Business Associate Agreement

Last Updated: 4/22/2024

This Business Associate Agreement (this "Agreement") is entered into as of the date of last signature below (the "Effective Date") by and between Covered Entity, as identified in the signature page of this Agreement, and Advanced Therapy Systems, Inc. d/b/a Moments ("Business Associate") (each, a "Party" and collectively, the "Parties").

1. Background and Purpose

The Parties have entered into one or more agreements, written or oral, pursuant to which Business Associate performs functions or activities for, or provides services to, Covered Entity that involve the use and disclosure of Protected Health Information (as defined below) (the "Terms and Conditions"). In connection with the Terms and Conditions, the Parties wish to execute this Agreement (1) to ensure Covered Entity and Business Associate's compliance with health information privacy and security rules promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and codified at 45 C.F.R. Part 160 and Part 164, subparts A and C (the "Security Rule"), subparts A and D (the "Breach Notification Rule"), and subparts A and E (the "Privacy Rule"), all as applicable and as amended, and (2) to ensure that Business Associate protects the privacy and security of Protected Health Information as further provided herein. This Agreement is intended to apply to any existing relationships between Covered Entity and Business Associate involving the exchange of Protected Health Information.

2. Definitions

Unless otherwise defined in this Agreement, all capitalized terms used in this Agreement have the meanings ascribed to them in HIPAA, the Privacy Rule, the Security Rule, and the Breach Notification Rule; provided, however, that "Protected Health Information" or "PHI" shall mean Protected Health Information limited to the information Business Associate received from, or created, maintained, transmitted, or received on behalf of, Covered Entity.

3. Obligations of the Parties with Respect to PHI

3.1 Obligations of Business Associate

With regard to its use and disclosure of PHI, Business Associate agrees to:

  • 3.1.1 not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law.
  • 3.1.2 use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing, Business Associate will: (i) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI (or "EPHI") that it receives from, or creates, receives, maintains, or transmits on behalf of Covered Entity; (ii) ensure that any agent of Business Associate, including a subcontractor, to whom Business Associate provides such EPHI agrees, in writing, to implement substantially the same safeguards and other measures to protect such EPHI as set forth in this Agreement; and (iii) promptly report to Covered Entity any Security Incident of which Business Associate becomes aware.
  • 3.1.3 report to Covered Entity any use or disclosure of PHI in violation of this Agreement, as well as any incident which, in Business Associate's view, compromises the security of PHI, of which Business Associate becomes aware.
  • 3.1.4 ensure that any agent, including any subcontractor, to whom Business Associate provides PHI agrees in writing to the same restrictions and conditions on the use and disclosure of PHI that apply to Business Associate pursuant to this Agreement.
  • 3.1.5 make available any and all PHI held in a designated record set required for Covered Entity to respond to an Individual's request for access to PHI about them in accordance with 45 C.F.R. § 164.524.
  • 3.1.6 make available PHI held in a designated record set for amendment and incorporate any such amendment as directed by Covered Entity to allow Covered Entity to comply with 45 C.F.R. § 164.526.
  • 3.1.7 document any and all disclosures of PHI by Business Associate or its agents, including subcontractors, as well as any other information related to such disclosures of PHI that would be required for Covered Entity to respond to an Individual's request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
  • 3.1.8 make available any and all information documented in accordance with subsection 3.1.g.
  • 3.1.9 make available to the Secretary of the U.S. Department of Health and Human Services ("HHS") any and all internal practices, books, and records of Business Associate or its agents, including subcontractors, relating to the use and disclosure of PHI, for purposes of determining Covered Entity's compliance with the Privacy Rule.
  • 3.1.10 comply with the Security Rule.
  • 3.1.11 not, directly or indirectly, receive remuneration in exchange for Covered Entity's PHI without Covered Entity's prior written approval.
  • 3.1.12 to the extent Business Associate is to carry out one or more of Covered Entity's obligations under the Privacy Rule, comply with the requirements of the Privacy Rule applicable to Covered Entity in the performance of such obligations.

3.2 Permitted Uses and Disclosures of PHI by Business Associate

Except as otherwise specified in this Agreement, and subject to the provisions of this Agreement, Business Associate may make any and all uses and disclosures of PHI necessary to perform its obligations under the Terms and Conditions. Unless otherwise limited by this Agreement, Business Associate may also:

  • (a) use the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Business Associate;
  • (b) disclose the PHI in its possession to a third party for the purpose of Business Associate's proper management and administration or to carry out the legal responsibilities of Business Associate, provided that the disclosures are Required by Law or that Business Associate has obtained reasonable assurances from the third party to whom PHI is to be disclosed that the PHI will be held confidentially and used and further disclosed only as Required by Law or for the purposes for which it was disclosed to the third party, and the third party has agreed to notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached;
  • (c) provide Data Aggregation services relating to the Health Care Operations of Covered Entity as permitted by the Privacy Rule.

So long as Business Associate complies with HIPAA's de-identification standards, Business Associate may, and may permit its agents or subcontractors to, de-identify PHI and use and disclose de-identified data derived from PHI without the prior written consent of Covered Entity for any lawful purpose.

Except for uses and disclosures permitted pursuant to Sections 3.2(a), (b), and (c), Business Associate may not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity.

3.3 Obligations of Covered Entity

Covered Entity agrees to notify Business Associate of any restrictions on uses and disclosures of PHI to which Covered Entity agrees that will impact in any manner the use and/or disclosure of that PHI by Business Associate under this Agreement. Covered Entity agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI that will impact in any manner the use and/or disclosure of that PHI by Business Associate under this Agreement. If applicable, Covered Entity agrees to notify Business Associate of any changes in its Notice of Privacy Practices that will impact in any manner the use and/or disclosure of PHI by Business Associate under this Agreement. Covered Entity will limit disclosure of PHI to Business Associate to the minimum necessary for Business Associate to provide services to Covered Entity pursuant to the Terms and Conditions.

3.4 Breach of Unsecured Protected Health Information

Business Associate shall maintain systems having the purpose to monitor and detect a potential Breach of Unsecured PHI, whether the Unsecured PHI is in paper or electronic form. Business Associate shall provide to Covered Entity notice of any potential Breach of Unsecured PHI within five (5) business days of the first day the potential Breach is known, or reasonably should have been known, to Business Associate, including for this purpose any employee, officer, or other agent of Business Associate (other than the individual committing the potential Breach). The notice shall include, to the extent possible, the identification of each individual whose Unsecured PHI was, or is reasonably believed to have been, subject to the potential Breach and the circumstances of the potential Breach, as both are known to Business Associate at that time. Business Associate shall cooperate with Covered Entity with respect to Covered Entity's determination of whether the potential Breach is a Breach of Unsecured PHI requiring notifications pursuant to the Breach Notification Rule.

3.4.1 Effect of Changes to HIPAA, the Privacy Rule, Security Rule, or Breach Notification Rule

To the extent that any relevant provision of HIPAA, the Privacy Rule, the Security Rule, or the Breach Notification Rule is amended in a manner that materially changes the obligations of Business Associate or Covered Entity that are embodied in the terms of this Agreement, the Parties agree to amend this Agreement in order to give effect to such revised obligations or, if the Parties cannot agree on an amendment to this Agreement, terminate this Agreement and the Terms and Conditions.

4. Termination

4.1 Term

The term of this Agreement shall commence on the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such PHI in accordance with the provisions of Section 4.3, unless earlier terminated as provided herein.

4.2 Breach of this Agreement

Upon either Party's knowledge of a material breach of the terms of this Agreement by the other Party, the non-breaching Party shall provide the breaching Party written notice of that breach in sufficient detail to enable the breaching Party to understand the specific nature of that breach and afford the breaching Party an opportunity to cure the breach. If the breaching Party fails to cure the breach within a reasonable time as specified by the non-breaching Party, the non-breaching Party may terminate this Agreement and the Terms and Conditions upon thirty (30) days written notice or upon such lesser notice as may be required by applicable law.

4.3 Return or Destruction

Upon the termination or expiration of this Agreement for any reason, Business Associate shall, at Covered Entity's option, return to Covered Entity or destroy any and all PHI in the possession or control of Business Associate and its agents, including subcontractors, and retain no copies, if it is feasible to do so. If return or destruction of PHI is infeasible, as determined by mutual agreement of the Parties, Business Associate agrees to: (a) provide written notification to Covered Entity of the conditions that make such return or destruction infeasible; and (b) for so long as Business Associate or its agents, including subcontractors, maintain such PHI, (i) extend all protections contained in this Agreement to the use and/or disclosure of any retained PHI by Business Associate or its agents, including subcontractors, and (ii) limit any further uses and/or disclosures of such PHI by Business Associate or its agents, including subcontractors, to the purposes that make the PHI's return or destruction infeasible. At such time as Business Associate determines that return or destruction of the PHI is feasible, Business Associate shall notify Covered Entity and, at Covered Entity's option, return or destroy the PHI in accordance with Covered Entity's reasonable instructions.

5. Indemnification; Limitations of Liability

The parties agree and acknowledge that except as set forth herein, the indemnification obligations and limitations of liability contained under the Terms and Conditions shall govern each party's performance under this BAA.

6. Miscellaneous

6.1 Interpretation

The terms of this Agreement shall prevail in the case of any conflict with the terms of any Terms and Conditions to the extent necessary to allow Covered Entity and Business Associate to comply with applicable provisions of HIPAA, the Privacy Rule, the Security Rule, or the Breach Notification Rule.

6.2 Survival

The obligations imposed on both Parties pursuant to this Agreement with respect to PHI shall survive termination of this Agreement and continue indefinitely solely with respect to PHI that Business Associate or its agents, including subcontractors, retain in accordance with Section 4.3.

6.3 No Third Party Beneficiaries

Except as may be specifically set forth in this Agreement, nothing in this Agreement shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

6.4 Privileges and Protections Not Waived

Nothing herein shall be construed as waiver of applicable legal or other privileges or protections held or enjoyed by either Party.

6.5 Amendment

This Agreement shall not be amended except by the mutual written agreement of the Parties. Additionally, Business Associate may amend this Agreement with 30 days' written notice to Covered Entity. Failure of Covered Entity to object in writing during the 30-day notice period shall constitute acceptance of such amendment.

6.6 Assignment

Neither Party may assign any of its rights or obligations under this Agreement without the prior written consent of the other Party.

6.7 Notice

Any notices required hereunder shall be given as set forth in the Terms and Conditions. If the Terms and Conditions do not include a provision for notices, then any and all notices or other communications required or permitted to be given under any of the provisions of this Agreement will be made electronically to the Covered Entity contact specified on record in Covered Entity's account information.

6.8 Governing Law

This Agreement will be governed by the laws of the State of Colorado.

6.9 No Agency; Independent Contractor

Each Party is and shall be considered to be an independent contractor of the other Party. Neither Party shall be the legal agent of the other for any purpose whatsoever and neither Party has any right or authority to make or underwrite any promise, warranty or representation, to execute any contract or otherwise to assume any obligation or responsibility in the name of or on behalf of the other Party. Neither Party shall be bound by or liable to any third persons for any act or for any obligation or debt incurred by the other toward such third party, except to the extent specifically agreed to in writing by the Party so to be bound.

6.10 Counterparts, Electronic Signatures

This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals. Each party agrees that the electronic signatures, whether digital or encrypted, of the parties included in this Agreement are intended to authenticate this writing and to have the same force and effect as manual signatures. Electronic Signature means any electronic sound, symbol, or process attached to or logically associated with a record and executed and adopted by a party with the intent to sign such record, including facsimile or email electronic signatures, pursuant to the Electronic Signature Act of 1996 (§ 668.001 et seq., Fla. Stat.) and the Uniform Electronic Transaction Act (§ 668.50, Fla. Stat.) as amended from time to time.

IN WITNESS WHEREOF, the Parties hereto have caused this Agreement to be executed as of the date set forth above by their duly authorized representatives.