Business Associate Addendum
Last Modified: October 18, 2024
This Business Associate Addendum ("BAA") is made by and between Pi Health ("Business Associate") and Customer ("Covered Entity") pursuant to one or more service agreements entered into between the parties (collectively, the "Agreement").
Covered Entity and Business Associate mutually agree to the terms of this BAA in order to comply with the HIPAA Rules, as defined below. In the event of a conflict between the terms of this BAA and the rest of the Agreement with respect to Protected Health Information, this BAA shall control.
1. Definitions
- "Covered Entity" refers to the Customer.
- "Business Associate" refers to Pi Health.
- "Breach" shall have the same meaning as the term "Breach" in 45 CFR 164.402.
- "HIPAA" shall mean the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the HITECH Act and the federal regulations ("HIPAA Rules") published at 45 CFR parts 160 and 164.
- "Privacy Rule" means the privacy regulations at 45 CFR Part 160 and 45 CFR Part 164, Subparts A and E.
- "Security Rule" means the security regulations at 45 CFR Part 160 and 45 CFR Part 164, Subparts A and C.
- "Individual" shall have the same meaning as in 45 CFR 160.103.
- "Protected Health Information" shall have the same meaning as defined in 45 CFR 160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
- "Secure" shall mean to render unusable, unreadable or indecipherable to unauthorized individuals through technology or methodology specified by the Secretary.
- "Successful Security Incident" shall mean any Security Incident that results in the unauthorized use, access, disclosure, modification or destruction of electronic Protected Health Information.
2. Obligations of Business Associate
- Business Associate agrees to comply with the HIPAA Rules concerning the confidentiality, privacy, and security of Protected Health Information.
- Business Associate shall not use or disclose Protected Health Information except as permitted by this BAA or as Required by Law.
- Business Associate may use Protected Health Information for its proper management and administration or to carry out its legal responsibilities, provided disclosures are Required by Law or reasonable assurances are obtained.
- Business Associate may de-identify Protected Health Information in accordance with 45 CFR 164.514(a)-(c).
- Business Associate may provide data aggregation services relating to health care operations.
- Business Associate agrees to mitigate any harmful effect resulting from a Security Incident or any use or disclosure in violation of this BAA.
- Business Associate agrees to ensure any agent or Subcontractor agrees in writing to terms at least as protective as this BAA.
- Business Associate agrees to use only the Minimum Necessary Protected Health Information.
- Business Associate agrees to report any Potential Breach to Covered Entity within ten (10) business days of discovery.
- Business Associate shall provide access to Protected Health Information within ten (10) business days of receipt of a request from Covered Entity.
- Business Associate shall make requested amendments to Protected Health Information within ten (10) business days.
3. Obligations of Covered Entity
- Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, Individual authorizations.
- Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information.
4. Term and Termination
This BAA shall be effective as of the effective date of the Agreement and shall terminate when all Protected Health Information is destroyed or returned to Covered Entity. Upon termination, Business Associate shall return or destroy all Protected Health Information. If return or destruction is not feasible, the protections of this BAA shall extend to such information.
5. Miscellaneous
- Regulatory References: References to HIPAA regulations mean those sections as in effect or as amended.
- Survival: Obligations under this BAA shall survive termination.
- Interpretation: Any ambiguity shall be resolved to permit compliance with the HIPAA Rules.