated: March 20, 2025

PARTIES TO THIS AGREEMENT

This Business Associate Agreement (the "Agreement") is entered into between you (hereinafter referred to as the "Covered Entity") and Practice Health AI Inc. (hereinafter referred to as the "Business Associate") as of the date and time of your withpractice.ai account creation. Individually, each may be referred to as a "Party," and collectively as the "Parties."

PURPOSE

The purpose of this Agreement is to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations (collectively, the "HIPAA Rules"), as well as any applicable state laws governing the privacy and security of Protected Health Information ("PHI").

BACKGROUND

The Covered Entity is a "covered entity" as defined by the HIPAA Rules, and the Business Associate is a "business associate" as defined by the HIPAA Rules. The Parties wish to enter into this Agreement to establish the terms and conditions under which the Business Associate will use and disclose PHI in connection with the services it provides to the Covered Entity.

IN CONSIDERATION of the mutual promises and covenants contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

SECTION 1: DEFINITIONS

Capitalized terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules, unless otherwise defined herein. The following terms shall have the following meanings:

  • "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
  • "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by or maintained in electronic media.
  • "Breach" has the meaning assigned to this term in 45 CFR § 164.402 and includes the unauthorized acquisition, access, use, or disclosure of Protected Health Information that compromises the security or privacy of such information.
  • "Unsecured PHI" shall have the same meaning as the term "unsecured protected health information" in 45 CFR § 164.402.

1.1 "Breach" has the meaning assigned to this term in 45 CFR § 164.402.

1.2 "Business Associate" shall mean Practice AI.

1.3 "Covered Entity" shall mean the healthcare provider or healthcare organization that has entered into a service agreement with Practice AI.

1.4 "HIPAA" shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and its implementing regulations, as amended from time to time.

1.5 "HITECH" shall mean the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, and its implementing regulations, as amended from time to time.

1.6 "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules codified at 45 CFR Part 160 and Part 164.

1.7 "Individual" has the meaning assigned to this term in 45 CFR § 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

1.8 "Platform" means the withpractice.ai software-as-a-service offering, including but not limited to its practice management solutions, physician support solutions, electronic health record access and management, scheduling features, billing services, Telehealth capabilities, patient portal, mobile applications, and any other tools or services provided by Practice AI.

1.9 "Protected Health Information" or "PHI" and "Electronic Protected Health Information" or "Electronic PHI" have the meanings assigned to these terms in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.

1.10 "Public Health Activity" means the activities described in 45 CFR § 164.512(b).

1.11 "Public Health Authority" has the meaning assigned to this term in 45 CFR § 164.103.

1.12 "Required By Law" has the meaning assigned to this term in 45 CFR § 164.103.

1.13 "Secretary" means the Secretary of the Department of Health and Human Services or their designee.

1.14 "Services" means the services provided by Practice AI to Covered Entity pursuant to the Services Agreement, including but not limited to access to and use of the Platform, implementation services, training, support, and other professional services.

1.15 "Services Agreement" means the agreement between the Parties under which Business Associate provides Services to Covered Entity.

1.16 "Subcontractor" has the meaning assigned to this term in 45 CFR § 164.103.

SECTION 2: BUSINESS ASSOCIATE OBLIGATIONS

2.1 Permitted Uses and Disclosures: Business Associate will not use or disclose PHI except as permitted by this Agreement or as Required By Law.

2.2 Safeguards Implementation: Business Associate agrees to: a) Develop, implement, maintain, and use appropriate safeguards to prevent unauthorized use or disclosure of PHI; b) Establish administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity; and c) Ensure compliance with HIPAA Security Standards, the HITECH Act, and all other applicable laws, regulations, and requirements published by a federal agency authorized to issue guidance under HIPAA or HITECH.

2.3 Data Security: Business Associate shall implement industry-standard security measures for the Platform, including: a) Encryption of PHI at rest and in transit; b) Multi-factor authentication for access to the Platform; c) Role-based access controls; d) Regular security assessments and penetration testing; e) Security incident response procedures; and f) Backup and disaster recovery capabilities.

2.4 Subcontractor Agreements: Business Associate shall ensure, through written agreements, that any Subcontractor to whom it provides PHI agrees to the same restrictions and conditions that apply to Business Associate with respect to such information.

2.5 PHI Amendments: Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or take other measures necessary to satisfy Covered Entity's obligations under this provision.

2.6 Compliance Documentation: Business Associate agrees to make internal practices, books, and records relating to PHI use and disclosure available to the Secretary for purposes of determining Covered Entity's compliance with the Privacy Rule.

2.7 Accounting of Disclosures: Business Associate agrees to maintain and make available information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528. The Platform includes functionality to assist Covered Entity in generating reports for accounting of disclosures purposes.

2.8 Remuneration for PHI: Business Associate shall not receive remuneration in exchange for any PHI unless such remuneration is both: a) Permitted under HIPAA and HITECH; and b) Authorized by Covered Entity in writing.

2.9 Workforce Training: Business Associate shall provide training to members of its workforce regarding the requirements in the Privacy and Security Standards, with periodic updates as laws and regulations evolve.

2.10 Breach Notification: Business Associate shall provide written notice to Covered Entity of any HIPAA Breach of unsecured PHI without unreasonable delay, but in any event, no more than five (5) business days after discovery of such breach. The notification shall include: a) The identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed; b) A description of what happened, including the date of the breach and the date of discovery, if known; c) The type of information involved; d) Any steps the affected individuals should take to protect themselves; e) What the Business Associate is doing to investigate and mitigate the breach and protect against further breaches; and f) Contact information for the Business Associate for more information or questions.

Covered Entity, in its sole discretion, will determine which party shall be responsible for providing any notification to the patient, Secretary, or media that may be required under the HITECH Act. Business Associate shall be solely responsible for any costs and expenses incurred by Covered Entity and Business Associate related to a use or disclosure of PHI by Business Associate in violation of this Agreement. Business Associate shall mitigate, to the extent practicable, any harmful effect known to Business Associate resulting from a violation of this Agreement.

SECTION 3: PLATFORM SECURITY AND DATA HANDLING

3.1 Data Storage and Processing: PHI stored or processed in the Platform shall be subject to the following: a) All PHI shall be stored within the United States on secure, HIPAA-compliant servers; b) Business Associate will maintain appropriate access controls to ensure that only authorized users can access PHI; c) Business Associate will implement logging mechanisms to track access to PHI; and d) Business Associate will implement automatic timeout procedures for inactive sessions.

3.2 Backup and Recovery: Business Associate will: a) Perform regular backups of all PHI stored in the Platform; b) Implement and test disaster recovery procedures; and c) Maintain the ability to restore PHI in the event of data loss.

3.3 Platform Maintenance: Business Associate will: a) Perform regular maintenance on the Platform to ensure security and functionality; b) Apply security patches in a timely manner; c) Notify Covered Entity of scheduled maintenance that may impact service availability; and d) Conduct all maintenance activities in a manner that protects the confidentiality, integrity, and availability of PHI.

SECTION 4: AUTHORIZED USES AND DISCLOSURES

Subject to the limitations in this Agreement, Business Associate may use or disclose Protected Health Information consistent with Covered Entity's minimum necessary policies and procedures for the following purposes:

4.1 Service Performance: To perform services for, or on behalf of, the Individual, as specified in the Services Agreement between Covered Entity and Business Associate, except where such use or disclosure would violate the Privacy Rule if performed by Covered Entity. These services include: a) Practice management functions; b) Electronic health record management; c) Appointment scheduling; d) Billing and payment processing; e) Telehealth services; f) Patient engagement; g) Analytics and reporting; and h) Other services as described in the Services Agreement.

4.2 Agreement Obligations: To perform its obligations under this Agreement, except where such use or disclosure would violate the Privacy Rule if performed by Covered Entity.

4.3 Platform Improvement: To improve the Platform and Services provided to Covered Entity, provided that: a) Such use does not involve disclosure of PHI to third parties; b) Any PHI used for such purposes is de-identified in accordance with Section 5; and c) Such use is consistent with the Services Agreement.

4.4 Business Management: To conduct activities for its own proper management and administration or to fulfill its legal responsibilities, provided that any disclosure of PHI for such purpose shall be either: a) Required By Law; or b) Made after Business Associate obtains reasonable assurances from the recipient that: i. The PHI will be held confidentially and used or disclosed only for the purpose for which it was disclosed; and ii. The recipient will notify Business Associate of any instances where the confidentiality of the PHI has been breached.

For disclosures to a Subcontractor, Business Associate shall first enter into an agreement as described in Section 2.4 and require the Subcontractor to implement reasonable and appropriate safeguards to protect Electronic PHI.

4.5 Data Aggregation: To provide data aggregation services, but only to analyze data for Covered Entity's permitted health care operations, as permitted by 45 CFR § 164.504(e)(2)(i)(B).

4.6 Legal Compliance: To report violations of law in accordance with 45 CFR § 164.502(j)(1).

SECTION 5: DE-IDENTIFIED INFORMATION

5.1 Creation and Use of De-identified Information: Business Associate may create, use, and disclose de-identified PHI if: a) The de-identification complies with 45 CFR § 164.502(d); and b) The de-identified PHI meets the standard and implementation specifications for de-identification under 45 CFR § 164.514(a) and (b), as may be amended from time to time.

5.2 Aggregated Data for Platform Improvement: Business Associate may use de-identified, aggregated data derived from multiple Covered Entities using the Platform for: a) Improving the Platform; b) Developing new features and functionality; c) Providing benchmarking and analytics capabilities to Covered Entities; and d) Research and development purposes.

SECTION 6: INTELLECTUAL PROPERTY AND COVERED ENTITY OBLIGATIONS

6.1 Ownership of Materials: As between Covered Entity and Practice AI, all content on the Platform and Services, including its appearance, functionality, features, code, algorithms, documentation, and look and feel, is owned by Practice AI unless otherwise expressly indicated. Covered Entity acknowledges that Practice AI and its licensors retain ownership of all intellectual property rights related to the Platform and Services, including applicable copyrights, trademarks, patents, trade secrets, and other proprietary rights.

6.2 Restrictions on Use: Covered Entity may not modify, copy, distribute, transmit, display, perform, reverse engineer, or create derivative works from the content, information, or material on the Platform or Services. Other product and company names mentioned in connection with the Platform or Services may be trademarks of their respective owners. Practice AI reserves all rights not expressly granted under the Services Agreement. Any Practice AI trademarks, trade dress, service marks, or trade names appearing on the Platform or Services are the property of Practice AI, and no license or right to use such marks, names, or dress shall be granted to any User without Practice AI's express written permission.

6.3 User Content: Covered Entity retains all rights to the PHI and other content it uploads to or creates within the Platform. Covered Entity grants Business Associate a limited license to use such content solely for the purposes outlined in this Agreement and the Services Agreement.

6.4 Privacy Practices and Restrictions: Covered Entity shall: a) Furnish Business Associate with its notice of privacy practices prepared in accordance with 45 CFR § 164.520 and any modifications that affect Business Associate's obligations; b) Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes may affect Business Associate's use or disclosure of PHI; c) Notify Business Associate of all types of accountings of disclosures that it may require Business Associate to provide under 45 CFR § 164.528 or Section 13405(c) of HITECH; and d) Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522 or Section 13405(a) of HITECH, to the extent such restriction may affect Business Associate's use or disclosure of PHI.

6.5 Permissible Requests: Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA or HITECH if done by Covered Entity. Covered Entity shall not request Business Associate to use or disclose more than the minimum PHI necessary.

6.6 User Management: Covered Entity is responsible for: a) Managing user accounts within its organization; b) Ensuring that only authorized personnel have access to the Platform; c) Promptly deactivating access for terminated employees or those who no longer require access; and d) Implementing appropriate internal policies regarding the use of the Platform.

SECTION 7: TERM AND TERMINATION

7.1 Term: This Agreement shall commence on the Effective Date and shall terminate: a) Upon termination of the Services Agreement; b) When all Protected Health Information is destroyed or returned to Covered Entity or its designee; or c) If return or destruction of PHI is infeasible, when protections are extended to such information in accordance with Section 7.3.

7.2 Termination for Cause: a) Covered Entity Authorization: Business Associate authorizes termination of this Agreement by Covered Entity if Covered Entity determines Business Associate has violated a material term of the Agreement and has not cured the breach or ended the violation within thirty (30) days after receiving written notice of such violation.

b) Pattern of Activity: If Covered Entity knows of a pattern of activity or practice by Business Associate that constitutes a material breach or violation of Business Associate's obligations, Covered Entity shall notify Business Associate of the breach and specify a period during which Business Associate may take reasonable measures to cure the breach or end the violation. If Business Associate fails to cure the breach or end the violation within that period, Covered Entity shall terminate this Agreement as soon as feasible.

7.3 Post-Termination Obligations: Upon termination of this Agreement for any reason: a) Business Associate will provide Covered Entity with the ability to export all of Covered Entity's data in a standard format (such as CSV, XML, or PDF) or in another format mutually agreed upon; b) Business Associate will return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity and will retain no copies, except as provided in this Section; c) This provision applies to PHI in the possession of Subcontractors of Business Associate; and d) If Business Associate determines that return or destruction of PHI is infeasible, Business Associate shall: i. Notify Covered Entity; and ii. Extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for as long as Business Associate maintains the PHI.

SECTION 8: INDEMNIFICATION

Each party (the "Indemnifying Party") shall indemnify and hold harmless the other party and its officers, directors, employees, and agents (each an "Indemnified Party") from and against any claim, cause of action, liability, damage, cost, or expense ("Liabilities") to which the Indemnified Party becomes subject as a result of: a) Third-party claims (including reasonable attorneys' fees and court or proceeding costs) brought against the Indemnified Party; and b) Any costs or expenses (including reasonable attorneys' and consulting fees) and penalties incurred in connection with any governmental investigation, audit, breach notification, and remediation required by federal, state, or local law, which arise as a result of: i. The material breach of this Agreement by the Indemnifying Party or its Subcontractors; or ii. The gross negligence or willful misconduct of the Indemnifying Party, except to the extent such Liabilities were caused by the Indemnified Party.

A party entitled to indemnification under this Section shall promptly notify the Indemnifying Party in writing of the commencement of any action, suit, or proceeding relating to a third-party claim or governmental investigation or audit for which indemnification is sought, subject to applicable confidentiality constraints. This Section 8 shall survive termination of this Agreement.

SECTION 9: MISCELLANEOUS PROVISIONS

9.1 Regulatory References: References in this Agreement to a section in HIPAA or HITECH mean the section as in effect or as redesignated after execution of this Agreement.

9.2 Amendment: The Parties agree to amend this Agreement as necessary for compliance with the requirements of HIPAA or HITECH, as each may be amended or interpreted by courts of applicable jurisdiction or the Secretary. All amendments, except those occurring by operation of law, shall be in writing and signed by both Parties.

9.3 Survival: Any provision of this Agreement which contemplates performance or observance subsequent to termination or expiration, including without limitation Sections 2, 7.3, and 8, shall survive termination or expiration and continue in full force and effect.

9.4 Governing Law: This Agreement shall be governed and construed in accordance with the laws of the State of Delaware, without regard to conflict of law principles. Any legal action arising from this Agreement shall be instituted in a federal or state court of competent jurisdiction in the State of Delaware, and each Party consents to personal jurisdiction in such court and waives any objection to venue, including any defense of forum non conveniens.

9.5 Interpretation: Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with HIPAA and HITECH.

9.6 No Third-Party Beneficiaries: Nothing express or implied in this Agreement confers upon any person or Individual, other than Covered Entity, Business Associate, and their respective successors or assigns, any rights, remedies, obligations, or liabilities.

9.7 Assignment: Neither Party shall assign rights or obligations under this Agreement without the prior written consent of the other Party; provided, however, that Business Associate may assign this Agreement to an affiliate.

9.8 Effect on Agreement: Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of the underlying Services Agreement shall remain in force and effect.

9.9 Section Headings and Counterparts: The descriptive headings of the sections of this Agreement are for convenience only and do not constitute a part of this Agreement. This Agreement may be executed in any number of counterparts, including facsimile or electronic copies, each of which shall be deemed an original, and all counterparts together shall constitute one and the same document.

9.10 Contact Information: For questions regarding this Agreement or to report privacy or security concerns, Covered Entity may contact Practice AI at privacy@withpractice.ai or through the support channels provided in the Platform.