Business Associate Agreement Addendum

Recitals

WHEREAS, Customer is a Covered Entity (or is a Business Associate acting on behalf of one or more Covered Entities) as defined under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, as amended, and the regulations promulgated thereunder (collectively, "HIPAA");

WHEREAS, HealthcareGPS provides the MedicareCopilot Platform to Customer under the TOS, and in the course of providing such services, HealthcareGPS may receive, create, transmit, or maintain Protected Health Information on behalf of Customer;

WHEREAS, the parties desire to enter into this BAA to satisfy the requirements of HIPAA and to protect the privacy and security of Protected Health Information;

NOW, THEREFORE, in consideration of the mutual promises set forth herein and in the TOS, the parties agree as follows:

1. Definitions

"Breach" has the meaning set forth at 45 CFR § 164.402.

"Business Associate" has the meaning set forth at 45 CFR § 160.103. For purposes of this BAA, HealthcareGPS is the Business Associate.

"Covered Entity" has the meaning set forth at 45 CFR § 160.103. For purposes of this BAA, Customer is the Covered Entity (or a Business Associate acting on behalf of a Covered Entity).

"HIPAA Rules" means the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule promulgated under HIPAA, as amended from time to time.

"PHI" or "Protected Health Information" has the meaning set forth at 45 CFR § 160.103, limited to PHI that HealthcareGPS receives from, or creates, receives, maintains, or transmits on behalf of, Customer in connection with the MedicareCopilot Platform.

"Electronic PHI" or "ePHI" means PHI that is created, received, maintained, or transmitted in electronic form.

"Security Incident" has the meaning set forth at 45 CFR § 164.304.

"Subcontractor" means a person or entity that performs functions or activities on behalf of HealthcareGPS involving the use or disclosure of PHI.

2. Obligations of HealthcareGPS (Business Associate)

2.1 Permitted Uses and Disclosures. HealthcareGPS may use and disclose PHI only as necessary to provide the MedicareCopilot Platform and related services to Customer as described in the TOS, and as otherwise permitted or required by this BAA or applicable law. HealthcareGPS shall not use or disclose PHI in a manner that would violate HIPAA if done by Customer. Specifically, HealthcareGPS may use PHI:

• To perform its obligations under the TOS and this BAA;
• For its proper internal management and administration, or to carry out its legal responsibilities;
• To de-identify PHI in accordance with 45 CFR § 164.514 and use such de-identified data for analytics, product improvement, benchmarking, and other commercial purposes; and
• As required by law.

2.2 Prohibited Uses. HealthcareGPS shall not:

• Use or disclose PHI for purposes of marketing or fundraising without Customer's prior written authorization;
• Sell PHI or receive direct or indirect remuneration in exchange for PHI;
• Use PHI in a manner that violates the HIPAA minimum necessary standard;
• Use or disclose PHI in any manner not permitted by this BAA.

2.3 Safeguards. HealthcareGPS shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Customer, in accordance with the HIPAA Security Rule (45 CFR §§ 164.308, 164.310, and 164.312).

2.4 Subcontractors. HealthcareGPS shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of HealthcareGPS agrees to restrictions and conditions at least as protective as those in this BAA through a written agreement before the Subcontractor uses or discloses PHI. This includes Connecture, Inc., which acts as a subcontractor to HealthcareGPS with respect to the underlying plan data and API infrastructure.

2.5 Minimum Necessary. HealthcareGPS shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose, consistent with 45 CFR § 164.502(b).

2.6 Individual Rights. To the extent HealthcareGPS maintains PHI in a Designated Record Set, HealthcareGPS shall, within fifteen (15) business days of a written request by Customer:

• Make PHI available to Customer so that Customer can fulfill its obligations to provide individuals access to their PHI under 45 CFR § 164.524;
• Incorporate amendments to PHI as directed by Customer under 45 CFR § 164.526;
• Provide an accounting of disclosures of PHI as required under 45 CFR § 164.528.

2.7 Government Access. HealthcareGPS shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services ("HHS") for purposes of determining compliance with HIPAA. HealthcareGPS shall promptly notify Customer upon receipt of any such request.

2.8 De-Identified Data Outside Scope. The parties acknowledge that data that has been de-identified in accordance with 45 CFR § 164.514 is no longer PHI and therefore falls outside the scope of this BAA and HIPAA's restrictions. HealthcareGPS's use, license, commercialization, or other exploitation of such de-identified data is not restricted by this BAA.

3. Breach Notification

3.1 Reporting. HealthcareGPS shall notify Customer without unreasonable delay, and in no case later than ten (10) business days after HealthcareGPS discovers a Breach of Unsecured PHI, as defined in 45 CFR § 164.402. Notice shall include, to the extent available:

• The date of the Breach and the date of discovery;
• A description of the nature of the Breach, including what happened;
• The types of PHI involved (e.g., name, date of birth, prescription information);
• The identities of affected individuals, or the number and classes of individuals if identities are unknown;
• A description of steps HealthcareGPS is taking to investigate, mitigate, and prevent future Breaches;
• Contact information for Customer to ask questions.

3.2 Security Incidents. HealthcareGPS shall report to Customer, within thirty (30) days of discovery, any Security Incident involving ePHI that does not rise to the level of a Breach. The parties acknowledge that this BAA constitutes standing notice of the ongoing occurrence of unsuccessful Security Incidents (such as port scans, failed log-in attempts, and ping attacks) that result in no unauthorized access, use, or disclosure of ePHI, for which no additional individual notice is required.

3.3 Mitigation. HealthcareGPS shall take reasonable steps to mitigate, to the extent practicable, any harmful effects resulting from a Breach or impermissible use or disclosure of PHI.

4. Obligations of Customer (Covered Entity)

4.1 Lawful Disclosures. Customer shall not request HealthcareGPS to use or disclose PHI in any manner that would violate HIPAA if done by Customer.

4.2 Notice of Privacy Practices. Customer shall promptly notify HealthcareGPS of any limitation in Customer's Notice of Privacy Practices that may affect HealthcareGPS's use or disclosure of PHI.

4.3 Individual Permissions. Customer shall promptly notify HealthcareGPS of any revocation of an individual's permission to use or disclose PHI, to the extent such change affects HealthcareGPS's use or disclosure.

4.4 Restrictions. Customer shall notify HealthcareGPS of any restrictions on the use or disclosure of PHI agreed to by Customer with an individual, to the extent such restrictions affect HealthcareGPS's use or disclosure.

4.5 Authorizations. Customer is responsible for obtaining all individual authorizations and consents required by HIPAA for any use or disclosure of PHI facilitated through the Platform.

4.6 Minimum Necessary. Customer shall only provide to HealthcareGPS the minimum amount of PHI necessary for HealthcareGPS to provide the MedicareCopilot Platform.

5. Term & Termination

5.1 Term. This BAA becomes effective upon Customer's electronic acceptance at checkout and remains in effect for the duration of the TOS, including any renewal periods, and until all PHI held by HealthcareGPS on behalf of Customer is returned or destroyed.

5.2 Termination for Cause. Either party may terminate this BAA and the TOS immediately upon written notice if the other party has materially breached this BAA and failed to cure such breach within thirty (30) days of written notice. If cure is not possible, the non-breaching party may terminate immediately upon written notice.

5.3 Effect of Termination. Upon termination or expiration of this BAA, HealthcareGPS shall, at Customer's written direction: (a) return to Customer all PHI maintained by HealthcareGPS, in a mutually agreed-upon format; or (b) securely destroy all PHI and certify such destruction in writing to Customer. If return or destruction is not feasible, HealthcareGPS shall extend the protections of this BAA to the PHI and limit further use or disclosure to those purposes that make return or destruction infeasible. This obligation survives termination of this BAA.

6. General Provisions

6.1 Relationship of Parties. HealthcareGPS is an independent contractor to Customer. Nothing in this BAA creates any agency, employment, partnership, or joint venture relationship between the parties.

6.2 Regulatory Changes. To the extent that HHS amends the HIPAA Rules in a manner that changes the obligations of the parties under this BAA, this BAA shall be deemed amended to the minimum extent necessary to comply with such changes, effective as of the compliance date of such changes. HealthcareGPS shall provide Customer with written notice of any proposed amendment.

6.3 No Third-Party Beneficiaries. This BAA is for the sole benefit of the parties and their permitted successors and assigns. Nothing herein confers any rights or remedies on any individual patient or third party.

6.4 Limitation of Liability. The limitation of liability provisions in Section 9 of the TOS apply to this BAA; provided, however, that such caps shall not be cumulative between the TOS and this BAA. The maximum aggregate liability of HealthcareGPS for claims under both the TOS and this BAA shall not exceed the higher of the applicable caps.

6.5 Interpretation. This BAA shall be interpreted to give effect to HIPAA compliance. In the event of an inconsistency between this BAA and HIPAA as interpreted by HHS or a court of competent jurisdiction, HIPAA shall control. Where this BAA is more protective than HIPAA requires, the more protective provisions shall apply to the extent permitted by law.

6.6 Governing Law. This BAA is governed by the laws of the State of California and applicable U.S. federal law (including HIPAA and the HITECH Act), without regard to conflict of laws principles, consistent with the TOS.

6.7 Severability. If any provision of this BAA is found invalid or unenforceable, it shall be reformed to the minimum extent necessary to make it enforceable, and all remaining provisions shall remain in full force.

6.8 Entire Agreement. This BAA, together with the TOS, constitutes the entire agreement between the parties with respect to the subject matter herein and supersedes all prior oral or written agreements relating to PHI.

6.9 DISCLAIMER. HEALTHCAREGPS MAKES NO WARRANTY THAT ITS SECURITY MEASURES WILL PREVENT ALL UNAUTHORIZED ACCESS TO PHI. CUSTOMER IS RESPONSIBLE FOR ENSURING THAT ITS OWN USE OF THE PLATFORM COMPLIES WITH HIPAA AND ALL APPLICABLE STATE PRIVACY LAWS. NOTHING IN THIS BAA CONSTITUTES LEGAL ADVICE, AND CUSTOMER SHOULD CONSULT QUALIFIED LEGAL COUNSEL REGARDING ITS OWN HIPAA OBLIGATIONS.

Electronic Acceptance

By clicking "I Agree" to this BAA at checkout, you acknowledge that you have read, understood, and agree to be legally bound by this Business Associate Agreement Addendum as part of your MedicareCopilot subscription.

This BAA is incorporated by reference into the MedicareCopilot Subscription Terms of Service and has the same legal force and effect.