Legal · BAA Template · v2026.05
Business Associate Agreement.
The standard agreement Conceptual Healthcare Corporation executes with every Covered Entity under 45 CFR Parts 160 and 164. This is the template — your countersigned copy lives in your enterprise compliance dashboard the moment it's signed.
This Agreement supplements and is incorporated into the Master Services Agreement between the parties.
1. Definitions
Capitalized terms used but not otherwise defined in this Agreement have the meanings ascribed to them in the HIPAA Rules at 45 CFR Parts 160 and 164. "Covered Entity" means the customer signing this Agreement. "Business Associate" means Conceptual Healthcare Corporation and any subsidiary providing services under the underlying agreement. "PHI" means Protected Health Information limited to PHI received from, or created or received by Business Associate on behalf of, Covered Entity.
2. Permitted uses and disclosures
Business Associate may use or disclose PHI only as necessary to perform the services set forth in the underlying agreement, as required by law, or as expressly permitted in this section. Business Associate may use PHI for the proper management and administration of Business Associate, and to provide data aggregation services as permitted by 45 CFR § 164.504(e)(2)(i)(B).
Prohibited. Business Associate will not (a) sell PHI, (b) use PHI for marketing as defined under 45 CFR § 164.501, (c) use PHI for the training of foundation models without a separate, written authorization referencing this Agreement, or (d) re-identify de-identified data.
3. Safeguards
Business Associate will implement administrative, physical, and technical safeguards meeting or exceeding the HIPAA Security Rule (45 CFR §§ 164.308, 164.310, 164.312, 164.316). Current safeguards are documented in the Security Architecture Whitepaper and include: AES-256-GCM at rest, TLS 1.3 in transit, FIPS 140-3 validated KMS, hardware-backed key custody, role-based access with quarterly recertification, and immutable append-only audit logs anchored to CH Chain.
4. Reporting and breach notification
Business Associate will report to Covered Entity any Use or Disclosure of PHI not provided for by this Agreement. Breach notification: Business Associate will notify Covered Entity within one (1) hour of confirming a Breach of Unsecured PHI — substantially faster than the 60-day statutory maximum at 45 CFR § 164.410. Notice will include the items required by 45 CFR § 164.410(c).
5. Subcontractors
Business Associate will require, by written contract, that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to restrictions and conditions at least as stringent as those that apply to Business Associate under this Agreement. The current list of subprocessors with access to PHI is published at /compliance#subprocessors and updated within 30 days of any change.
6. Access, amendment, accounting
Access (§ 164.524). Business Associate will, within ten (10) business days of a request, provide Covered Entity (or, at Covered Entity's direction, the Individual) access to PHI in the Designated Record Set. Amendment (§ 164.526). Business Associate will incorporate amendments within ten (10) business days. Accounting (§ 164.528). Business Associate will document and provide an accounting of disclosures sufficient for Covered Entity to respond to an Individual's request — within thirty (30) days. The patient app exposes this accounting in real time.
7. Audit and attestation
Business Associate will, at Covered Entity's reasonable request and no more than once per calendar year, provide its current SOC 2 Type II report, HITRUST CSF v11 certification letter, and a written attestation of HIPAA Security Rule compliance signed by an officer of the company. Covered Entity may, with thirty (30) days' notice, conduct a documentation review under reasonable confidentiality terms.
8. Term and termination
This Agreement is effective on the Effective Date of the underlying agreement and terminates when all PHI is destroyed or returned to Covered Entity under § 9. Either party may terminate this Agreement upon thirty (30) days' written notice if the other party materially breaches this Agreement and does not cure within that period.
9. Return or destruction of PHI
Upon termination, Business Associate will, at Covered Entity's option, return or destroy all PHI it maintains in any form. Where return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the retained PHI and limit further use to those purposes that make the return or destruction infeasible. Destruction is performed via cryptographic shredding (key destruction) and confirmed in writing within ten (10) business days.
10. Indemnification and insurance
Business Associate maintains cyber liability and errors-and-omissions insurance in amounts not less than $10,000,000 per occurrence, with Covered Entity named as additional insured upon request. Business Associate indemnifies Covered Entity for losses caused by a breach of this Agreement attributable to Business Associate's negligence or willful misconduct, subject to the limitation of liability in the underlying agreement (except that liability for PHI breaches is uncapped where applicable law prohibits such a limitation).
11. Miscellaneous
Regulatory amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time to comply with the HIPAA Rules. Interpretation. Any ambiguity will be resolved to permit the parties to comply with the HIPAA Rules. Survival. Sections 2, 3, 4, 9, and 10 survive termination. No third-party beneficiaries. Nothing in this Agreement confers rights on any person other than the parties and their successors and permitted assigns.
12. Signature block
COVERED ENTITY: ____________________________
Name: ____________________________
Title: ____________________________
Date: ____________________________
BUSINESS ASSOCIATE: Conceptual Healthcare Corporation
By: Maria R. Lahti, MD — Chief Medical Officer & Privacy Officer
Date: signed at execution
Document control. Template version 2026.05. Last reviewed by Privacy Officer on May 1, 2026. Material changes to this template are announced 30 days in advance to all signed Covered Entities. Past versions are archived at /trust/transparency-report.