
Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into by and between Client (“Covered Entity”) and Vali (“Business Associate” or “BA”) as of Effective Date.
1. Definitions
HIPAA Rules: 45 C.F.R. Parts 160 and 164 (the Privacy, Security, Breach Notification, and Enforcement Rules).
PHI / ePHI: Protected Health Information, including electronic PHI, as defined in 45 C.F.R. § 160.103, limited to the PHI BA creates, receives, maintains, or transmits on behalf of Covered Entity in connection with scheduling, workforce management, and related services.
Breach, Security Incident, Unsecured PHI: As defined in 45 C.F.R. §§ 164.402 and 164.304.
2. Permitted Uses and Disclosures by BA
2.1 Services. BA may use and disclose PHI solely to perform scheduling, workforce management, analytics, and related support services described in the Agreement and as otherwise permitted or required by this BAA or applicable law.
2.2 Minimum Necessary. BA shall request, use, and disclose only the minimum necessary PHI to accomplish the intended purpose.
2.3 Management and Legal Responsibilities. BA may use PHI for its proper management and administration and to carry out its legal responsibilities, and may disclose PHI for such purposes provided: (a) the disclosure is required by law; or (b) BA obtains reasonable written assurances from the recipient that the PHI will remain confidential, used or further disclosed only as required by law or for the purpose for which it was disclosed, and the recipient will notify BA of any breach.
2.4 Data Aggregation. BA may aggregate PHI with other data it maintains in order to provide Covered Entity with analytics, benchmarking, and reporting services for the Covered Entity’s health care operations, provided such use is consistent with HIPAA.
2.5 De-Identification. BA may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(b). De-identified data is not PHI, and BA may use such de-identified data for analytics, product improvement, research, development, and other lawful business purposes.
2.6 Product Improvement and Development. BA may use PHI internally in de-identified, aggregated, or derivative form for the purpose of improving, testing, and developing BA’s products and services, provided such use is in compliance with HIPAA.
3. Safeguards and Security Rule Compliance
3.1 Safeguards. BA shall implement administrative, physical, and technical safeguards and comply with the Security Rule with respect to all ePHI it creates, receives, maintains, or transmits.
3.2 Policies, Training, and Risk Management. BA shall maintain policies and procedures, workforce training, access controls, audit controls, integrity protections, transmission security, and a documented risk analysis and risk management program appropriate to the nature of the Services and PHI.
3.3 Subcontractors. BA shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of BA agrees to the same restrictions and conditions that apply to BA with respect to such PHI.
4. Breach Notification
BA shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA and any Security Incident of which BA becomes aware.
In the event of a Breach of Unsecured PHI, BA shall notify Covered Entity without unreasonable delay after discovery of the Breach. Such notification shall include, to the extent known to BA: (a) the identification of each individual whose PHI has been, or is reasonably believed by BA to have been, accessed, acquired, used, or disclosed during the Breach; and (b) such other information as is reasonably requested by Covered Entity to meet its obligations under 45 C.F.R. Part 164, Subpart D.
Covered Entity shall be responsible for providing any required notifications to individuals, the Secretary of HHS, and the media, as applicable. BA shall reasonably cooperate with Covered Entity in investigating the Breach and fulfilling Covered Entity’s notification obligations.
5. Individual Rights Support
5.1 Access. BA shall make available to Covered Entity any PHI in BA’s possession that is part of a Designated Record Set maintained by BA (i.e., limited to scheduling information) in the time and manner mutually agreed.
5.2 Amendment. BA shall make such PHI available for amendment and incorporate any amendments directed by Covered Entity pursuant to 45 C.F.R. § 164.526.
5.3 Accounting of Disclosures. BA shall maintain and provide information required for Covered Entity to provide an accounting of disclosures under 45 C.F.R. § 164.528.
6. HHS Access; Books and Records
BA shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity’s and BA’s compliance with the HIPAA Rules.
7. Return or Destruction of PHI
Upon expiration or termination of the Agreement, BA shall securely delete or return to Covered Entity all PHI in accordance with BA’s data retention and destruction policies. If BA determines that return or destruction is infeasible, BA shall extend the protections of this BAA to such PHI, limit further uses and disclosures to those purposes that make the return or destruction infeasible, and continue to safeguard the PHI for so long as BA retains it.
8. Term and Termination
8.1 Term. This BAA is effective as of the Effective Date and remains in effect until all PHI is returned to Covered Entity or destroyed.
8.2 Termination for Cause (by Covered Entity). Covered Entity may terminate this BAA (and the Agreement, if permitted by the Agreement) if it determines BA has violated a material term of this BAA and BA has failed to cure the breach within thirty (30) days after written notice.
8.3 Termination for Cause (by Business Associate). BA may terminate this BAA (and the Agreement, if permitted by the Agreement) if it determines that Covered Entity has violated a material term of this BAA.
9. Miscellaneous
9.1 Order of Precedence. In the event of a conflict between this BAA and the Agreement, this BAA controls with respect to PHI.
9.2 No Third-Party Beneficiaries. Nothing in this BAA creates rights in any third party.
9.3 Amendment for Legal Compliance. The parties shall amend this BAA to the extent required to comply with changes to the HIPAA Rules or other applicable law.
9.4 De-Identification. If expressly authorized in the Order Form, BA may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(b). De-identified data is not PHI; ownership and permitted uses shall be as stated in the Order Form.