Business Associate Agreement
HIPAA Business Associate Agreement between Covered Entity and Ajentik
Important Notice
This is a template Business Associate Agreement provided for review purposes. The actual BAA must be executed through your account dashboard or by contacting our compliance team at hipaa@ajentik.com.
Agreement Sections
This Business Associate Agreement ("Agreement") is entered into between the healthcare organization ("Covered Entity") and Ajentik AI Pte. Ltd. ("Business Associate"), effective as of the date of execution through the Ajentik platform.
1. Definitions
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations at 45 CFR Parts 160, 162, and 164 ("HIPAA Rules").
1.1 "Breach" shall have the same meaning as the term "breach" at 45 CFR 164.402.
1.2 "Business Associate" shall mean Ajentik AI Pte. Ltd.
1.3 "Covered Entity" shall mean the healthcare organization that has executed this Agreement.
1.4 "Data Aggregation" shall have the same meaning as the term "data aggregation" at 45 CFR 164.501.
1.5 "Designated Record Set" shall have the same meaning as the term "designated record set" at 45 CFR 164.501.
1.6 "Electronic Protected Health Information" or "ePHI" means Protected Health Information that is created, received, maintained, or transmitted in electronic media.
1.7 "Individual" shall have the same meaning as the term "individual" at 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
1.8 "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" at 45 CFR 160.103.
1.9 "Required by Law" shall have the same meaning as the term "required by law" at 45 CFR 164.103.
1.10 "Secretary" shall mean the Secretary of the Department of Health and Human Services or designee.
1.11 "Security Incident" shall have the same meaning as the term "security incident" at 45 CFR 164.304.
1.12 "Unsecured Protected Health Information" shall have the same meaning as the term "unsecured protected health information" at 45 CFR 164.402.
2. Obligations and Activities of Business Associate
Business Associate agrees to:
2.1 Not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
2.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
2.3 Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR 164.410.
2.4 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
2.5 Make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524.
2.6 Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526.
2.7 Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528.
2.8 To the extent the Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
2.9 Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
3. Permitted Uses and Disclosures by Business Associate
3.1 Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Service Agreement.
3.2 Business Associate may use or disclose PHI as Required by Law.
3.3 Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity's minimum necessary policies and procedures.
3.4 Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
3.5 Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.6 Business Associate may provide Data Aggregation services relating to the health care operations of the Covered Entity.
De-identification Safe Harbor
Business Associate may de-identify PHI in accordance with 45 CFR 164.514(a)-(c). Business Associate may use such de-identified data for its own purposes, including but not limited to research, development, and improvement of services, provided that such use complies with all applicable laws and regulations.
4. Appropriate Safeguards
Business Associate shall implement and maintain appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by this Agreement, including but not limited to:
4.1 Administrative Safeguards:
- Security Officer designation and responsibilities
- Workforce training and access management procedures
- Access authorization and termination procedures
- Security awareness and training programs
- Security incident response procedures
- Business Associate Agreements with subcontractors
4.2 Physical Safeguards:
- Facility access controls
- Workstation use and security policies
- Device and media controls
4.3 Technical Safeguards:
- Unique user identification and automatic logoff
- Encryption and decryption of ePHI
- Audit logs and controls
- Integrity controls
- Transmission security
5. Breach Notification
5.1 Business Associate shall notify Covered Entity without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a Breach of Unsecured PHI.
5.2 Such notification shall include, to the extent possible:
- The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach
- A description of what happened, including the date of the Breach and the date of discovery
- A description of the types of Unsecured PHI involved
- Any steps Individuals should take to protect themselves from potential harm
- A description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against future Breaches
- Contact procedures for Individuals to ask questions or learn additional information
5.3 Business Associate shall provide such other information as Covered Entity may reasonably request.
5.4 Business Associate shall maintain documentation of all required notifications and shall, upon request, provide such documentation to Covered Entity or the Secretary.
Security Incident Reporting
Business Associate shall report to Covered Entity any Security Incident of which it becomes aware, including attempted but unsuccessful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in an information system containing PHI.
6. Subcontractors and Agents
6.1 Business Associate shall ensure that any agents, including subcontractors, to whom it provides PHI agree in writing to the same restrictions and conditions that apply to Business Associate with respect to such PHI.
6.2 Business Associate shall ensure that any agents, including subcontractors, to whom it provides ePHI agree in writing to implement reasonable and appropriate safeguards to protect such ePHI.
6.3 Business Associate shall obtain written certification from any agent or subcontractor that the agent or subcontractor has implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.
7. Access and Amendment
7.1 Access: Within ten (10) business days of receipt of a request from Covered Entity for access to PHI about an Individual contained in a Designated Record Set, Business Associate shall make available to Covered Entity such PHI for so long as Business Associate maintains such information in the Designated Record Set.
7.2 Amendment: Within ten (10) business days of receipt of a request from Covered Entity for the amendment of an Individual's PHI contained in a Designated Record Set, Business Associate shall incorporate any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526.
8. Accounting of Disclosures
Within thirty (30) days of notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity information collected in accordance with Section 2.7 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
9. Termination
9.1 Termination for Cause: Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either:
- Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; or
- Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible.
9.2 Effect of Termination:
- Except as provided in paragraph 9.3, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
- In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon determination that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
9.3 Survival: The obligations of Business Associate under Section 9.2 shall survive the termination of this Agreement.
10. Survival
The respective rights and obligations of Business Associate under Sections 5 (Breach Notification), 9.2 (Effect of Termination), and this Section 10 (Survival) shall survive the termination of this Agreement.
11. Indemnification
11.1 Business Associate shall indemnify, defend, and hold harmless Covered Entity, its officers, directors, employees, and agents from and against any claim, cause of action, liability, damage, cost, or expense (including reasonable attorneys' fees and costs of litigation) arising out of or in connection with any breach of this Agreement by Business Associate or any violation of HIPAA by Business Associate.
11.2 Covered Entity shall indemnify, defend, and hold harmless Business Associate, its officers, directors, employees, and agents from and against any claim, cause of action, liability, damage, cost, or expense (including reasonable attorneys' fees and costs of litigation) arising out of or in connection with any negligent or wrongful acts or omissions of Covered Entity in connection with its obligations under this Agreement or HIPAA.
12. Amendment
The parties acknowledge that federal and state laws relating to data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, HITECH, and other applicable laws relating to the security or confidentiality of PHI. Upon request of either party, the other party agrees to promptly enter into negotiations concerning an amendment to this Agreement embodying written assurances consistent with the requirements of HIPAA, HITECH, or other applicable laws.
13. Interpretation
13.1 Regulatory References: A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
13.2 No Third-Party Beneficiaries: Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
13.3 Ambiguities: Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
13.4 Governing Law: This Agreement shall be governed by the laws of Singapore, without regard to its conflict of law provisions.
Execution
This Business Associate Agreement is executed electronically through the Ajentik platform. By clicking "Accept" or using our services for PHI processing, you acknowledge that you have read, understood, and agree to be bound by the terms of this Agreement.
Covered Entity
[Organization Name]
By: [Authorized Representative]
Title: [Title]
Date: [Date of Execution]
Business Associate
Ajentik AI Pte. Ltd.
By: Authorized Representative
Title: Chief Compliance Officer
Date: [Date of Execution]
Need Help? For questions about this Business Associate Agreement or to request execution, please contact our HIPAA compliance team at hipaa@ajentik.com or call +65 8892 8831.
Questions? Contact our Data Protection Officer at dpo@ajentik.com