Business Associate Agreement

Last updated: January 31, 2026

Agreement Pursuant to 45 CFR Section 164.308(b), Section 164.314(a), and Section 164.504(e)

Important Notice

This Business Associate Agreement ("BAA") is based on the model provisions published by the U.S. Department of Health and Human Services (HHS) and has been customized for AveeCare, LLC's cloud-based home healthcare management platform. This BAA is designed for use between AveeCare (as Business Associate) and home health agencies, hospice providers, and other Covered Entities (as Covered Entity clients) who use AveeCare's platform to manage patient care and store Protected Health Information (PHI).

Preamble

This Business Associate Agreement ("Agreement" or "BAA") is entered into by and between the Covered Entity (the healthcare organization using AveeCare's platform) and AveeCare, LLC ("Business Associate" or "AveeCare").

Covered Entity and Business Associate are each referred to herein as a "Party" and collectively as the "Parties."

Recitals

WHEREAS, Covered Entity is a home health agency, hospice, or other healthcare provider that qualifies as a "Covered Entity" under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations (collectively, the "HIPAA Rules");

WHEREAS, Business Associate provides a cloud-based home healthcare management platform known as "AveeCare" that enables Covered Entity to manage patient care, caregiver scheduling, visit documentation, messaging, and other healthcare operations;

WHEREAS, in connection with providing the Services, Business Associate will Create, Receive, Maintain, or Transmit Protected Health Information ("PHI") on behalf of Covered Entity;

WHEREAS, the HIPAA Rules require Covered Entity to obtain satisfactory assurances from Business Associate that Business Associate will appropriately safeguard PHI;

WHEREAS, under the HITECH Act, Business Associate is directly liable for compliance with certain provisions of the HIPAA Rules;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

Article I - Definitions

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Rules.

Section 1.1 - Regulatory Definitions

  • "Breach" shall have the meaning given to such term under 45 CFR Section 164.402.
  • "Designated Record Set" shall have the meaning given to such term under 45 CFR Section 164.501.
  • "Electronic Protected Health Information" or "ePHI" shall have the meaning given to such term under 45 CFR Section 160.103, limited to information that Business Associate Creates, Receives, Maintains, or Transmits on behalf of Covered Entity.
  • "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended by the HITECH Act and any subsequent amendments.
  • "Individual" shall have the meaning given to such term under 45 CFR Section 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR Section 164.502(g).
  • "Protected Health Information" or "PHI" shall have the meaning given to such term under 45 CFR Section 160.103, limited to information Created, Received, Maintained, or Transmitted by Business Associate on behalf of Covered Entity.
  • "Security Incident" shall have the meaning given to such term under 45 CFR Section 164.304.
  • "Subcontractor" shall have the meaning given to such term under 45 CFR Section 160.103.
  • "Unsecured Protected Health Information" shall have the meaning given to such term under 45 CFR Section 164.402.

Section 1.2 - Agreement-Specific Definitions

  • "AveeCare Platform" or "Platform" means the cloud-based home healthcare management software application provided by Business Associate, including all associated mobile applications, web interfaces, APIs, and related services.
  • "Services" means the home healthcare management services provided by Business Associate to Covered Entity through the AveeCare Platform.
  • "Service Agreement" means any master services agreement, subscription agreement, terms of service, or other agreement between the Parties governing Business Associate's provision of the Services to Covered Entity.

Article II - Obligations and Activities of Business Associate

Section 2.1 - Permitted Uses and Disclosures

Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this Agreement or as Required By Law. Specifically, Business Associate may:

  1. Use or Disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Service Agreement;
  2. Use PHI for the proper management and administration of Business Associate;
  3. Disclose PHI for the proper management and administration of Business Associate, provided the Disclosure is Required By Law or Business Associate obtains reasonable assurances from the recipient;
  4. Use PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity, if specifically authorized;
  5. De-identify PHI in accordance with 45 CFR Section 164.514(a)-(c).

Section 2.2 - Minimum Necessary Standard

Business Associate agrees to make reasonable efforts to Use, Disclose, and Request only the minimum amount of PHI necessary to accomplish the intended purpose.

Section 2.3 - Prohibited Uses and Disclosures

Business Associate shall NOT:

  1. Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity;
  2. Use or Disclose PHI for fundraising or marketing purposes without authorization;
  3. Sell PHI without prior written authorization;
  4. Use or Disclose PHI for underwriting purposes;
  5. Use or Disclose genetic information for underwriting purposes in violation of GINA.

Section 2.4 - Safeguards

Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including:

Administrative Safeguards

  • Designating a security official
  • Implementing workforce security procedures
  • Conducting security awareness training
  • Maintaining security incident procedures
  • Maintaining contingency plans
  • Conducting periodic evaluations

Physical Safeguards

  • Implementing facility access controls
  • Implementing workstation use and security policies
  • Implementing device and media controls

Technical Safeguards

  • Implementing access controls with unique user identification
  • Implementing audit controls
  • Implementing integrity controls
  • Implementing person or entity authentication
  • Implementing transmission security with encryption

AveeCare's Security Infrastructure

AveeCare's platform is hosted on Amazon Web Services (AWS), a HIPAA-eligible cloud infrastructure provider. Business Associate maintains a Business Associate Agreement with AWS. All ePHI is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Multi-factor authentication is required for all user accounts.

Section 2.5 - Subcontractors

Business Associate agrees to ensure that any Subcontractor that Creates, Receives, Maintains, or Transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate. Business Associate remains responsible for the acts and omissions of its Subcontractors.

Section 2.6 - Reporting Requirements

Business Associate agrees to report to Covered Entity:

  • Breach Notification: Within thirty (30) calendar days of Discovery of a Breach of Unsecured PHI, including description, types of PHI involved, affected individuals, investigation status, and mitigation measures.
  • Security Incidents: Any Security Incident of which it becomes aware, with summary reports provided monthly or as agreed.
  • Unsuccessful Security Incidents: Business Associate is not required to report unsuccessful Security Incidents (such as attempted but blocked access) but will maintain logs of them and make those logs available upon request.

Section 2.7 - Access to PHI

Business Associate agrees to provide access to PHI in a Designated Record Set to Covered Entity or to an Individual as directed, within fifteen (15) business days of a request. If PHI is maintained electronically, access will be provided in the electronic form and format requested if readily producible.

Section 2.8 - Amendment of PHI

Business Associate agrees to make PHI available for amendment and incorporate amendments within fifteen (15) business days of receiving instructions from Covered Entity.

Section 2.9 - Accounting of Disclosures

Business Associate agrees to document Disclosures of PHI and provide information to Covered Entity within fifteen (15) business days of a request. Accounting information will be available for at least six (6) years prior to the request date.

Section 2.10 - Availability of Books and Records

Business Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining HIPAA compliance, with ten (10) business days prior notice to Covered Entity.

Section 2.11 - Administrative Access and Platform Operations

Covered Entity acknowledges and agrees that Business Associate's authorized administrators ("AveeCare Administrators") may access Covered Entity's PHI and ePHI, including by authenticating as or on behalf of Covered Entity's users within the Platform, for the following purposes:

  1. System Maintenance and Debugging: Diagnosing, troubleshooting, and resolving software defects, errors, or performance issues that affect Covered Entity's use of the Platform;
  2. System Failure Recovery: Restoring access to, integrity of, or availability of PHI and Platform functionality following system outages, data corruption, infrastructure failures, or other service disruptions;
  3. Client-Requested Assistance: Performing actions at Covered Entity's express or implied request, including but not limited to data export, data correction, configuration changes, user account support, and other operational tasks that require access to Covered Entity's data or user accounts;
  4. Platform Operations: Any other access reasonably necessary, at Business Associate's sole discretion, for the proper operation, security, improvement, or administration of the Platform and Services, provided such access is purpose-bound as described below.

All administrative access under this Section shall be subject to the following safeguards:

  1. Purpose-Bound Access: Each instance of administrative access shall be associated with a documented business purpose. AveeCare Administrators shall not access PHI absent an identifiable operational, technical, or client-driven reason.
  2. Internal Documentation: Business Associate shall maintain internal logs of administrative access events, including the identity of the administrator, the date and time of access, the Covered Entity tenant accessed, and the stated purpose. Such logs shall be retained for a minimum of six (6) years.
  3. Minimum Necessary: Administrative access shall be limited to the minimum scope of PHI necessary to accomplish the stated purpose, consistent with Section 2.2 of this Agreement.
  4. Audit Trail: All administrative access shall be recorded in Business Associate's audit logging infrastructure, including any actions taken while authenticated as or on behalf of a Covered Entity user.
  5. Transparency Reports: Upon written request by Covered Entity, Business Associate shall provide a transparency report detailing administrative access events pertaining to Covered Entity's data within thirty (30) calendar days. Covered Entity may submit such requests no more than once per calendar quarter, unless Covered Entity has a good-faith basis to believe unauthorized access has occurred, in which case additional requests shall be accommodated.

Administrative Access Commitment

AveeCare's administrative access capabilities are an inherent and necessary aspect of providing a managed cloud platform for healthcare operations. By using the Platform, Covered Entity consents to the access described in this Section as part of the Services. Business Associate shall exercise this access responsibly, in good faith, and in a manner consistent with its obligations under the HIPAA Rules and this Agreement.

Article III - Obligations of Covered Entity

Section 3.1 - Notice of Privacy Practices

Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices and any changes that may affect Business Associate's obligations.

Section 3.2 - Changes in Authorization

Covered Entity shall notify Business Associate of any changes in or revocation of Individual permission to Use or Disclose PHI.

Section 3.3 - Notification of Restrictions

Covered Entity shall notify Business Associate of any restrictions on the Use or Disclosure of PHI that may affect Business Associate's permitted activities.

Section 3.4 - Permissible Requests

Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules.

Article IV - Term and Termination

Section 4.1 - Term

This Agreement shall become effective on the Effective Date and shall remain in effect until the earlier of: (a) termination of the Service Agreement; (b) termination of this Agreement; or (c) the date on which Business Associate no longer maintains any PHI.

Section 4.2 - Termination for Cause

Either Party may terminate this Agreement if the other Party materially breaches and fails to cure within thirty (30) calendar days of written notice, or if the breach cannot reasonably be cured.

Section 4.3 - Termination for Convenience

Either Party may terminate this Agreement upon ninety (90) calendar days prior written notice.

Section 4.4 - Effect of Termination

Upon termination:

  • Return or Destruction: Business Associate shall, at Covered Entity's election, return or destroy all PHI.
  • Infeasibility: If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures.
  • Data Export: Upon request within thirty (30) days of termination, Business Associate shall provide a data export in a commonly used electronic format.

Data Retention After Termination

Business Associate will retain Covered Entity's data for ninety (90) calendar days following termination to allow for data export. After this period, data will be securely destroyed unless return or destruction is infeasible.

Article V - Liability and Indemnification

Section 5.1 - HITECH Direct Liability

The Parties acknowledge that, pursuant to the HITECH Act, Business Associate is directly liable for violations of the HIPAA Security Rule and certain provisions of the HIPAA Privacy Rule.

Section 5.2 - Indemnification by Business Associate

Business Associate shall indemnify, defend, and hold harmless Covered Entity from claims arising out of Breaches caused by Business Associate, violations of this Agreement or HIPAA Rules, or negligent acts or omissions.

Section 5.3 - Indemnification by Covered Entity

Covered Entity shall indemnify, defend, and hold harmless Business Associate from claims arising out of violations by Covered Entity, failure to obtain required authorizations, or non-compliant instructions.

Section 5.4 - Insurance

Business Associate shall maintain:

  • Commercial General Liability insurance ($1,000,000 per occurrence)
  • Professional Liability insurance ($1,000,000 per claim)
  • Cyber Liability insurance ($1,000,000 per claim)

Article VI - General Provisions

Section 6.1 - Regulatory References

References to HIPAA Rules mean the sections as in effect or amended. This Agreement shall be interpreted in accordance with the HIPAA Rules.

Section 6.2 - Amendment

The Parties agree to amend this Agreement as necessary for compliance with the HIPAA Rules. No amendment shall be effective unless in writing and signed by both Parties.

Section 6.3 - Interpretation

Any ambiguity shall be interpreted to permit HIPAA compliance. In case of conflict with the Service Agreement regarding PHI, this Agreement shall control.

Section 6.4 - No Third-Party Beneficiaries

Nothing in this Agreement shall confer rights upon any person other than the Parties. Individuals whose PHI is subject to this Agreement are not third-party beneficiaries.

Section 6.5 - Severability

If any provision is held invalid, the remaining provisions shall continue in full force and effect.

Exhibits

Exhibit A - Description of Services

AveeCare provides a cloud-based home healthcare management platform that enables organizations to:

  • Manage patient records, demographics, medical history, medications, and care plans
  • Schedule and track caregiver visits with documentation
  • Facilitate secure messaging between care team members
  • Generate reports and analytics
  • Manage caregiver information and credentials
  • Document incidents and maintain compliance records
  • Support billing and invoicing processes
  • Provide mobile applications for caregivers and patients

Exhibit B - Security Specifications

Infrastructure

  • AWS HIPAA-eligible services
  • SOC 2, ISO 27001 certifications
  • VPC with security groups
  • DDoS protection

Encryption

  • AES-256 at rest (DynamoDB, S3)
  • TLS 1.2+ in transit
  • AWS KMS key management

Access Controls

  • AWS Cognito with MFA
  • Role-based access
  • Multi-tenant isolation
  • Auto session timeout

Audit & Recovery

  • Full audit logging
  • 6-year log retention
  • Daily backups
  • 99.9% uptime target

Exhibit C - Breach Notification Procedures

Upon Discovery of a potential Breach, Business Associate shall:

  1. Immediately activate incident response procedures
  2. Preserve evidence and document the incident
  3. Conduct preliminary assessment
  4. Identify scope and affected Individuals
  5. Implement measures to mitigate harm
  6. Notify Covered Entity within 30 days with full details

Contact for Breach Reporting: security@aveecare.com

Regulatory Sources

  • 45 CFR Section 164.308(b) - Business Associate Contracts and Other Arrangements
  • 45 CFR Section 164.314(a) - Business Associate Contracts or Other Arrangements
  • 45 CFR Section 164.504(e) - Business Associate Contracts
  • HITECH Act, Public Law 111-5, Subtitle D
  • HHS Sample Business Associate Agreement Provisions