Business Associate Agreement

Upheal, Inc.

Effective July 26, 2023

THIS BUSINESS ASSOCIATE AGREEMENT (the “Agreement” or “BAA”) is an agreement between Upheal, Inc. (“Upheal”), a HIPAA Business Associate, and the entity using the Upheal Platform and Services (“Customer”), a HIPAA Covered Entity; each a Party, and together the Parties.

WHEREAS, the Parties agree that Upheal may have access to PHI (as defined below) in order to perform Upheal’s obligations and services to or on behalf of Customer;

WHEREAS, the Parties desire to comply with the Health Insurance Portability and Accountability Act 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A of the American Recovery and Reinvestment Act of 2009, and the regulations promulgated thereunder (collectively, “HIPAA”), as applicable to Upheal’s relationship with the Customer;

The terms used in this BAA have the meanings set forth in this BAA. Capitalized terms not otherwise defined herein and that are also not defined in the HIPAA have the meaning given to them in the Agreement, if applicable and as defined below;

This Agreement takes effect on the date (the “Agreement Effective Date”) when you click the “Accept Upheal Business Associate Agreement” button (or other electronic means made available by Upheal for such purpose) presented with this Agreement (an “Accept Button”). You represent to Upheal that you are lawfully able to enter into contracts, and if you are entering into this Agreement for an entity, such as the company you work for, you represent to Upheal that you have legal authority to bind that entity.

NOW THEREFORE, the parties agree as follows:

Definitions

Catch-all definition:

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Specific definitions:

(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Upheal.

(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean you or the entity you represent.

(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

(d) Secretary. “Secretary” means the Secretary of Health and Human Services (HHS) or any other officer or employee of HHS to whom the authority involved has been delegated.

Obligations and Activities of Upheal as the Business Associate

(a) Not use or disclose sensitive information other than (i) as permitted or required by the BAAs and other agreements between the Parties or this BAA or (ii) as required by law;

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to sensitive information, to prevent use or disclosure of sensitive information other than as provided for by this Agreement;

(c) Report to Covered Entity any use or disclosure of sensitive information not provided for by the Agreement of which Upheal becomes aware, including breaches of unsecured sensitive information as required at 45 CFR 164.410, and any security incident of which Upheal becomes aware;

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit sensitive information on behalf of Upheal agree to the same restrictions, conditions, and requirements that apply to Upheal with respect to such information;

(e) Make available sensitive information in a designated record set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;

(f) Make any amendment(s) to sensitive information in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;

(g) Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;

(h) To the extent Upheal is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s);

(i) Without limiting any other express provision in this BAA, Upheal acknowledges and agrees that, with respect to Electronic PHI, Upheal shall comply with applicable provisions of the HIPAA Security Rule, as amended from time to time by the Secretary. Upheal agrees to use appropriate administrative, physical, and technical safeguards to prevent use or disclosure of Electronic PHI other than as provided for by this BAA.

(j) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules promptly following receipt of a written request to do so.

(k) If the Customer’s use of the Upheal Platform and Services exceeds 6 years, by default, Upheal will delete all relevant HIPAA log files older than 6 years. If the Customer, in order to fulfill its obligations, must retain these log files for a longer period, the Customer is responsible for notifying Upheal of this need.

Permitted Uses and Disclosures by Upheal

(a) Upheal may only use or disclose sensitive information as necessary to perform the services set forth in the Service Agreement and according to the terms and conditions of the use of Upheal’s services.

(b) Upheal may use or disclose sensitive information only as required by law.

(c) Upheal agrees to make uses, disclosures and requests for sensitive information consistent with Covered Entity’s minimum necessary policies and procedures.

(d) Upheal may not use or disclose sensitive information in a manner that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity.

(e) Except as otherwise limited in this Agreement, Upheal may use sensitive information to provide Data Aggregation services to the Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).

(f) Upheal will not receive direct or indirect remuneration in exchange for any sensitive information under any circumstances.

(g) Upheal will use only de-identified, aggregated, anonymous information to improve the application.

Obligations of Customer

(a) Customer undertakes to comply with its obligations under HIPAA.

(b) Customer shall notify Upheal of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Upheal’s use or disclosure of sensitive information.

(c) Customer shall notify Upheal of any changes in, or revocation of, the permission by an individual to use or disclose their sensitive information, to the extent that such changes may affect Upheal’s use or disclosure of sensitive information.

(d) Customer shall notify Upheal of any restriction on the use or disclosure of sensitive information that the Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Upheal’s use or disclosure of sensitive information.

(e) Customer shall determine the retention period of the PHI and is responsible to comply with the data retention period provided by the applicable law.

Safeguards, Reporting, Mitigation, and Enforcement

(a) Safeguards. Upheal shall use any and all appropriate administrative, physical, and technical safeguards to (i) prevent use or disclosure of Covered Entity’s sensitive information otherwise than as provided by this Agreement and (ii) protect the confidentiality, integrity, and availability of any sensitive information. Upheal uses the measures to maintain the security of sensitive information found here.

(b) Upheal’s Agents. Upheal shall ensure that any agents, including subcontractors, to whom it provides sensitive information agree in writing to be bound by the same restrictions and conditions that apply to Upheal with respect to such sensitive information.

(c) Reporting. Upheal shall report to Covered Entity as soon as practicable any use or disclosure of Covered Entity’s sensitive information in violation of this Agreement or applicable law that Upheal becomes aware of. Upheal shall also report to Covered Entity within the same time frame any Security Incident of which it becomes aware.

(d) Mitigation. Upheal shall have procedures in place to mitigate, to the maximum extent practicable, any deleterious effect from any use or disclosure of Covered Entity’s sensitive information in violation of this Agreement or applicable law.

(e) Sanctions. Upheal shall have and apply appropriate sanctions against any employee, subcontractor, or agent who uses or discloses Covered Entity’s sensitive information in violation of this Agreement or applicable law.

Term and Termination

(a) The Term of this BAA shall be effective as of the Agreement Effective Date, and shall terminate at the termination of the Service Agreement.

(b) Except as provided in paragraph (c) of this Section, upon termination of the Service Agreement for any reason, Upheal shall return or destroy all PHI received from Customer, or created or received by Upheal on behalf of Customer at the choice of Customer. This provision shall apply to PHI that is in the possession of Subcontractors of Upheal.

(c) In the event that Upheal must maintain the PHI as it is required to do so by law or compelled by a court, government or administrative agency of competent jurisdiction, Upheal shall provide to Customer notification of the conditions that make return or destruction infeasible. Until the PHI is deleted, Upheal shall continue to ensure compliance with this BAA and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible.

Limitation of Liability

Upheal’s liability to Customer under or in connection with this BAA (including, without limitation, for any breach of this BAA or of HIPAA) shall be subject to the limitations of liability set out in this Agreement.

Miscellaneous

(a) Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

(b) Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.

(c) Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

(d) Entire Agreement. This BAA constitutes the entire agreement and understanding between the Parties in respect of the matters dealt with herein and supersedes any previous agreement between the Parties relating to such matters. Each of the Parties acknowledges and agrees that in entering into this BAA it does not rely on, and shall have no remedy in respect of, any statement, representation, warranty or understanding (whether negligently or innocently made) other than as expressly set out in this BAA. The only remedy available to any Party in respect of any such statement, representation, warranty or understanding shall be for breach of contract under the terms of this BAA. Nothing in this clause shall operate to exclude or limit any liability for fraud or fraudulent misrepresentation.