This HIPAA Business Associate Agreement ("Agreement") is entered into as of the 7th day of January, 2026 by and between
("Covered Entity") and
HealthDatix, Inc. (the "Business Associate").
W I T N E S S E T H:
WHEREAS, the Covered Entity is required under the HIPAA Rules to obtain written assurances from a business associate that the business associate will appropriately safeguard protected health information ("PHI") as defined under the HIPAA Rules; and
WHEREAS, the Business Associate recognizes and is willing to comply with the specific requirements imposed pursuant to the HIPAA Rules as required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009, commonly known as the Health Information Technology for Economic and Clinical Health Act ("HITECH") and the Omnibus Rule (2013); and
WHEREAS, the Covered Entity has or shall engage the Business Associate to provide services involving the use of PHI.
NOW, THEREFORE, in consideration of the premises, promises and mutual covenants contained herein and other good and valuable consideration, the sufficiency of which is hereby acknowledged, it is mutually covenanted and agreed by and between Covered Entity and Business Associate as follows:
- Definitions.
- General. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, PHI, Required By Law, Secretary, Security Incident, Subcontractor, and Unsecured PHI. Terms used, but not otherwise defined in this Agreement, shall have the same meaning as those terms are given when defined in the HIPAA Rules.
- Specific Definitions.
- Business Associate: "Business Associate" shall generally have the same meaning as the term "business associate" at 45 C.F.R. §160.103, and in reference to the party to this Agreement, shall mean the Business Associate as first defined above.
- Covered Entity: "Covered Entity" shall generally have the same meaning as the term "the Covered Entity" at 45 C.F.R. §160.103, and in reference to the party to this Agreement, shall mean the Covered Entity as first defined above; provided, however, that in the event that same is otherwise a hybrid entity under the HIPAA Rules, that entity may appropriately designate a health care component of the entity, pursuant to 45 C.F.R. §164.105(a), as the Covered Entity for purposes of this Agreement.
- HIPAA Rules: "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164.
- Security Incident: 45 CFR § 164.304 defines "security incident" as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- Breach: "Breach" shall mean an impermissible use or disclosure which compromises the security or privacy of the Protected Health Information. The HIPAA Breach Notification Rule, 45 CFR § 164.400-414, requires HIPAA Covered Entities and their Business Associates to provide notification of breach of Protected Health Information which has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology.
- Term. This Agreement shall remain in effect for the duration of this Agreement and shall apply to all of the Services and/or Supplies delivered by the Business Associate pursuant to this Agreement.
- HIPAA Assurances. In the event Business Associate creates, receives, maintains, or otherwise is exposed to personally identifiable or aggregate patient or other medical information defined as Protected Health Information ("PHI") in the Health Insurance Portability and Accountability Act of 1996 or its relevant regulations ("HIPAA") and otherwise meets the definition of Business Associate as defined in the HIPAA Privacy Standards (45 CFR Parts 160 and 164), Business Associate shall:
- Recognize that HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009) and the regulations thereunder (including 45 C.F.R. Sections 164.308, 164.310, 164.312, and 164.316), apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity;
- Not use or further disclose the PHI, except as permitted by law;
- Not use or further disclose the PHI in a manner that, had Covered Entity done so, would violate the requirements of HIPAA;
- Use appropriate safeguards (including implementing administrative, physical, and technical safeguards for electronic PHI) to protect the confidentiality, integrity, and availability of and to prevent the use or disclosure of the PHI other than as provided for by this Agreement;
- Comply with each applicable requirement of 45 C.F.R. Part 162 if the Business Associate conducts Standard Transactions for or on behalf of the Covered Entity;
- Report promptly to Covered Entity any security incident or other use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware;
- Ensure that any subcontractors or agents who receive or are exposed to PHI (whether in electronic or other format) have the Business Associate obligations under this paragraph explained to them and agree to the same restrictions and conditions;
- Make available PHI in accordance with the individual’s rights as required under the HIPAA regulations;
- Account for PHI disclosures for up to the past six (6) years as requested by Covered Entity, which shall include:
- dates of disclosure,
- names of the entities or persons who received the PHI,
- a brief description of the PHI disclosed, and
- a brief statement of the purpose and basis of such disclosure;
- Make its internal practices, books, and records that relate to the use and disclosure of PHI available to the U.S. Secretary of Health and Human Services for purposes of determining Customer’s compliance with HIPAA; and
- Incorporate any amendments or corrections to PHI when notified by Customer or enter into a Business Associate Agreement or other necessary Agreements to comply with HIPAA.
- Termination Upon Breach of Provisions. Notwithstanding any other provision of this Agreement, Covered Entity may immediately terminate this Agreement if it determines that Business Associate breaches any term in this Agreement. Alternatively, Covered Entity may give written notice to Business Associate in the event of a breach and give Business Associate five (5) business days to cure such breach. Covered Entity shall also have the option to immediately stop all further disclosures of PHI to Business Associate if Covered Entity reasonably determines that Business Associate has breached its obligations under this Agreement. In the event that termination of this Agreement and the Agreement is not feasible, Business Associate hereby acknowledges that the Covered Entity shall be required to report the breach to the Secretary of the U.S. Department of Health and Human Services, notwithstanding any other provision of this Agreement or Agreement to the contrary.
- Return or Destruction of Protected Health Information upon Termination. Upon the termination of this Agreement, unless otherwise directed by Covered Entity, Business Associate shall either return or destroy all PHI received from the Covered Entity or created or received by Business Associate on behalf of the Covered Entity which Business Associate maintains in any form. Business Associate shall not retain any copies of such PHI. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible upon termination of this Agreement, Business Associate shall provide to Covered Entity notification of the condition that makes return or destruction infeasible. To the extent that it is not feasible for Business Associate to return or destroy such PHI, the terms and provisions of this Agreement shall survive such termination or expiration and such PHI shall be used or disclosed solely as permitted by law for so long as Business Associate maintains such Protected Health Information.
- No Third Party Beneficiaries. The parties agree that the terms of this Agreement shall apply only to themselves and are not for the benefit of any third party beneficiaries.
- De-Identified Data. Notwithstanding the provisions of this Agreement, Business Associate and its subcontractors may disclose non-personally identifiable information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified.
- Miscellaneous.
- Amendment. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Rules, such party shall so notify the other party in writing. For a period of up to thirty (30) days, the parties shall address in good faith such concern and shall amend the terms of this Agreement if necessary to bring it into compliance. If after such thirty (30) day period the terms and conditions of this Agreement fail to comply with the HIPAA Rules with respect to the concern(s) raised pursuant to this Agreement, then either party has the right to terminate this Agreement upon written notice to the other party.
- Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
- Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
- Notices. Any notice to be given under this Agreement to a party shall be made via U.S. Mail, commercial courier or hand delivery to such party at its address given above, or to such other address, as shall hereafter be specified by notice from the party. Any such notice shall be deemed given when so delivered to or received at the proper address.
- Assignment. This Agreement applies to the Services being provided by Business Associate and may not be assigned without the written consent of Covered Entity. An agreement with a Subcontractor that complies with the requirements of this Agreement shall not be an assignment for the purposes of this Agreement.
- Governing Law; Venue. This Agreement shall be governed by, construed, interpreted and enforced under the laws of the State of Florida, without regard to its choice of law provisions. The Parties agree to submit to the exclusive jurisdiction of, and venue in, the courts in Palm Beach County in Florida in any dispute arising out of or relating to the Agreement.
- Survival. The obligations imposed by this Agreement shall survive any expiration or termination of this Agreement.