Terms of Service

Effective Date: February 5, 2026

1. DEFINITIONS

• "Services"means Reap's proprietary healthcare SaaS platform and any associated applications, tools, or documentation made available by Reap to customers.
• "Authorized Users"means individuals who are authorized by Customer to use the Services on Customer's behalf.
• "Customer Data" means any data, including Personal Health Information (PHI), submitted by or on behalf of Customer to the Services.
• "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, including amendments and implementing regulations.
• "BAA" means the Business Associate Agreement attached as Exhibit A.
• "Order Form"means the ordering document executed by the parties that specifies the Services, fees, billing frequency (annual or monthly), and any other commercial terms applicable to Customer's subscription.
• "Confidential Information"means any non-public information disclosed by one party ("Disclosing Party") to the other ("Receiving Party"), whether orally, in writing, or electronically, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information includes, without limitation, Customer Data, business plans, product roadmaps, pricing, financial information, technical data, and trade secrets.
• "Federal Healthcare Program" means any plan or program that provides health benefits, whether directly, through insurance, or otherwise, which is funded directly, in whole or in part, by the United States Government or any State health care program, including Medicare and Medicaid (as defined at 42 U.S.C. § 1320a-7b(f)).
• "Applicable Healthcare Laws" means all federal and state laws, rules, and regulations governing healthcare, including without limitation the federal Anti-Kickback Statute (42 U.S.C. § 1320a-7b), the Stark Law (42 U.S.C. § 1395nn), the False Claims Act (31 U.S.C. §§ 3729–3733), HIPAA, and any applicable state equivalents thereof.
• "SNF" or "Skilled Nursing Facility" means a facility that provides skilled nursing care and related services to patients who require medical, nursing, or rehabilitative services, as defined under 42 U.S.C. § 1395i-3 and applicable state law.

2. SERVICES AND ACCESS

• 2.1 Provision of Services. Subject to the terms of this Agreement, Reap will provide Customer and its Authorized Users access to the Services during the Term.
• 2.2 Usage Restrictions. Customer shall not, and shall not permit others to:
  • Reverse engineer or decompile the Services;
  • Use the Services for any purpose other than internal business operations;
  • Use the Services in violation of any applicable laws, including HIPAA; or
  • Use the Services to train, develop, or improve any competing software, product, or service.
• 2.3 Customer Responsibilities. Customer is responsible for:
  • Maintaining the confidentiality of access credentials;
  • Ensuring Authorized Users comply with this Agreement; and
  • Obtaining any necessary consents for processing Customer Data.
• 2.4 Nature of Services — No Healthcare Referrals.The Services constitute administrative, operational, and technology tools designed to support Customer's internal business operations. Nothing in this Agreement shall be construed to: (a) require Customer to refer, recommend, arrange for, or provide any items or services to any individual enrolled in a Federal Healthcare Program; (b) constitute a referral of patients or healthcare services by either party; (c) create a joint venture, partnership, or agency relationship between the parties for purposes of Applicable Healthcare Laws; or (d) require Customer to purchase, lease, order, or arrange for any items or services from Reap other than the Services specified in the Order Form. Customer acknowledges that its decision to use the Services is based on the Services' functionality and utility for Customer's internal operations and is not conditioned on, or in exchange for, any referral of business between the parties.

3. FEES AND PAYMENT

• 3.1 Fees. Customers shall pay Reap the fees set forth in the applicable Order Form. Unless the Order Form expressly specifies monthly billing, all fees shall be calculated and invoiced on an annual basis. If monthly billing is specified in the Order Form, fees shall be invoiced monthly in advance at the applicable monthly rate stated therein.
• 3.2 Introductory Pricing.Reap may offer a discounted introductory pricing period ("Introductory Term") for a fixed duration (e.g., 30 or 90 days). The Introductory Term is available only to first-time customers and may not be combined with other offers. Upon expiration of the Introductory Term, pricing will automatically revert to Reap's then-current standard pricing for the selected modules unless otherwise agreed in writing.
• 3.3 Invoicing and Payment.Fees will be invoiced in advance and are due within thirty (30) days of the invoice date unless otherwise stated. All payments are non-refundable, except as expressly provided in Sections 4.5, 5.2, 5.4, and 10.8 of this Agreement. Late fees of 1.5% per month (or the maximum rate permitted by law, whichever is less) shall apply to any amounts not paid when due. Reap reserves the right to suspend access to the Services upon fifteen (15) days' written notice if amounts remain overdue, provided that Reap shall not suspend access if Customer has disputed the applicable invoice in good faith and the parties are actively working to resolve the dispute.
• 3.4 Automatic Billing. Customer agrees to automatic monthly billing via the credit card on file unless alternative payment arrangements are specified in the Order Form.
• 3.5 Taxes.All fees are exclusive of taxes, which shall be the responsibility of the customer, other than taxes on Reap's income.
• 3.6 Fair Market Value and Anti-Kickback Compliance.
  • (a) The fees set forth in each Order Form have been negotiated at arm's length and represent fair market value for the Services provided, without regard to the volume or value of any referrals or other business between the parties or involving any Federal Healthcare Program. No fee, discount, rebate, or other remuneration paid or provided under this Agreement is intended to induce or reward the referral of patients, the purchase, lease, or ordering of any item or service reimbursable by a Federal Healthcare Program, or the recommending or arranging for the purchase, lease, or ordering of any such item or service.
  • (b) Neither party shall knowingly offer, pay, solicit, or receive any remuneration, directly or indirectly, overtly or covertly, in cash or in kind, in exchange for or to induce the referral of an individual to a person for the furnishing of any item or service for which payment may be made in whole or in part under a Federal Healthcare Program.
  • (c) The parties intend for this Agreement to comply with the Anti-Kickback Statute (42 U.S.C. § 1320a-7b) and all applicable state anti-kickback and fee-splitting statutes. To the extent this Agreement is found not to comply with any such law, the parties agree to negotiate in good faith to amend the applicable provisions to achieve compliance while preserving the economic intent of the arrangement to the maximum extent possible.
• 3.7 Pricing Independence and State Compliance.
  • (a) Reap's pricing for the Services is determined independently for each Customer based on the scope of Services, number of facilities, usage volume, and other commercially relevant factors. Nothing in this Agreement grants Customer any right to pricing parity, most-favored-nation pricing, or equivalent pricing with any other customer of Reap. Fees may vary between customers and are treated as Confidential Information of Reap.
  • (b) To the extent Customer operates in a state that imposes specific requirements on vendor pricing, cost reporting, or fee transparency in connection with facilities that participate in Medicaid or other state healthcare programs, Customer shall notify Reap of any such requirements applicable to this Agreement, and the parties shall cooperate in good faith to ensure compliance. Reap shall provide Customer with commercially reasonable documentation of fees upon written request to support Customer's regulatory reporting obligations, subject to appropriate confidentiality protections.

4. DATA RIGHTS AND PRIVACY

• 4.1 Customer Data Ownership. As between the parties, Customer owns all rights, title, and interest in Customer Data.
• 4.2 License to Use Data. Customer grants Reap a non-exclusive, worldwide license to use Customer Data solely to provide and improve the Services during the Term. Customer further grants Reap a non-exclusive, worldwide, royalty-free license to use, reproduce, modify, and display Customer Data in an aggregated and de-identified form for product improvement, development, research, and benchmarking, subject to the following conditions:
  • (a) De-identification shall be performed in accordance with the HIPAA Safe Harbor method (45 CFR § 164.514(b)(2)) or the Expert Determination method (45 CFR § 164.514(b)(1));
  • (b) Reap shall not attempt to re-identify any de-identified data or combine de-identified data with other data in a manner that could reasonably be expected to identify any individual;
  • (c) De-identified and aggregated data shall not be shared with third parties in a form that could reasonably identify Customer or any individual; and
  • (d) This license shall survive termination of the Agreement solely with respect to data that has been de-identified prior to the effective date of termination.
• 4.3 PHI and HIPAA Compliance. If Customer Data includes PHI, the parties agree to the Business Associate Agreement in Exhibit A.
• 4.4 Data Security. Reap shall implement and maintain administrative, physical, and technical safeguards designed to protect Customer Data in accordance with industry standards and applicable law, including:
  • (a) Encryption of Customer Data at rest using AES-256 (or equivalent) and in transit using TLS 1.2 or higher;
  • (b) Access controls limiting access to Customer Data to authorized personnel on a need-to-know basis;
  • (c) Commercially reasonable vulnerability assessments and security testing; and
  • (d) An incident response plan that includes notification to Customer within seventy-two (72) hours of confirmed unauthorized access to Customer Data.
• 4.5 Subprocessors.Reap shall maintain a current list of subprocessors that process Customer Data, which shall be made available to Customer upon request. Reap shall provide Customer with at least thirty (30) days' prior written notice before engaging a new subprocessor that will process Customer Data. If Customer reasonably objects to a new subprocessor on data security or compliance grounds, the parties shall work in good faith to resolve the objection. If the objection cannot be resolved within thirty (30) days, Customer may terminate the affected Services without penalty upon written notice to Reap.

5. TERM AND TERMINATION

• 5.1 Term.This Agreement begins on the Effective Date and continues for an initial period of twelve (12) months (the "Initial Term"). Following the Initial Term, this Agreement shall automatically renew for successive twelve (12) month periods (each, a "Renewal Term") unless either party provides written notice of non-renewal at least ninety (90) days prior to the end of the then-current term. Where the Order Form specifies monthly billing, the Initial Term remains twelve (12) months; monthly billing reflects the invoicing frequency only and does not create a month-to-month arrangement unless the Order Form expressly states otherwise.
  
  Reap shall send Customer a written reminder of the upcoming renewal and the non-renewal deadline at least one hundred twenty (120) days before the end of the then-current term.
• 5.2 Termination.Either party may terminate this Agreement for cause upon thirty (30) days' written notice if the other party materially breaches this Agreement and fails to cure such breach within such thirty (30) day period. Either party may terminate this Agreement for convenience upon ninety (90) days' written notice.
  
  Upon termination by Customer for Reap's uncured material breach, or upon termination by Reap for convenience, Reap shall refund to Customer any prepaid fees covering the period after the effective date of termination on a pro-rata basis.
• 5.3 Effect of Termination. Upon termination:
  • Access to Services will cease;
  • All unpaid amounts for Services rendered through the effective date of termination shall become immediately due; and
  • Reap will delete or return Customer Data per the BAA and Section 5.6.
• 5.4 Opt-Out Period.Notwithstanding Section 5.1, Customer may terminate this Agreement for any reason during the first thirty (30) days following the Effective Date (the "Opt-Out Period") by providing written notice to Reap. Upon such termination, Customer shall pay only for the pro-rata portion of fees attributable to the period of actual use, and Reap shall refund any prepaid fees covering the period after the effective date of termination. This Section 5.4 applies only to the Initial Term and does not apply to Renewal Terms.
• 5.5 Trials. Any free or discounted trial period is provided as-is and may be terminated or modified at any time by Reap. At least seven (7) days before the end of the Introductory Term, Reap shall send Customer written notice specifying the date the trial ends, the applicable standard pricing, and instructions for cancellation. Unless Customer provides written notice of cancellation prior to the end of the Introductory Term, the Agreement shall continue under the standard fee schedule outlined in the Order Form.
• 5.6 Transition Assistance and Data Return.Upon expiration or termination of this Agreement for any reason, Reap shall, at Customer's request made within thirty (30) days after the effective date of termination:
  • (a) Provide Customer Data in a machine-readable, industry-standard format (e.g., CSV, JSON, or HL7/FHIR as applicable);
  • (b) Provide reasonable transition assistance for a period of up to ninety (90) days at Reap's then-current professional services rates; and
  • (c) Certify in writing the deletion of all Customer Data from Reap's systems (including backups) within ninety (90) days following the effective date of termination, subject to any legal or regulatory retention requirements.

6. CONFIDENTIALITY

• 6.1 Obligations.Each party agrees to: (a) hold the other party's Confidential Information in strict confidence; (b) not disclose Confidential Information to any third party except to employees, agents, or contractors who have a need to know and are bound by confidentiality obligations at least as protective as those in this Agreement; and (c) protect Confidential Information using at least the same degree of care it uses to protect its own confidential information, but in no event less than reasonable care.
• 6.2 Exclusions.Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the Receiving Party; (b) was already known to the Receiving Party without restriction prior to disclosure; (c) is independently developed by the Receiving Party without use of or reference to the Disclosing Party's Confidential Information; or (d) is received lawfully from a third party without restriction on disclosure.
• 6.3 Compelled Disclosure. If the Receiving Party is compelled by law, regulation, or legal process to disclose Confidential Information, the Receiving Party shall: (a) promptly notify the Disclosing Party (to the extent legally permitted) to allow the Disclosing Party to seek a protective order; and (b) disclose only the minimum amount of Confidential Information required.
• 6.4 Return and Destruction.Upon termination of this Agreement or upon the Disclosing Party's written request, the Receiving Party shall promptly return or destroy all Confidential Information in its possession and certify such return or destruction in writing, except to the extent retention is required by applicable law or regulation.
• 6.5 Survival. The obligations under this Section 6 shall survive termination or expiration of this Agreement for a period of five (5) years, except with respect to trade secrets, which shall be protected for as long as they remain trade secrets under applicable law.

7. WARRANTIES AND DISCLAIMERS

• 7.1 Reap Warranty. Reap warrants that: (a) the Services will materially conform to the applicable documentation; (b) the Services will be provided in a professional and workmanlike manner consistent with generally accepted industry standards; and (c) Reap will not knowingly introduce any malicious code into the Services.
• 7.2 Compliance Warranty. Each party warrants that it will comply with all laws and regulations applicable to its performance under this Agreement, including HIPAA and applicable state health information privacy laws.
• 7.3 Disclaimer.EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SERVICES ARE PROVIDED "AS IS." REAP DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
• 7.4 Regulatory Compliance Warranty. Each party represents and warrants that: (a) it shall not take any action in connection with this Agreement that would constitute a violation of Applicable Healthcare Laws, including without limitation the Anti-Kickback Statute, the Stark Law, or the False Claims Act; (b) neither it nor any of its owners, officers, directors, or employees has been excluded from participation in any Federal Healthcare Program or convicted of a criminal offense related to the provision of healthcare items or services; and (c) it shall promptly notify the other party if it or any of its owners, officers, directors, or employees becomes excluded from participation in any Federal Healthcare Program or is charged with or convicted of a healthcare-related criminal offense during the Term.

8. LIMITATION OF LIABILITY

• 8.1 Limitation.EXCEPT FOR THE EXCLUDED CLAIMS SET FORTH IN SECTION 8.3, EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO REAP IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
• 8.2 Exclusion of Consequential Damages. EXCEPT FOR THE EXCLUDED CLAIMS SET FORTH IN SECTION 8.3, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, REVENUE, DATA, OR BUSINESS OPPORTUNITY, REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
• 8.3 Excluded Claims. The limitations in Sections 8.1 and 8.2 shall not apply to:
  • (a) Either party's indemnification obligations under Section 9;
  • (b) Either party's breach of Section 6 (Confidentiality);
  • (c) Either party's breach of the BAA or HIPAA obligations;
  • (d) Either party's willful misconduct or gross negligence;
  • (e) Customer's obligation to pay fees due under this Agreement; or
  • (f) Reap's liability for unauthorized disclosure of Customer Data caused by Reap's failure to comply with Section 4.4 (Data Security).

9. INDEMNIFICATION

• 9.1 By Customer.Customer shall indemnify, defend, and hold harmless Reap and its officers, directors, employees, and agents against any third-party claims, losses, damages, and expenses (including reasonable attorneys' fees) arising from:
  • Customer's use of the Services in violation of this Agreement;
  • The content, accuracy, or legality of Customer Data;
  • Any breach of HIPAA not attributable to Reap;
  • Customer's negligent or willful acts or omissions regarding the security of their access credentials; or
  • Customer's violation of Applicable Healthcare Laws to the extent not caused by Reap's acts or omissions.
• 9.2 By Reap.Reap shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, and agents against any third-party claims, losses, damages, and expenses (including reasonable attorneys' fees) arising from:
  • (a) Claims that the Services infringe a third party's intellectual property rights;
  • (b) Any breach of the BAA or HIPAA attributable to Reap's acts or omissions; or
  • (c) Reap's gross negligence or willful misconduct in the performance of its obligations under this Agreement.
• 9.3 Indemnification Procedures.The party seeking indemnification ("Indemnified Party") shall: (a) promptly notify the indemnifying party ("Indemnifying Party") in writing of any claim (provided that failure to provide prompt notice shall not relieve the Indemnifying Party of its obligations except to the extent it is materially prejudiced by such failure); (b) grant the Indemnifying Party sole control of the defense and settlement of the claim; and (c) provide reasonable cooperation at the Indemnifying Party's expense. The Indemnifying Party shall not settle any claim in a manner that imposes obligations on the Indemnified Party or admits fault on behalf of the Indemnified Party without the Indemnified Party's prior written consent.

10. GENERAL

• 10.1 Assignment.Neither party may assign this Agreement without the other's prior written consent, except in connection with a merger or sale of all or substantially all assets, provided that the assignee agrees in writing to be bound by the terms of this Agreement.
• 10.2 Governing Law and Judicial Venue. This Agreement shall be governed by the laws of the State of Florida, without regard to its conflict of laws principles. The exclusive jurisdiction and venue for any judicial proceeding related to the enforcement or confirmation of an arbitration award, or for any action seeking injunctive relief or equitable remedies (which are excluded from arbitration), shall be the state or federal courts located in Miami-Dade County, Florida, and each party hereby consents to the exclusive jurisdiction and venue of such courts.
• 10.3 Dispute Resolution and Binding Arbitration.
  • (a) Escalation. Prior to initiating any formal dispute resolution proceeding, the parties shall attempt to resolve the dispute through good-faith negotiation between senior representatives of each party for a period of at least thirty (30) days following written notice of the dispute.
  • (b) Mediation. If the dispute is not resolved through negotiation, the parties shall attempt to resolve the dispute through mediation administered by the American Arbitration Association ("AAA") under its Commercial Mediation Procedures for a period of at least thirty (30) days before initiating arbitration.
  • (c) Arbitration. Any dispute, controversy, or claim not resolved through negotiation or mediation shall be finally settled by binding arbitration administered by the AAA under its Commercial Arbitration Rules. The arbitration shall be conducted by a single arbitrator in Miami-Dade County, Florida. The award rendered by the arbitrator shall be final, and judgment may be entered upon it in any court having jurisdiction.
  • (d) Class Action Waiver. The parties agree that all claims must be brought in the parties' individual capacity, and not as a plaintiff or class member in any purported class or representative proceeding.
• 10.4 Force Majeure. Neither party shall be liable to the other for any delay or failure to perform any obligation under this Agreement (except for payment obligations) if the delay or failure is due to events which are beyond the reasonable control of such party, including but not limited to, strikes, shortages, riots, acts of war, government action, natural disasters, epidemics or pandemics, or interruption of internet services or utility services. The affected party shall provide prompt notice to the other party and use commercially reasonable efforts to mitigate the effect of the force majeure event. If a force majeure event continues for more than ninety (90) days, either party may terminate this Agreement upon written notice.
• 10.5 Audit Rights.
  • (a) Reap's Audit Right. Customer agrees that Reap may, upon at least thirty (30) days' written notice and no more than once per twelve (12) month period, audit Customer's use of the Services to ensure compliance with this Agreement. Customer shall provide reasonable assistance in connection with any audit. If an audit reveals that Customer has underpaid fees to Reap by five percent (5%) or more, Customer shall pay Reap for the reasonable costs of the audit in addition to any underpaid fees.
  • (b) Customer's Audit Right. Customer may, upon at least thirty (30) days' written notice and no more than once per twelve (12) month period, audit or engage an independent third-party auditor (subject to reasonable confidentiality obligations) to audit Reap's compliance with its obligations under this Agreement, including data security and HIPAA obligations. Such audit shall be conducted during normal business hours at Customer's expense, except that if the audit reveals a material breach of Reap's obligations, Reap shall bear the reasonable costs of the audit.
• 10.6 Publicity.Reap may use Customer's name and logo on Reap's website and in marketing materials to identify Customer as a customer of Reap only with Customer's prior written consent, which may be given or withheld in Customer's sole discretion. Reap shall cease using such name and logo promptly upon Customer's written request.
• 10.7 Entire Agreement. This Agreement (including any Order Forms, Exhibits, and the BAA) constitutes the entire agreement and supersedes all prior agreements.
• 10.8 Amendments.Reap may update these Terms from time to time. For any material changes (including changes to pricing, liability limitations, data rights, or termination provisions), Reap shall provide Customer with at least thirty (30) days' prior written notice describing the changes. Material changes shall require Customer's affirmative written consent. If Customer does not consent to a material change, Customer may terminate this Agreement upon written notice within thirty (30) days of receiving notice of the change, and Reap shall refund any prepaid fees covering the period after the effective date of termination on a pro-rata basis. Non-material changes (such as corrections, clarifications, or formatting updates) shall be effective upon posting to Reap's website.
• 10.9 Notices. All notices required or permitted under this Agreement shall be in writing and shall be deemed given when: (a) delivered personally; (b) sent by email with confirmed receipt; or (c) sent by nationally recognized overnight courier, addressed to the applicable party at the address set forth in the Order Form or such other address as may be designated in writing.
• 10.10 Regulatory Severability and Reformation. If any provision of this Agreement is determined by a court of competent jurisdiction, governmental agency, or regulatory body to violate any Applicable Healthcare Law, such provision shall be automatically reformed to the minimum extent necessary to bring it into compliance with such law while preserving the original economic intent of the parties to the maximum extent permissible. The invalidity or unenforceability of any provision shall not affect the validity or enforceability of any other provision of this Agreement, and the remaining provisions shall continue in full force and effect. In the event any provision cannot be reformed to achieve compliance, such provision shall be severed and the parties shall negotiate in good faith to replace it with a lawful provision that achieves substantially the same economic result.

11. ACCEPTABLE USE

• 11.1 Compliance and Usage Restrictions. Customer agrees not to use the Services for any purpose that is prohibited by law or this Agreement. Without limiting the generality of the foregoing, Customer shall not, and shall not permit any Authorized User or third party to:
  • Attempt to access or search the Services using any engine, software, tool, or agent (e.g., bots, spiders) other than those provided or authorized by Reap;
  • Transmit or upload any data that infringes the intellectual property or privacy rights of any individual or third party;
  • Introduce malicious software, code, or any material intended to damage or interfere with the Services;
  • Use the Services in any way that could disrupt, disable, or interfere with the functioning of the platform;
  • Use the Services to transmit unsolicited or unauthorized advertising or promotional materials; or
  • Misrepresent your identity or affiliation when using the Services.
• 11.2 Investigations and Enforcement.Reap reserves the right to investigate and take appropriate legal action against any user who, in Reap's reasonable determination, violates this Acceptable Use Policy, including suspension or termination of access to the Services. Reap shall provide Customer with written notice and a reasonable opportunity to cure any violation (except where immediate action is necessary to prevent harm to the Services, other customers, or third parties) before suspending or terminating access.

Exhibit A — Business Associate Agreement (BAA)

HIPAA BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("BA Agreement") is entered into as of the Effective Date of the Agreement by and between the undersigned customer ("Customer") and Reap Tech, Inc. ("Business Associate"), a Florida corporation. This BA Agreement governs the handling of Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the HITECH Act and related regulations.

1. DEFINITIONS

Capitalized terms not defined in this BA Agreement shall have the meanings set forth in HIPAA. "Services Agreement" refers to any agreement under which Business Associate provides services to Customer involving PHI.

2. OBLIGATIONS OF BUSINESS ASSOCIATE

• Use/disclosure only as permitted by agreement or law
• Implement required administrative, physical, and technical safeguards, including encryption of PHI at rest (AES-256 or equivalent) and in transit (TLS 1.2 or higher)
• Report breaches or security incidents to Customer within twenty-four (24) hours of discovery, followed by formal notification within the timeframe required by HIPAA/HITECH (45 CFR § 164.404)
• Notify of unauthorized uses/disclosures
• Comply with minimum necessary standards
• Cooperate in breach mitigation and response
• Ensure subcontractor compliance through written agreements containing substantially similar obligations
• Clarify scope for third-party integrations
• Provide access and amendment to Designated Record Sets
• Make books/records available for audit
• Account for disclosures to Customer on request
• Maintain a log of security incidents and provide a summary report to Customer upon request, no less than annually

3. PERMITTED USES AND DISCLOSURES

• As required to perform under the Services Agreement
• For internal operations and legal duties
• Disclosure if required by law or under protective conditions
• For data aggregation or de-identified information creation, subject to the de-identification requirements in Section 4.2 of the Agreement

4. OBLIGATIONS OF CUSTOMER

• Disclose only minimum necessary PHI
• Maintain required consents and authorizations
• Notify of restrictions or permission changes
• Avoid PHI in prohibited storage areas (logs, env vars, etc.)

5. TERM AND TERMINATION

• Agreement continues until PHI is returned or destroyed
• Either party may terminate for uncured material breach (30-day notice)
• If infeasible to destroy PHI, protections must continue indefinitely
• Upon termination, Business Associate shall return or destroy all PHI within ninety (90) days and certify destruction in writing, except where retention is required by law

6. COMPLIANCE WITH TRANSACTION STANDARDS

Business Associate shall comply with HIPAA transaction and code set rules (45 CFR Part 162) and ensure subcontractors do the same.

7. MISCELLANEOUS

• HIPAA citations shall include updated versions
• Amendments shall be made as required to maintain compliance
• BA Agreement survives termination as needed
• If conflicts exist with the Services Agreement, this BA Agreement governs for matters related to PHI
• Governed by the laws of Florida unless otherwise stated