Business Associate Agreement (BAA)
THIS BUSINESS ASSOCIATE AGREEMENT is made effective on the date on which the individual or entity ("Covered Entity") agrees to the Terms of Use and this BAA by creating an account or otherwise accepting the terms on the GenHealth website at https://www.genhealth.ai/terms, https://www.genhealth.ai/privacy, and https://www.genhealth.ai/baa ("Effective Date").
WHEREAS, the parties have or intend to execute one or more agreements whereby GenHealth provides certain services to Covered Entity, and GenHealth receives, has access to, or creates Protected Health Information in order to provide those services;
WHEREAS, Covered Entity is subject to the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder, 45 C.F.R. Parts 160 and 164 (“HIPAA”);
WHEREAS, GenHealth and its affiliates are each a Business Associate as defined by HIPAA;
WHEREAS, HIPAA and the Health Information Technology for Economic and Clinical Health Act and its implementing regulations (collectively “HITECH”), adopted as part of the American Recovery and Reinvestment Act of 2009, 42 USC §§ 17921–17953, impose certain requirements on Business Associates;
WHEREAS, 42 C.F.R. Part 2 imposes certain requirements on Covered Entities and Business Associates of Federal Substance Use Disorder Programs; and
WHEREAS, HIPAA requires Covered Entity to enter into a contract with Business Associates in order to require certain protections for the privacy and security of Health Information, and HIPAA prohibits the disclosure to or use of PHI by Business Associate if such a contract is not in place.
NOW THEREFORE, in consideration of the foregoing, and for other good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, the parties agree as follows:
Definitions. Terms used but not otherwise defined in this Agreement shall have the meanings given them in the Standards for Privacy and Security and HITECH. For convenience of reference, the definitions of certain terms as of the Effective Date are as follows:
“Agreement” means this Business Associate Agreement.
“Breach” shall have the meaning as set forth in 45 C.F.R. § 164.402.
“Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and (i) is created or received by a healthcare provider, health plan, employer, or health care clearinghouse; and (ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual, or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
“Services” means the services provided by GenHealth to the Covered Entity pursuant to the Underlying Agreement.
“Standards for Privacy and Security” shall mean the provisions of the Standards for Privacy and Security of Individually Identifiable Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
“Designated Record Set(s)” include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 C.F.R. § 164.501.
“Protected Health Information” or “PHI” means individually identifiable health information (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium as further defined by HIPAA in 45 C.F.R. § 160.103 and Section 13400 of Subtitle D (‘Privacy’) of HITECH. Information provided to GenHealth by Covered Entity under individual authorization made in compliance with 45 C.F.R. § 164.508 shall not be considered PHI to the extent allowed by HIPAA and any other applicable law or regulation.
“Underlying Agreement” means one or more underlying agreements between GenHealth and Covered Entity for GenHealth to provide Services to Covered Entity and which require the disclosure of certain PHI to GenHealth for the purposes of providing the Services.
Applicability of Terms; Conflicts. This Agreement applies to, supplements, amends and is incorporated into the Underlying Agreements between GenHealth and Covered Entity, in effect on the Effective Date of this Agreement and remaining in effect until termination of this Agreement, in which Covered Entity provides any PHI to GenHealth in any form whatsoever. To the extent any provision of this Agreement relating to PHI conflicts with any provision of an Underlying Agreement, this Agreement shall govern.
Obligations and Activities of Business Associate.
Disclosure: GenHealth may only Use or Disclose PHI consistent with the Business Associate Provisions of 45 C.F.R. § 164.504(e) and if applicable 42 C.F.R. § 2.33. GenHealth will not use or disclose PHI other than as permitted or required by this Agreement or as required by law or as otherwise authorized by Covered Entity in an Underlying Agreement, or as authorized by an individual regarding their own PHI. In disclosing PHI, GenHealth may only release the minimum necessary information to accomplish the intended purpose of the disclosure in accordance with 42 USC § 17935(b) and 45 C.F.R. § 164.502(b) and if applicable 42 C.F.R. §§ 2.33, 2.35, 2.51–2.53.
Safeguards: In accordance with 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, GenHealth will use appropriate safeguards to prevent the Use or Disclosure (other than as provided for by this Agreement) of the PHI. If applicable, the Business Associate that receives patient identifying information will fully comply with the provisions of 42 C.F.R. Part 2. GenHealth will develop, implement, maintain, and use appropriate administrative, technical and physical safeguards to preserve the confidentiality, integrity, and availability of PHI, whether electronic or otherwise that is created, received, maintained, or transmitted on behalf of Covered Entity, and to prevent non-permitted use or disclosure of PHI. GenHealth shall also comply with any and all additional security requirements contained in the HITECH Act that are applicable to Business Associates. GenHealth shall encrypt all PHI stored on laptops, mobile storage devices, or other personal devices, encrypt all transmitted records and files containing PHI and/or Individually Identifiable Health Information that will travel across public networks, and encrypt all PHI and/or Individually Identifiable Health Information to be transmitted wirelessly.
Mitigation: GenHealth will mitigate, to the extent practicable, any harmful effect that is known to GenHealth of a use or disclosure of PHI in violation of the requirements of this Agreement.
Reporting Obligations:
Reporting to GenHealth. GenHealth will report to Covered Entity, in writing, any Security Incident and/or any use and/or disclosure of PHI that is not permitted by this Agreement of which GenHealth becomes aware. Upon discovering or otherwise becoming aware of a suspected Security Incident, GenHealth will take immediate action to investigate and determine the extent of the Security Incident and whether any PHI was disclosed in a manner not permitted by this Agreement.
Such report shall be made as soon as reasonably possible after discovery by GenHealth of such unauthorized use or disclosure or potential Security Incident. Each such report of a Breach will: (i) identify the nature of the non-permitted use or disclosure; (ii) identify the PHI used or disclosed; (iii) identify who made the non-permitted use or disclosure; (iv) identify who received the non-permitted use or disclosure; (v) identify what corrective action Business Associate took or will take to prevent further non-permitted uses or disclosures; (vi) identify what Business Associate did or will do to mitigate any deleterious effect of the non-permitted use or disclosure; and (vii) provide such other information as Covered Entity may reasonably request.
Agents and Subcontractors: GenHealth will ensure that any and all consultants, subcontractors and other agents (“Agent”) that create, receive, maintain, or transmit PHI received from, or created or received by GenHealth on behalf of Covered Entity execute a written agreement obligating the Agent to comply with all terms of the Agreement, including but not limited to, implementation of reasonable and appropriate safeguards to protect PHI; and that all such Agents and employees that create, receive, maintain, or transmit PHI received on behalf of Covered Entity will be trained in HIPAA applicable requirements.
Access: Within five (5) business days of receiving a written request from Covered Entity, GenHealth will provide Covered Entity with access to PHI from a Designated Record Set of Covered Entity, in order to meet the requirements set forth in 45 C.F.R. § 164.524. This provision does not apply if Business Associate and its employees, subcontractors and agents have no PHI from a Designated Record Set of Covered Entity.
Amendments: GenHealth will make any amendment(s) to PHI in a Designated Record Set of Covered Entity that Covered Entity directs pursuant to 45 C.F.R. § 164.526. This provision does not apply if Business Associate and its employees, subcontractors and agents have no PHI from a Designated Record Set of Covered Entity.
Records: At Covered Entity’s sole expense, Business Associate will make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by GenHealth, on behalf of Covered Entity, available to the Secretary of Health and Human Services (the “Secretary”) during regular business hours within five (5) business days of receiving a written request from Covered Entity, or sooner if requested by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with HIPAA. Notwithstanding the above, no legal privilege, including the attorney/client privilege, shall be deemed waived by virtue of this provision. To the extent permitted by law, GenHealth will promptly notify Covered Entity of all requests served upon Business Associate by or on behalf of the Secretary for information which may be related to this Agreement. GenHealth shall provide Covered Entity with copies of all PHI, policies, procedures, or other records or documents provided to the Secretary pursuant to such request.
Accounting of Disclosures: GenHealth will document disclosures by GenHealth and its employees, subcontractors and agents of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Within five (5) days of receiving a written request from Covered Entity, GenHealth will provide to Covered Entity information collected in accordance with the preceding sentence, to permit Covered Entity to respond to a request by an Individual for such an accounting of disclosures. In the event an individual delivers the initial request for an accounting directly to GenHealth, GenHealth shall immediately forward such request to Covered Entity.
Alternative Communications: At Covered Entity’s request, GenHealth will implement reasonable alternative means or locations of communication with an Individual, as necessary to honor a request granted by Covered Entity pursuant to 45 C.F.R. §§ 164.522 or 164.526, respectively. Except as provided in an Underlying Agreement, in the event GenHealth receives a request for access, amendment, disclosure, accounting, or confidential communications or other similar request directly from an Individual, GenHealth will redirect the Individual to appropriate Covered Entity personnel. GenHealth will maintain records related to disclosures of PHI for at least six (6) years after the date of the disclosure.
Marketing. GenHealth shall use and disclose PHI for marketing purposes only in accordance with 45 C.F.R. § 164.508.
Sale of Electronic Health Records and PHI. Business Associate shall comply with the regulations and requirements on the sale of Electronic Health Records and PHI as set forth in 45 C.F.R. § 164.508.
Performance of Covered Entity Obligations. To the extent GenHealth has agreed in an Underlying Agreement to carry out one or more of Covered Entity’s obligations under 45 C.F.R. Part 164, Subpart E, GenHealth shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
Restrictions. GenHealth agrees to comply with any requests for restrictions on certain disclosures of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522 and of which GenHealth has been notified by Covered Entity, including but not limited to disclosures to a health plan if the PHI pertains solely to a health care item or service for which the individual or person other than the health plan on behalf of the individual, has paid Covered Entity in full.
Permitted Uses and Disclosures by Business Associate.
Functions and Activities on Covered Entity’s Behalf: Except as otherwise limited in this Agreement, GenHealth may use or disclose PHI on behalf of, or to provide services to, Covered Entity only for purposes authorized by Covered Entity in an Underlying Agreement or through specific oral instruction, if such use or disclosure of PHI would not violate HIPAA if done by Covered Entity itself or permissible under 42 C.F.R. Part 2.
Limited Dataset: GenHealth may, with the express written consent of Covered Entity, create a Limited Dataset as defined in 45 CFR § 164.514(e)(2), and may use such Limited Dataset only in compliance with 45 CFR § 164.514(e)(3) and subject to a Data Use Agreement between the parties which is compliant with 45 CFR § 164.514(e)(4). If GenHealth, with the consent of Covered Entity, creates a Limited Dataset, GenHealth’s rights and obligations with regard to the Limited Dataset shall be governed by the Data Use Agreement and not this Agreement regardless of whether such Limited Dataset is PHI as defined under HIPAA enter into a Data Use Agreement
Business Associate’s Operations: Except as otherwise limited in this Agreement or any other agreement between GenHealth and Covered Entity: (a) GenHealth may use PHI for GenHealth’s proper management and administration or to carry out GenHealth’s legal responsibilities; (b) GenHealth may use PHI for internal analysis, assessment, and product development, but only to the extent allowed under HIPAA; and (c) GenHealth may disclose PHI for GenHealth’s proper management and administration, provided that disclosures are required by law, or GenHealth obtains reasonable assurances from the person to whom the PHI is disclosed that (i) it will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and (ii) the person will notify GenHealth of any instances of which it is aware in which the confidentiality of the PHI has been breached.
“Trading Partner” Provisions: Use and Disclosure in Connection with Standard Transactions. If GenHealth agrees to conduct Standard Transactions (as defined in 45 C.F.R. Part 162) for or on behalf of Covered Entity in an Underlying Agreement, GenHealth will comply, and will require each subcontractor or agent involved with the conduct of such Standard Transactions to comply, with each applicable requirement of 45 C.F.R. Part 162. GenHealth will not enter into, or permit its subcontractors to enter into, any trading partner agreement in connection with the conduct of Standard Transactions for or on behalf of Covered Entity that: (i) changes the definition, data condition, or use of a data element or segment in a Standard Transaction except where necessary to implement State or Federal law, or to protect against fraud and abuse; (ii) adds any data elements or segments to the maximum defined data set; (iii) uses any code or data element that is marked “not used” in the Standard Transaction’s implementation specification; or (iv) changes the meaning or intent of the Standard Transaction’s implementation specification.
Term and Termination.
Term: This Agreement shall commence as of the Effective Date and shall remain in effect so long as the Parties have an Underlying Agreement in place.
Termination for Cause: As provided in HIPAA, including 45 C.F.R. § 164.504(e)(2)(iii), upon Covered Entity’s reasonable determination that Business Associate has breached a material term of this Agreement, Covered Entity shall be entitled to do any one or more of the following:
1) Give GenHealth written notice of the existence of such breach and give GenHealth an opportunity to cure upon mutually agreeable terms. If Business Associate does not cure the breach or end the violation according to such terms, or if Covered Entity and Business Associate are unable to agree upon such terms, Covered Entity may immediately terminate any Underlying Agreement between Covered Entity and GenHealth which is the subject of such breach.
2) Immediately stop all further disclosures of PHI to GenHealth pursuant to each Underlying Agreement between Covered Entity and GenHealth which is the subject of such breach, unless the cessation of such disclosures would frustrate the purpose of the Underlying Agreement.
Effect of Termination: After termination or expiration of this Agreement or an Underlying Agreement, upon written demand from Covered Entity, Business Associate agrees to immediately return or destroy, except to the extent infeasible, all PHI received from, created by, or received by GenHealth on behalf of Covered Entity, including all such PHI which GenHealth has disclosed to its employees, subcontractors and/or agents. Destruction shall include destruction of all copies including backup tapes and other electronic backup medium. In the event the return or destruction of some or all such PHI is infeasible, PHI not returned or destroyed pursuant to this paragraph shall be used or disclosed only for those purposes that make return or destruction infeasible.
Continuing Privacy Obligation: GenHealth’s obligation to protect the privacy of PHI is continuous and survives any termination, cancellation, expiration, or other conclusion of this Agreement or any Underlying Agreement between Business Associate and Covered Entity.
Intellectual Property Rights: Nothing in this Agreement shall grant Covered Entity any license or other intellectual property rights to the Services or other GenHealth properties and GenHealth reserves and retains sole exclusive ownership of its entire right, title, and interest in and to all intellectual property rights arising out of or relating to the Services, including any improvements, except as otherwise provided in the Underlying Agreements.
Notices. All notices pursuant to this Agreement must be given in writing and shall be effective when received if hand-delivered or upon dispatch if sent by reputable overnight delivery service, facsimile or U.S. Mail to the appropriate address or facsimile number as set forth at the end of this Agreement.
Indemnification. GenHealth agrees to indemnify, defend and hold harmless Covered Entity and Covered Entity’s respective employees, directors, officers, and agents (the “Indemnitees”), against all actual and direct losses suffered by the Indemnitees and all liability of the Indemnitees to third parties arising from or in connection with any breach of this Agreement by GenHealth, its employees, directors, officers, or agents. Accordingly, on demand, GenHealth shall reimburse Covered Entity for any and all documented actual and direct losses, liabilities, fines, penalties, costs or expenses (including reasonable attorneys’ fees) which may for any reason be imposed upon the Indemnitees by reason of any suit, claim, action, proceeding or demand by any third party which results from the Business Associate’s breach hereunder. GenHealth’s obligation to indemnify Covered Entity shall survive the expiration or termination of this Agreement for any reason.
Miscellaneous.
a) Individuals who are the subject of PHI are not third-party beneficiaries of this Agreement.
b) The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties agree to take such action as may be necessary from time to time to implement changing standards and requirements of HIPAA, Omnibus Rule updates to HIPAA, and other applicable laws relating to the security or confidentiality of Health Information. Either party may terminate this Agreement and any Underlying Agreement upon thirty (30) days written notice in the event (i) Business Associate does not within thirty (30) days enter into negotiations to amend this Agreement to implement any modified standards or requirements of HIPAA, or (ii) Business Associate does not enter into an amendment to this Agreement that satisfies the standards and requirements of HIPAA.
c) In the event that any provision of this Agreement violates any applicable statute, ordinance or rule of law in any jurisdiction that governs this Agreement, such provision shall be ineffective to the extent of such violation without invalidating any other provision of this Agreement. To the extent that terms of this Agreement are in conflict with any terms of the Underlying Agreements, the terms of this Agreement shall control.
d) This Agreement may not be amended, altered or modified except by written agreement signed by GenHealth and Covered Entity.
e) No provision of this Agreement may be waived except by an agreement in writing signed by the waiving party. A waiver of any term or provision shall not be construed as a waiver of any other term or provision. Nothing in this Agreement shall be deemed a waiver of any legally recognized claim of privilege available to GenHealth.
f) The persons signing below have the right and authority to execute this Agreement for their respective entities and no further approvals are necessary to create a binding agreement.
g) All references herein to specific statutes, codes or regulations shall be deemed to be references to those statutes, codes or regulations as may be amended from time to time.
h) This Agreement shall be governed by and interpreted in accordance with the laws of the State of Delaware.
i) GenHealth understands and acknowledges that any disclosure or misappropriation of any PHI in violation of this Agreement may cause Covered Entity irreparable harm, the amount of which may be difficult to ascertain, and therefore agrees that Covered Entity shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as may be just and proper. Such right of Covered Entity is to be in addition to the remedies otherwise available to Covered Entity at law or in equity.
j) The Parties acknowledge that GenHealth shall be and have the status of independent contractor in the performance of its obligations under the terms of this Agreement. Nothing in this Agreement shall be construed to create (1) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (2) a relationship of employer and employee between the parties.
k) GenHealth’s obligations under this Agreement and any breach by GenHealth of the obligations in this Agreement shall be subject to any limitations on damages that are specified in any Underlying Agreement.
Acceptance. By accepting GenHealth’s terms of service and creating an account or otherwise agreeing to receive services involving PHI, Covered Entity agrees to be bound by this Business Associate Agreement.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the Effective Date.
GenHealth, Inc.:
legal@genhealth.ai