
Business Associate Agreement

This Business Associate Agreement (the “BAA”) is made and entered into as of the date of acceptance identified below (the “Effective Date”), by and between the customer identified in the acceptance process or signature block below (“Covered Entity”) and Alpyne Labs, Inc., a Delaware corporation (“Business Associate”).

Covered Entity and Business Associate are each referred to herein as a “Party” and collectively as the “Parties.”


Background

I. Covered Entity is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA's provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);

II. The Parties have entered into or will enter into a Master Services Agreement under which Business Associate provides or will provide certain specified services to Covered Entity (the “Agreement”);

III. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;

IV. By providing the services pursuant to the Agreement, Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA;

V. Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and

VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA, and other applicable laws.


Agreement

NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:


1. Definitions

For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.

“Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.

“Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR Section 164.402.

“Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.

“Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the business associate of Covered Entity, the combining of such PHI by Business Associate with PHI received by Business Associate from other covered entities, for the purpose of permitting data analyses that relate to the Health Care Operations of the respective covered entities or for Business Associate's own business purposes as permitted under the Master Services Agreement, including product improvement, research, and analytics. Data Aggregation may include de-identification of aggregated datasets in accordance with Section 2.D (De-Identification and Research). The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.

“Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR Section 164.501.

“De-Identify” or “De-Identification” means to alter PHI such that the resulting information meets the requirements described in 45 CFR Sections 164.514(a) and (b), rendering it no longer Protected Health Information under HIPAA.

“Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR Section 160.103.

“Health Care Operations” has the meaning given to that term in 45 CFR Section 164.501.

“HHS” means the U.S. Department of Health and Human Services.

“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.

“Individual” has the same meaning given to that term in 45 CFR Sections 164.501 and 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR Section 164.502(g).

“Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.

“Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR Sections 164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

“Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

“Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 and Part 164, Subparts A and C.

“Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR Sections 164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC Section 17932(h).


2. Use and Disclosure of PHI

2.A. Permitted Uses and Disclosures

Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.

2.B. Management and Administration

Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate's business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party: (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party; and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.

2.C. Minimum Necessary and Limited Data Set

Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC Section 17935(b)) and any of the act's implementing regulations adopted by HHS, for each use or disclosure of PHI.

2.D. De-Identification and Research

Business Associate may de-identify PHI in accordance with 45 CFR Section 164.514 for purposes of creating de-identified datasets that Business Associate may use for research, product development, quality improvement, artificial intelligence model training, and other business purposes as described in the Master Services Agreement.

Covered Entity acknowledges and agrees that once PHI has been properly de-identified in accordance with HIPAA standards, such de-identified data is no longer Protected Health Information and is not subject to the restrictions of this BAA. Business Associate may use such de-identified data for Business Associate's business purposes as set forth in the Master Services Agreement, including but not limited to product improvement, analytics, research, and training of artificial intelligence models and algorithms.

Business Associate will implement and maintain appropriate processes, controls, and safeguards to ensure that de-identified data cannot reasonably be re-identified.

2.E. Availability of PHI

Upon request, Business Associate will make available to Covered Entity any of Covered Entity's PHI that Business Associate or any of its agents or subcontractors have in their possession.

2.F. Reporting Violations

Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR Section 164.502(j)(1).


3. Safeguards Against Misuse of PHI

Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA.

Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with the requirements of the HIPAA Security Rule.

Such safeguards shall include, at a minimum:

  • Encryption of all PHI at rest using AES-256 encryption or equivalent industry-standard encryption
  • Encryption of all PHI in transit using TLS 1.2 or higher
  • Secure authentication and access controls limiting PHI access to authorized personnel with a need to know
  • Role-based access controls ensuring personnel can only access PHI necessary to perform their job functions
  • Regular security monitoring, logging, and periodic security assessments
  • Workforce training on HIPAA requirements and data security practices

Business Associate agrees to take reasonable steps, including providing adequate training to its employees, to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.


4. Reporting Disclosures of PHI and Security Incidents

Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware.

Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware.

Business Associate agrees to report any such event within five (5) business days of becoming aware of the event.


5. Reporting Breaches of Unsecured PHI

Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR Section 164.410, but in no case later than thirty (30) calendar days after discovery of a Breach.

Business Associate will reimburse Covered Entity for reasonable and documented costs incurred by Covered Entity in complying with the breach notification requirements of 45 CFR Sections 164.404 through 164.408 that are directly caused by a breach committed by Business Associate, provided that:

(a) Business Associate's liability under this Section 5 shall not exceed one hundred thousand dollars ($100,000) per breach incident, except in cases of Business Associate's gross negligence, willful misconduct, or material violation of Section 3 (Safeguards Against Misuse of PHI) of this BAA, for which there shall be no cap on liability;

(b) Covered Entity provides Business Associate with reasonable documentation of costs incurred within ninety (90) days of incurring such costs;

(c) Costs are reasonable, necessary, and directly attributable to the breach caused by Business Associate; and

(d) Business Associate shall have no liability for costs incurred as a result of Covered Entity's failure to maintain its own required safeguards or Covered Entity's unreasonable delay in implementing breach notification.


6. Mitigation of Disclosures of PHI

Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.


7. Agreements with Agents or Subcontractors

Business Associate will ensure that any agents, subcontractors, or other parties that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to terms that:

(a) Impose restrictions and obligations on the subcontractor that are at least as protective as those imposed on Business Associate under this BAA;

(b) Require the subcontractor to implement appropriate administrative, physical, and technical safeguards to protect PHI;

(c) Require the subcontractor to report any security incidents or breaches to Business Associate promptly;

(d) Authorize termination of the subcontract if the subcontractor violates such terms; and

(e) Ensure compliance with the HIPAA Privacy Rule and Security Rule.

Business Associate will maintain a current list of all subcontractors with access to PHI, which shall be made available to Covered Entity upon reasonable written request. Business Associate will provide Covered Entity with reasonable advance written notice of the addition of any new subcontractor that will have access to PHI, and Covered Entity may object to such subcontractor on reasonable grounds related to privacy or security concerns.

Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security protection as this BAA.


8. Audit Rights

Business Associate will make available to Covered Entity, upon reasonable advance written request and no more than once per twelve (12) month period, documentation of Business Associate's HIPAA security and privacy practices, which may include:

(a) Security policies and procedures;

(b) Risk assessment summaries (with confidential information redacted as appropriate);

(c) Workforce training records (de-identified);

(d) Incident response procedures; and

(e) Independent security audit reports, if available (e.g., SOC 2 Type II, HITRUST CSF certification, or AT-C 315 examination report).

Business Associate is not required to have obtained independent third-party security certification, but will work toward obtaining appropriate security certification as the business scales and resources permit.

If Covered Entity has reasonable concerns about Business Associate's HIPAA compliance based on review of provided documentation, the Parties will work together in good faith to address such concerns, and Business Associate will provide reasonable additional information or implement reasonable additional safeguards as may be necessary to demonstrate compliance.

Covered Entity agrees not to re-disclose Business Associate's audit reports or confidential security documentation without Business Associate's prior written consent.


9. Access to PHI by Individuals

9.A. Providing Access

Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual's request for access to PHI under 45 CFR Section 164.524.

9.B. Direct Requests

In the event any Individual or personal representative requests access to the Individual's PHI directly from Business Associate, Business Associate will forward that request to Covered Entity within ten (10) business days. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative, and compliance with the requirements applicable to an Individual's right to obtain access to PHI, shall be the sole responsibility of Covered Entity.


10. Amendment of PHI

10.A. Making Amendments

Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR Section 164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within fifteen (15) business days of Covered Entity's request.

10.B. Direct Amendment Requests

In the event that any Individual requests that Business Associate amend such Individual's PHI or record in a Designated Record Set, Business Associate will forward this request to Covered Entity within ten (10) business days. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual, and compliance with the requirements applicable to an Individual's right to request an amendment of PHI, will be the sole responsibility of Covered Entity.


11. Accounting of Disclosures

11.A. Documentation and Information

Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR Section 164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR Section 164.528.

At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.

11.B. Providing Accounting

Business Associate will furnish to Covered Entity information collected in accordance with this Section 11, within ten (10) business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR Section 164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.

11.C. Direct Accounting Requests

In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will forward such request to Covered Entity within ten (10) business days.


12. Availability of Books and Records

Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS or the Secretary's designee for purposes of determining Covered Entity's and Business Associate's compliance with HIPAA and this BAA.


13. Responsibilities of Covered Entity

With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:

(a) Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

(b) Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

(c) Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

(d) Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.


14. Data Ownership

Business Associate's data stewardship does not confer data ownership rights on Business Associate with respect to any PHI or other data shared with it under the Agreement, including any and all forms thereof.

As between the Parties, Covered Entity retains all ownership rights in and to PHI. Business Associate's rights to use PHI are limited to those expressly granted in this BAA and the Master Services Agreement.


15. Term and Termination

15.A. Term

This BAA will become effective on the Effective Date, and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA, or until terminated in accordance with this Section 15.

15.B. Termination by Covered Entity

Covered Entity may immediately terminate this BAA, the Agreement, and any other related agreements if Covered Entity makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Covered Entity's reasonable satisfaction, within thirty (30) days after written notice from Covered Entity. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible.

15.C. Termination by Business Associate

If Business Associate determines that Covered Entity has breached a material term of this BAA, then Business Associate will provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with thirty (30) days to cure the breach. Covered Entity's failure to cure the breach within the thirty (30) day period will be grounds for immediate termination of the Agreement and this BAA by Business Associate. Business Associate may report the breach to HHS.

15.D. Effect of Termination; Return or Destruction of PHI

Upon termination of the Agreement or this BAA for any reason:

(a) Business Associate will return to Covered Entity or destroy all PHI in Business Associate's possession or control, except as provided in subsection (b) below;

(b) Business Associate may retain PHI to the extent required by federal or state law, including but not limited to medical billing and healthcare record retention requirements, which may require retention for up to seven (7) years or longer. Business Associate will provide Covered Entity with written certification identifying the PHI retained and the legal basis for retention;

(c) PHI retained pursuant to subsection (b) shall continue to be subject to all protections, restrictions, and obligations of this BAA for the duration of such retention;

(d) Business Associate will delete PHI from active production systems within sixty (60) days of termination, subject to the retention requirements in subsection (b). PHI may remain in backup systems during the legally required retention period;

(e) If return or destruction of PHI is not feasible, in Business Associate's reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible.

This provision will apply to PHI in the possession of Business Associate's agents and subcontractors.

The Parties understand that this Section 15.D will survive any termination of this BAA.

15.E. Force Majeure

Neither Party shall be liable for failure to perform its obligations under this BAA to the extent such failure is caused by circumstances beyond its reasonable control, including but not limited to: acts of God, natural disasters, pandemics, epidemics, war, terrorism, civil unrest, governmental actions or orders, utility or telecommunications failures, internet service disruptions, or failures of third-party cloud hosting providers or other service providers.

The Party affected by such circumstances shall promptly notify the other Party in writing of the force majeure event, providing details of the event and its anticipated impact on performance, and shall use commercially reasonable efforts to resume performance as promptly as practicable.

If such circumstances continue for more than thirty (30) consecutive days and materially affect Business Associate's ability to safeguard PHI or perform its obligations under this BAA, either Party may terminate this BAA and the underlying Agreement upon written notice to the other Party.


16. Effect of BAA

16.A. Relationship to Agreement

This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement with respect to the handling of Protected Health Information, the terms of this BAA will govern.

16.B. No Third-Party Beneficiaries

Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.


17. Regulatory References

A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.


18. Notices

All notices, requests, demands, or other communications to be given under this BAA to a Party will be made by first class mail, registered or certified mail, express courier, or electronic mail to the Party's address given below:

Attn: Justin Ith
Alpyne Labs, Inc.
Email: info@alpynelabs.com
Address: King County, Washington, United States


19. Amendments and Waiver

This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.


20. HITECH Act Compliance

The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance.

Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act.

The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective. In the event that the Parties are unable to reach agreement on such a modification, either Party will have the right to terminate this BAA upon thirty (30) days' prior written notice to the other Party.


21. Compliance with State Law

In addition to HIPAA and the HITECH Act, the Parties shall comply with applicable state laws governing the privacy and security of health information, including state-specific protections for mental health and behavioral health records. To the extent that state law provides greater protections or imposes stricter requirements than HIPAA, such state law shall apply.


22. Acceptance and Execution

This BAA may be accepted and executed in one of the following ways:

(a) Manual or Electronic Signature: By execution of the signature blocks below; or

(b) Electronic Acceptance via Master Services Agreement: By electronic acceptance through the Master Services Agreement acceptance process (whether via clickthrough, checkbox acceptance, or similar mechanism), in which case Customer's acceptance of the Master Services Agreement constitutes simultaneous acceptance and agreement to this BAA.

Both methods of acceptance create a legally binding agreement between the Parties with the same force and effect.