
Frontdesk Business Associate Agreement

Last updated March 20, 2025

This Frontdesk Business Associate Agreement (“BAA”) is incorporated into the applicable Frontdesk Terms of Service or Master Services Agreement (the “Underlying Agreement”) for any TCF Corp (“Frontdesk”) client in which the applicable Frontdesk Services (as defined in the Underlying Agreement) may involve the creation, maintenance, use, transmission or disclosure of protected health information (“PHI”) within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations, 45 CFR Parts 160 and 164 as they shall be amended (collectively the “HIPAA Rules”). In such case, Frontdesk will be considered the “Business Associate” hereunder and the Frontdesk client will be considered the “Covered Entity” hereunder.

If and only to the extent that Business Associate is a “business associate” as defined in the HIPAA Rules, this BAA supplements the Underlying Agreement and is intended to and will be interpreted to satisfy the requirements for business associate agreements as set forth in the HIPAA Rules. If Business Associate is not a business associate as defined in the HIPAA Rules, this BAA will be void notwithstanding any other terms to the contrary.

1. DEFINITIONS

The following terms used in this BAA will have the same meaning as those terms in the HIPAA Rules: Business Associate, Breach, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Privacy Officer, Privacy Rule, Protected Health Information, Required By Law, Secretary, Security Rule, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. All other capitalized terms not defined in this BAA will have the meaning set forth in the Underlying Agreement.

2. RESPONSIBILITIES OF BUSINESS ASSOCIATE

Business Associate agrees to:

2.1 Use and Disclosure

Not use or disclose PHI other than as permitted by Section 3 below, or as otherwise required by law;

2.2 Safeguards

Use appropriate safeguards to prevent the use or disclosure of protected health information other than as permitted by this BAA, and to the extent applicable to business associates, Business Associate will comply with the requirements in 45 CFR Part 164, Subpart C (“HIPAA Security Rule”) including the use of administrative, physical and technical safeguards to protect electronic protected health information;

2.3 Reporting

Report to Covered Entity any use or disclosure of PHI not provided for by the BAA of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident as required by 45 CFR § 164.314(a)(2). The parties acknowledge that Business Associate is periodically subject to attempted but unsuccessful attempts to access its information system (e.g., typical “pings” or port scans), but that such unsuccessful attempts are trivial, routine, and do not constitute a material threat to the security of protected health information. The parties agree that further notice of such trivial but unsuccessful attempts will not be required unless expressly required by Covered Entity;

2.4 Subcontractors

In accordance with 45 CFR 164.502(e)(1)-(2) and 164.308(b)(2)-(3), if applicable, to ensure that any subcontractor(s) that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. Business Associate may fulfill this requirement by having the subcontractors execute an agreement that incorporates the terms of this BAA;

2.5 Access to PHI

Within fifteen (15) days after Covered Entity’s request, make available PHI in a designated record set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;

2.6 Amendments

Within thirty (30) days after Covered Entity’s request, make available to Covered Entity any protected health information for amendment and incorporate any amendments to protected health information as necessary to enable Covered Entity to satisfy its obligations under 45 CFR 164.526;

2.7 Accounting of Disclosures

Within thirty (30) days after Covered Entity’s request, make available to Covered Entity the information required to provide an accounting of disclosures as necessary to enable Covered Entity to satisfy Covered Entity’s obligations under 45 CFR 164.528;

2.8 Privacy Rule Compliance

To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under 45 CFR Part 164, Subpart E (“HIPAA Privacy Rule”), comply with the requirements of the HIPAA Privacy Rule that apply to the Covered Entity in the performance of such obligation(s); and

2.9 Records Availability

Make Business Associate’s internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Rules.

3. USES AND DISCLOSURES BY BUSINESS ASSOCIATE

3.1. Permitted Uses and Disclosures of PHI

Business Associate may use or disclose protected health information only as follows:

3.1.1. As necessary to perform the services set forth in the Underlying Agreement, or as otherwise expressly authorized or permitted by the Underlying Agreement.

3.1.2. To de-identify protected health information in accordance with 45 CFR § 164.514(a)-(c). Any information that has been de-identified as provided in this Agreement will not be subject to this BAA and Business Associate will be entitled to use it for its own purposes.

3.1.3. As required by law.

3.1.4. For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that: (i) any disclosures for these purposes are required by law, or (ii)(a) Business Associate obtains reasonable assurances from the entity to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the entity, and (b) the entity notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.1.5. To provide data aggregation services relating to the health care operations of Covered Entity as defined in 45 CFR § 164.501 and for the creation of de-identified information as set forth in Section 3.1.2.

3.2. Impermissible Uses or Disclosures

Business Associate may not use or disclose protected health information in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity except for the specific uses and disclosures set forth in Sections 3.1.1-3.1.5, above.

3.3. Minimum Necessary

Business Associate agrees to make uses and disclosures and requests for protected health information consistent with Covered Entity’s minimum necessary policies and procedures as disclosed by Covered Entity to Business Associate in advance.

4. RESPONSIBILITIES OF COVERED ENTITY

4.1. Representations and Warranties

Covered Entity represents and warrants that, prior to execution of this BAA and at all times during this BAA, (i) Covered Entity has obtained or will obtain any consent or authorization required by the HIPAA Rules or other law necessary for Business Associate to perform its duties pursuant to this BAA; and (ii) Covered Entity has notified Business Associate of:

4.1.1. Any limitation(s) in Covered Entity’s notice of privacy practices, policies, or agreements, or any order or other limitation imposed on Covered Entity, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

4.1.2. Any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

4.1.3. Any restriction on the use or disclosure of PHI to which Covered Entity has agreed or which Covered Entity is required to abide under 45 CFR 164.522, to the extent that such restriction may impact in any manner Business Associate’s use or disclosure of PHI.

4.2. Notice of Change by Covered Entity

Covered Entity agrees to immediately notify Business Associate of any non-compliance with the representations and warranties identified in Section 4.1, including any change in the limitations, agreements, or restrictions identified in Section 4.1. Covered Entity understands and agrees that Business Associate entered into this BAA in reliance on Covered Entity’s representations and warranties in Section 4.1, and that any non-compliance or change in limitations, agreements or restrictions may affect Business Associate’s performance under this BAA and will entitle Business Associate to immediately terminate this BAA and/or the Underlying Agreement at Business Associate’s election.

5. REQUESTS BY COVERED ENTITY

Covered Entity will not request Business Associate to use or disclose protected health information in any manner that would not be permissible under the HIPAA Privacy Rule if done by Covered Entity.

6. TERM AND TERMINATION

6.1. Term

The Term of this BAA will commence on the Effective Date of the Underlying Agreement and will terminate on the termination date of the Underlying Agreement or on the date Covered Entity terminates this BAA for cause as authorized in Section 6.2, whichever is sooner.

6.2. Termination

This BAA may be terminated as follows:

6.2.1. Either party may terminate this BAA upon thirty (30) days prior written notice to the other party due to a material breach of this BAA by the other party. The breaching party will have the opportunity to cure the breach during the 30-day notice period. If the breaching party fails to cure the breach within the 30-day notice period, the non-breaching party may declare the BAA terminated by providing written notice at the end of the 30-day period.

6.2.2. Either party may terminate this BAA if either party determines that the other party has violated any law or regulation and/or that continued performance under this BAA may subject the party to adverse action by any governmental agency.

6.2.3. Business Associate may terminate this BAA pursuant to Section 4.2.

6.2.4. This BAA will automatically terminate without any further action of the parties upon the termination or expiration of the Underlying Agreement.

6.3. Obligations of Business Associate upon Termination

Upon termination of this BAA for any reason, Business Associate, with respect to protected health information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, will:

6.3.1. Retain only that protected health information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities as described in Section 3.1.4.

6.3.2. If feasible, return or destroy all other protected health information in Business Associate’s control.

6.3.3. For any protected health information that is retained, continue to extend the protections of this BAA to such information and limit further uses and disclosures to those purposes permitted by this BAA.

6.3.4. Business Associate’s obligations under this Section 6.3 will terminate upon termination of this BAA.

7. MISCELLANEOUS

7.1 Amendments; Waiver

The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary to comply with the requirements of the HIPAA Rules and any other applicable law or, if the parties cannot agree on such amendment, to terminate this BAA upon notice to the other party. A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

7.2 Governing Law

This BAA will be construed to comply with the requirements of the HIPAA Rules, and any ambiguity in this BAA will be interpreted to permit compliance with the HIPAA Rules. All other aspects of this BAA will be governed under the laws of the State in which Business Associate maintains its principal place of business.

7.3 Assignment/Subcontracting

This BAA will inure to the benefit of and be binding upon the parties and their respective legal representatives, successors and assigns. Business Associate may assign or subcontract rights or obligations under this BAA to subcontractors or third parties without the express written consent of Covered Entity. Covered Entity may assign its rights and obligations under this BAA to any successor or affiliated entity.

7.4 Cooperation

The parties agree to cooperate with each other’s efforts to comply with the requirements of the HIPAA Rules and other applicable laws; to assist each other in responding to and mitigating the effects of any breach of protected health information in violation of HIPAA Rules or this BAA; and to assist the other party in responding to any investigation, complaint, or action by any government agency or third party relating to the performance of this BAA.

7.5 Relation to Underlying Agreement

This BAA supplements the Underlying Agreement. The terms and conditions of the Underlying Agreement will continue to apply to the extent not inconsistent with this BAA. If there is a conflict between this BAA and the Underlying Agreement with respect to the subject matter of this BAA, this BAA will control, but only to the extent necessary to resolve the conflict.

7.6 Interpretation

Any ambiguity in this BAA will be interpreted to permit compliance with the HIPAA Rules.

7.7 No Third-Party Beneficiaries

Nothing express or implied in this BAA is intended to confer, nor will anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.

7.8 Limitation on Liability

In no event will Business Associate or any of its directors, officers, agents, parents, affiliates, or subsidiaries (collectively “Business Associate”) be liable to Covered Entity or any third party for any special, consequential, incidental, or indirect loss or damages arising out of Business Associate’s acts or omissions relating to this BAA or the HIPAA Rules whether or not Covered Entity has been advised of the possibility of such loss or damages. In all cases, Business Associate’s aggregate liability under any legal theory, including contract, tort, or other bases, will not exceed the fees paid by Covered Entity to Business Associate pursuant to the Underlying Agreement during the six (6) month period prior to the first occurrence upon which liability is based.

7.9 Entire Agreement

This BAA contains the entire agreement between the parties as it relates to the use or disclosure of protected health information, and supersedes all prior discussions, negotiations, and services relating to the same to the extent such other prior communications are inconsistent with this BAA.

7.10 Notices

Any notices to be given hereunder to a party will be made via email to the email address associated with the Client’s account (for Covered Entity) or to legal@frontdesk.ai (for Business Associate), or as otherwise described in the Underlying Agreement. Notices sent by email shall be deemed effective upon the sender’s receipt of a delivery confirmation or, if no delivery confirmation is received, one (1) business day after sending, provided no “bounce back” or error message is received.
