HIPAA Business Associate Agreement · Standard Form
Business Associate Agreement
Between Minds Awakened, LLC — operator of PathwayNotes, and the Covered Entity that accepts this Agreement.
This Business Associate Agreement (the "Agreement") is entered into as of the date the Covered Entity accepts this Agreement through the PathwayNotes application (the "Effective Date") by and between Minds Awakened, LLC, a Texas limited liability company with its principal place of business at 12807 Haynes Rd Bldg C1, Houston, TX 77066 ("Business Associate" or "BA"), and the legal entity that has accepted this Agreement through the PathwayNotes application ("Covered Entity" or "CE"). Business Associate and Covered Entity are sometimes referred to individually as a "Party" and collectively as the "Parties."
RECITALS
WHEREAS, Covered Entity is a health care provider that creates, receives, maintains, and transmits Protected Health Information in connection with the delivery of mental health services and is a "covered entity" as defined under HIPAA;
WHEREAS, Business Associate owns and operates PathwayNotes, a HIPAA-compliant software-as-a-service application that provides between-session client engagement features, including but not limited to client journaling, AI-generated reflections and summaries, evolving client profiles, and clinician-to-client messaging, together with any successor, derivative, or related products and services offered by Business Associate (collectively, the "Services");
WHEREAS, the Services depend on the use of artificial intelligence and machine learning models, the development, training, evaluation, and continuous improvement of which are core, integral, and essential to Business Associate's ability to provide the Services to Covered Entity and to all of Business Associate's other customers;
WHEREAS, in providing the Services to Covered Entity, Business Associate will create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity, and accordingly is a "business associate" as defined under HIPAA;
WHEREAS, the Parties wish to enter into this Agreement to comply with the requirements of HIPAA, the HITECH Act, the HIPAA Omnibus Rule, and the regulations promulgated thereunder, including but not limited to 45 CFR §§ 164.502(e) and 164.504(e), and to allocate commercial risk between them in a clear and enforceable manner;
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
SECTION 1 Definitions
Capitalized terms used in this Agreement and not otherwise defined herein shall have the meanings ascribed to them under HIPAA. The following terms shall have the meanings set forth below:
"Affiliate," with respect to a Party, means any entity that directly or indirectly controls, is controlled by, or is under common control with such Party, where "control" means ownership of more than fifty percent (50%) of the voting equity or the power to direct management.
"Breach" shall have the same meaning as the term in 45 CFR § 164.402, namely the unauthorized acquisition, access, use, or disclosure of Protected Health Information that compromises the security or privacy of such information, except as excluded under that section. A Breach is not deemed to have occurred unless and until a risk assessment in accordance with Section 3.4(d) concludes that an impermissible use or disclosure constitutes a Breach.
"Confidential Information" means non-public information of a Party, including but not limited to security designs, audit reports, risk analyses, subcontractor lists, pricing, customer lists, source code, model architectures and weights, and the terms of this Agreement.
"Designated Record Set" shall have the same meaning as the term in 45 CFR § 164.501.
"De-Identified Data" means information that has been de-identified in accordance with 45 CFR § 164.514(a)–(b) by either the Safe Harbor method or the Expert Determination method, at Business Associate's election. De-Identified Data is not PHI and is not subject to the restrictions of this Agreement.
"Disclosure" shall have the same meaning as the term in 45 CFR § 160.103.
"Electronic Protected Health Information" or "ePHI" shall have the same meaning as the term in 45 CFR § 160.103.
"HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended, and the regulations promulgated thereunder, including the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule, as further amended by HITECH and the HIPAA Omnibus Rule.
"Individual" shall have the same meaning as the term in 45 CFR § 160.103, and shall include a personal representative under 45 CFR § 164.502(g).
"Model Outputs" means data, inferences, parameters, weights, embeddings, or other artifacts generated by Business Associate's artificial intelligence or machine learning systems, whether or not derived in whole or in part from PHI. Model Outputs that do not themselves contain PHI are not PHI for purposes of this Agreement.
"Protected Health Information" or "PHI" shall have the same meaning as the term in 45 CFR § 160.103, but is limited to information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in connection with the Services. PHI does not include De-Identified Data or Model Outputs that do not themselves contain PHI.
"Required by Law" shall have the same meaning as the term in 45 CFR § 164.103.
"Secretary" means the Secretary of the U.S. Department of Health and Human Services or their designee.
"Security Incident" shall have the same meaning as the term in 45 CFR § 164.304, except that, consistent with HHS commentary at 78 Fed. Reg. 5566, "Security Incident" excludes Unsuccessful Security Incidents (defined below), which shall not require individualized notice.
"Subcontractor" means any person or entity to whom Business Associate delegates a function, activity, or service involving the use or disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity.
"Successful Security Incident" means a Security Incident that results in unauthorized access to, or unauthorized acquisition, use, disclosure, modification, or destruction of, PHI.
"Unsuccessful Security Incident" means a Security Incident that does not result in unauthorized access to PHI, including pings, port scans, unsuccessful log-on attempts, denial-of-service attempts that do not result in unauthorized access, malware not introduced into BA systems, and similar events that are part of the routine operation of information systems on the public internet.
"Unsecured PHI" shall have the same meaning as the term in 45 CFR § 164.402.
"Use" shall have the same meaning as the term in 45 CFR § 160.103.
SECTION 2 Permitted Uses and Disclosures of PHI by Business Associate
2.1 Performance of Services.
Business Associate may use and disclose PHI as necessary to perform the Services for, or on behalf of, Covered Entity, as set forth in any underlying service agreement between the Parties, as permitted or required by this Agreement, or as Required by Law.
2.2 Operation, Maintenance, and Improvement of the Services; AI/ML Use.
Covered Entity expressly acknowledges and agrees that artificial intelligence and machine learning features are core, integral functionality of the Services, and that operating, hosting, maintaining, debugging, monitoring, improving, developing, training, evaluating, fine-tuning, and refining such features is necessary for Business Associate to perform the Services within the meaning of 45 CFR § 164.504(e)(2)(i)(A) and (B). Without limiting the foregoing:
(a) Business Associate may use PHI to operate, host, maintain, debug, monitor, and improve the Services.
(b) Business Associate may use PHI to train, evaluate, fine-tune, and improve the artificial intelligence and machine learning models that power the Services, provided that PHI used to train models that will be deployed or exposed to any other Covered Entity shall first be de-identified in accordance with 45 CFR § 164.514(a)–(b) by either the Safe Harbor method or the Expert Determination method, at Business Associate's election.
(c) Business Associate may perform customer-specific model fine-tuning that occurs solely within the boundary of Covered Entity's deployment using PHI of Covered Entity's Individuals without de-identification.
(d) Model Outputs, including model parameters and weights, that do not themselves contain PHI are not PHI and are the sole and exclusive property of Business Associate.
(e) Covered Entity represents, warrants, and covenants on a continuing basis that its Notice of Privacy Practices clearly and conspicuously discloses the use of artificial intelligence and machine learning in connection with treatment, payment, and health care operations through third-party software, and that all Individual authorizations required under HIPAA or applicable state mental-health confidentiality law have been obtained.
2.3 Management and Administration; Legal Responsibilities.
Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities. Business Associate may disclose PHI for such purposes only if (a) the disclosure is Required by Law, or (b) Business Associate obtains reasonable written assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any breach of confidentiality.
2.4 Data Aggregation.
Business Associate may use PHI to provide Data Aggregation services as permitted by 45 CFR § 164.504(e)(2)(i)(B).
2.5 De-Identification; Ownership of De-Identified Data and Model Outputs.
Business Associate may de-identify PHI in accordance with 45 CFR § 164.514(a)–(b) by either the Safe Harbor method or the Expert Determination method, at Business Associate's election. Notwithstanding any other provision of this Agreement, De-Identified Data, aggregate statistics, benchmarks, research outputs, training datasets, model parameters, model weights, embeddings, and other Model Outputs derived in whole or in part from de-identified PHI:
(a) are not PHI;
(b) are the sole and exclusive property of Business Associate;
(c) may be used, retained, licensed, transferred, sold, and disclosed by Business Associate for any lawful purpose; and
(d) shall not be subject to return, destruction, recall, retraining, or any other obligation under Section 5.3 or any other provision of this Agreement upon termination or expiration of this Agreement.
2.6 Minimum Necessary.
Business Associate shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of any use, disclosure, or request, in accordance with 45 CFR § 164.502(b) and § 164.514(d).
2.7 Prohibited Uses.
Business Associate shall not (a) sell PHI in violation of 45 CFR § 164.502(a)(5)(ii); (b) use or disclose PHI for marketing purposes in violation of 45 CFR § 164.508(a)(3); or (c) use PHI in any other manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity. For clarity, the use of PHI for the operation, maintenance, training, and improvement of the Services as permitted in Section 2.2 is not the "sale" of PHI and is not "marketing."
SECTION 3 Obligations of Business Associate
3.1 Compliance with Law.
Business Associate shall comply with all provisions of HIPAA applicable to business associates under HITECH and the HIPAA Omnibus Rule.
3.2 Safeguards; Standard of Care.
Business Associate shall use reasonable and appropriate administrative, physical, and technical safeguards consistent with industry standards for similarly situated software-as-a-service providers serving health care customers, and shall comply with Subpart C of 45 CFR Part 164 with respect to ePHI. Such safeguards shall include, at a minimum, encryption of ePHI in transit and at rest, access controls, audit logging, workforce training, and a written information security program. Business Associate is not a guarantor of security and shall not be deemed to have breached this Section 3.2 solely because a Security Incident occurs, provided Business Associate has implemented and maintained such reasonable safeguards.
3.3 Reporting.
(a) Business Associate shall report Breaches of Unsecured PHI as set forth in Section 3.4.
(b) Business Associate shall report Successful Security Incidents of which it becomes aware without unreasonable delay and in no event later than ten (10) business days after discovery.
(c) Unsuccessful Security Incidents shall be reported in the aggregate, on a quarterly basis, upon Covered Entity's reasonable written request, and this Section 3.3(c) shall constitute ongoing notice of all such Unsuccessful Security Incidents.
3.4 Breach Notification.
(a) Following discovery of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity in writing without unreasonable delay and in no case later than sixty (60) calendar days after discovery.
(b) The notification shall include, to the extent reasonably available at the time of notice, the information required under 45 CFR § 164.410(c). Business Associate may supplement the notification as additional information becomes available.
(c) Business Associate shall reasonably cooperate with Covered Entity in investigating the Breach and in meeting Covered Entity's notification obligations under 45 CFR §§ 164.404 and 164.408.
(d) Risk Assessment; Determination of Breach. Business Associate shall have the primary responsibility, in consultation with Covered Entity, to conduct the risk assessment required under 45 CFR § 164.402. In the event of unresolved disagreement, the matter shall be submitted to expedited dispute resolution under Section 10.13, and neither Party shall make any public notification, Individual notification, media notification, or notification to the Secretary in advance of resolution, except where notification is Required by Law and cannot reasonably be deferred.
(e) Allocation of Breach Response Costs. Costs of Breach response (including without limitation forensics, Individual notification, media notification, credit monitoring or identity theft protection services, regulatory response, defense costs, settlements, and fines) shall be borne by the Party whose acts or omissions caused the Breach. Business Associate shall not be responsible for any costs arising from: (i) the compromise of credentials of Covered Entity's workforce; (ii) Covered Entity's failure to use the Services in conformance with Business Associate's documentation; (iii) Covered Entity's failure to enforce its own information security policies; (iv) Covered Entity's submission of PHI to the Services in violation of HIPAA or applicable law; or (v) the acts or omissions of Covered Entity's workforce, subcontractors, vendors, or agents. All cost allocations under this Section 3.4(e) are subject to the Limitation of Liability in Section 7.
(f) Force Majeure Carve-Out. Business Associate shall not be liable for, and shall not be deemed to have caused, a Breach to the extent the Breach is caused by a Force Majeure Event under Section 10.10, including without limitation sophisticated cyberattacks (such as zero-day exploits or nation-state attacks) occurring despite Business Associate's implementation of safeguards consistent with industry standard.
3.5 Subcontractors.
In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to substantially the same restrictions, conditions, and obligations that apply to Business Associate under this Agreement. Covered Entity shall have no approval right over, and no veto right with respect to, Business Associate's selection of Subcontractors. Upon Covered Entity's reasonable written request, not more frequently than once per calendar year (except in connection with a documented Security Incident), Business Associate shall provide a list of categories of Subcontractors that process PHI; such list is Business Associate's Confidential Information.
3.6 Access to PHI in Designated Record Set.
To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity within fifteen (15) business days of receipt of a written request from Covered Entity, in order to meet Covered Entity's obligations under 45 CFR § 164.524. Business Associate shall not respond to access requests received directly from Individuals; all such requests must be channeled through Covered Entity. Business Associate shall be entitled to reasonable reimbursement at its then-current rates for time and expenses incurred in responding to unduly burdensome, voluminous, or repetitive requests.
3.7 Amendment of PHI.
Business Associate shall make amendments to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526 within thirty (30) days of receipt of a written request from Covered Entity. The cost-reimbursement provisions of Section 3.6 apply to requests under this Section 3.7.
3.8 Accounting of Disclosures.
Business Associate shall document such disclosures of PHI as would be required for Covered Entity to respond to a request for an accounting under 45 CFR § 164.528, and shall provide such information to Covered Entity within thirty (30) days of receipt of a written request. The cost-reimbursement provisions of Section 3.6 apply.
3.9 Access by the Secretary; Multi-Tenant Protections.
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining Covered Entity's compliance with HIPAA. In connection with any such request: (a) Business Associate may redact or withhold from production any information relating to other customers or that constitutes its trade secrets or Confidential Information not material to the inquiry; (b) Business Associate may require execution of a protective order; and (c) Covered Entity shall reimburse Business Associate's reasonable costs of compliance, unless the inquiry was triggered by Business Associate's own willful misconduct or material breach.
3.10 Mitigation.
Business Associate shall mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI by Business Associate in material violation of this Agreement. Mitigation obligations and costs are subject to the Limitation of Liability in Section 7.
3.11 Workforce Training.
Business Associate shall provide HIPAA Privacy and Security training to its workforce members who have access to PHI, in such format, frequency, and content as Business Associate determines in its discretion consistent with industry standards.
3.12 Risk Analysis; Confidentiality of Security Documentation.
Business Associate shall conduct an accurate and thorough risk analysis under 45 CFR § 164.308(a)(1). Business Associate's risk analysis, audit reports, penetration test results, and similar documentation are Business Associate's Confidential Information and trade secrets, and shall not be disclosed to Covered Entity except as Required by Law. In lieu of such disclosure, Business Associate may, upon Covered Entity's reasonable annual written request, provide a current SOC 2 Type II report or equivalent third-party attestation, subject to confidentiality obligations.
3.13 No On-Site Audit Right.
Except as Required by Law, Covered Entity shall have no right to conduct on-site inspections or audits of Business Associate's facilities, systems, books, or records. Provision of a SOC 2 Type II report per Section 3.12 satisfies any audit-related obligation of Business Associate to Covered Entity.
SECTION 4 Obligations of Covered Entity
4.1 Notice of Privacy Practices.
Covered Entity shall provide Business Associate with the Notice of Privacy Practices it produces in accordance with 45 CFR § 164.520, and any changes to such Notice. Covered Entity warrants that its Notice of Privacy Practices specifically and conspicuously discloses (a) the use of third-party software-as-a-service vendors in connection with treatment, payment, and health care operations; (b) the use of artificial intelligence and machine learning in connection with such software; and (c) the categories of Individual information that may be processed by such software.
4.2 Permissible Requests.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, except as expressly permitted under this Agreement.
4.3 Restrictions and Authorizations.
Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices, changes in or revocation of permission by an Individual, and restrictions agreed to under 45 CFR § 164.522 that may affect Business Associate's permitted uses or disclosures.
4.4 Authority to Disclose; Consents.
Covered Entity represents, warrants, and covenants on a continuing basis that:
(a) it has obtained all authorizations, consents, and waivers from Individuals required under HIPAA and applicable state mental-health confidentiality law (including but not limited to Tex. Health & Safety Code § 611, Cal. CMIA, N.Y. MHL § 33.13, 42 CFR Part 2 where applicable, and any successor or analogous law) to permit Business Associate to perform the Services;
(b) its Notice of Privacy Practices discloses Business Associate's role and the use of AI-driven features of the Services as set forth in Section 4.1;
(c) it has informed Individuals that journaling, AI-generated reflections, evolving client profiles, clinician messaging, and other features of the Services will process their information;
(d) where Individuals are minors, all required consents have been obtained from the parents or legal guardians; and
(e) Covered Entity will not submit to the Services any information that it is not authorized to submit under HIPAA or applicable state law.
4.5 Workforce Discipline.
Covered Entity shall maintain reasonable workforce policies and disciplinary procedures with respect to access to and use of the Services, including password security, multi-factor authentication, and prompt termination of access for departing workforce members.
4.6 Notice of Investigation.
Covered Entity shall promptly notify Business Associate of any governmental investigation, subpoena, complaint, or civil action that relates to PHI processed by Business Associate or to Business Associate's performance under this Agreement.
SECTION 5 Term and Termination
5.1 Term.
This Agreement commences on the Effective Date and continues in effect until terminated as provided in this Section 5, or until such time as all PHI is destroyed or returned in accordance with Section 5.3.
5.2 Termination for Cause.
(a) Either Party may terminate this Agreement upon thirty (30) days' prior written notice if the other Party materially breaches a material term of this Agreement and fails to cure such breach within such thirty (30) day period. If, after good-faith consultation and a written explanation, cure is not feasible, the terminating Party may terminate upon ten (10) business days' written notice.
(b) Termination by Business Associate. In addition to its rights under Section 5.2(a), Business Associate may terminate this Agreement, the underlying service agreement, or both, immediately upon written notice if Covered Entity: (i) breaches Section 4.4; (ii) fails to pay undisputed fees when due and such failure continues for more than fifteen (15) days after notice; (iii) instructs Business Associate to use or disclose PHI in violation of HIPAA or applicable state law; (iv) is the subject of an OCR enforcement action that materially affects Business Associate's continued performance or reputation; (v) becomes insolvent or is the subject of a bankruptcy proceeding; or (vi) is involved in any matter that materially harms Business Associate's reputation or the reputation of the Services.
(c) If neither cure nor termination is feasible, the non-breaching Party shall report the breach or violation to the Secretary to the extent required by 45 CFR § 164.504(e)(1)(ii).
5.3 Effect of Termination.
(a) Upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or destroy all PHI that Business Associate still maintains in any form, and shall retain no copies of such PHI, except as set forth in Section 5.3(d).
(b) If return or destruction is infeasible, Business Associate shall (i) extend the protections of this Agreement to such PHI, (ii) limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible, and (iii) notify Covered Entity in writing of the conditions making return or destruction infeasible.
(c) Business Associate shall ensure that the obligations of this Section 5.3 also extend to PHI held by its Subcontractors.
(d) Carve-Outs. Notwithstanding Section 5.3(a), Business Associate may retain, and shall not be required to return or destroy: (i) PHI contained in immutable or routine backup media until cycled out of Business Associate's standard backup rotation, not to exceed twelve (12) months; (ii) PHI whose retention is Required by Law or is required by audit, regulatory, accreditation, or litigation-hold obligations; (iii) De-Identified Data, aggregate statistics, training datasets that have been de-identified, and Model Outputs (including model parameters and weights); (iv) customer support records, billing and accounting records, and security logs that incidentally reference PHI; and (v) PHI commingled with information Business Associate is required to retain.
(e) Business Associate shall use reasonable efforts to provide Covered Entity with a one-time data export prior to termination upon written request, subject to reimbursement of Business Associate's reasonable export costs. If Covered Entity does not request and pay for an export within thirty (30) days after termination, Business Associate may destroy all PHI without further notice.
(f) Upon Covered Entity's written request, Business Associate shall provide written certification of the return or destruction of PHI.
SECTION 6 Artificial Intelligence and Machine Learning Provisions
6.1 Acknowledgment.
Covered Entity acknowledges and agrees that artificial intelligence and machine learning features are a core, integral, and essential component of the Services, and that Business Associate's ability to perform the Services for Covered Entity and for all of its other customers depends on Business Associate's ability to develop, train, evaluate, fine-tune, and improve its models on an ongoing basis.
6.2 Permitted AI/ML Activities.
Without limiting Section 2.2, Business Associate may use PHI to (a) generate Model Outputs in the ordinary course of providing the Services; (b) evaluate model performance; (c) detect and remediate bias, hallucination, drift, or other model defects; (d) perform safety and red-team testing; (e) conduct quality assurance and benchmarking; and (f) develop new features and services.
6.3 Ownership.
Business Associate is the sole and exclusive owner of all right, title, and interest in and to its artificial intelligence and machine learning models, including all model parameters, weights, embeddings, architectures, training datasets that have been de-identified, fine-tuning datasets that have been de-identified, and Model Outputs that do not themselves contain PHI.
6.4 Outputs to Individuals.
Where the Services generate AI-driven outputs that are delivered to Individuals, Covered Entity bears sole clinical responsibility for the use of such outputs in connection with treatment. Business Associate is not engaged in the practice of medicine, psychology, counseling, or any other licensed clinical activity. Covered Entity shall provide appropriate disclosures to Individuals regarding the AI-driven nature of such outputs.
6.5 No Diagnosis or Treatment.
The Services are administrative and engagement tools. Business Associate makes no representation or warranty that the Services will diagnose, treat, cure, or prevent any mental health condition, and disclaims any responsibility for clinical outcomes.
SECTION 7 Limitation of Liability
7.1 Exclusion of Indirect Damages.
EXCEPT FOR LIABILITY ARISING FROM A PARTY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITY, LOST DATA, OR LOSS OF GOODWILL, ARISING OUT OF OR RELATING TO THIS AGREEMENT, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF SUCH DAMAGES WERE FORESEEABLE.
7.2 Liability Cap.
EXCEPT FOR LIABILITY ARISING FROM A PARTY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, EACH PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT, STATUTE, OR OTHERWISE, SHALL NOT EXCEED THE GREATER OF (A) THE TOTAL FEES PAID OR PAYABLE BY COVERED ENTITY TO BUSINESS ASSOCIATE UNDER THE UNDERLYING SERVICE AGREEMENT IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY, OR (B) ONE HUNDRED THOUSAND U.S. DOLLARS ($100,000).
7.3 HIPAA Penalties.
Each Party shall be solely responsible for civil monetary penalties or other regulatory sanctions imposed on it directly by the Secretary, the relevant state attorney general, or any other governmental authority, except to the extent that such penalties or sanctions are caused by the other Party's gross negligence or willful misconduct, in which case the indemnification provisions of Section 8 shall apply, subject to the cap in Section 7.2.
7.4 Essential Element.
The Parties acknowledge that the limitations in this Section 7 are an essential element of the bargain between them, are reflected in the pricing of the Services, and shall apply notwithstanding the failure of any limited or exclusive remedy of its essential purpose.
SECTION 8 Indemnification
8.1 Indemnification by Business Associate.
Business Associate shall defend, indemnify, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against third-party claims, and resulting losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) to the extent caused by Business Associate's gross negligence, willful misconduct, or material breach of this Agreement.
8.2 Indemnification by Covered Entity.
Covered Entity shall defend, indemnify, and hold harmless Business Associate and its Affiliates, officers, directors, employees, agents, and Subcontractors from and against third-party claims, and resulting losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) to the extent arising from or relating to:
(a) Covered Entity's breach of Section 4.4 (Authority to Disclose; Consents), including any failure to obtain Individual authorizations required under HIPAA or applicable state law;
(b) Covered Entity's Notice of Privacy Practices failing to disclose AI-driven processing, third-party software-as-a-service vendors, or any other matter required to be disclosed;
(c) Covered Entity's instructions, directions, or requests to Business Associate regarding PHI;
(d) Covered Entity's underlying treatment relationship with any Individual, including any claim of malpractice, negligence, or clinical harm;
(e) the acts or omissions of Covered Entity's workforce, agents, or vendors, including credential compromise, password sharing, or unauthorized account use;
(f) Covered Entity's submission to the Services of information that Covered Entity was not authorized to submit under HIPAA or applicable state or federal law (including 42 CFR Part 2 where applicable); and
(g) any claim by an Individual or third party premised on Covered Entity's use of the Services in a manner inconsistent with Business Associate's documentation.
8.3 Indemnification Procedure.
The indemnified Party shall (a) give the indemnifying Party prompt written notice of any claim, (b) grant the indemnifying Party sole control of the defense and settlement (provided that no settlement imposes liability on the indemnified Party without its consent), and (c) provide reasonable cooperation at the indemnifying Party's expense.
8.4 Interaction with Limitation of Liability.
The indemnification obligations under this Section 8 are subject to the Limitation of Liability in Section 7, except that Covered Entity's indemnification obligations under Section 8.2 are not subject to the cap in Section 7.2 to the extent they relate to (i) Covered Entity's breach of Section 4.4, (ii) failure to obtain Individual consents, or (iii) Covered Entity's underlying treatment relationship.
SECTION 9 Insurance
Each Party shall maintain at its own expense, throughout the term of this Agreement and for two (2) years thereafter:
(a) Cyber liability and data breach insurance with limits of not less than two million dollars ($2,000,000) per occurrence and five million dollars ($5,000,000) in the aggregate;
(b) Commercial general liability insurance with limits of not less than one million dollars ($1,000,000) per occurrence and two million dollars ($2,000,000) in the aggregate; and
(c) For Covered Entity, professional liability (errors and omissions / malpractice) insurance appropriate to its practice with limits of not less than one million dollars ($1,000,000) per occurrence and three million dollars ($3,000,000) in the aggregate.
Each Party waives its rights of subrogation against the other to the extent of insurance proceeds actually received.
SECTION 10 Miscellaneous
10.1 Regulatory References.
A reference in this Agreement to a section in HIPAA, HITECH, or any related regulation means the section as in effect or as amended.
10.2 Amendment.
The Parties shall amend this Agreement as necessary for compliance with HIPAA and other applicable law. Business Associate may amend this Agreement upon thirty (30) days' prior notice to Covered Entity (delivered electronically through the Services or to Covered Entity's email of record) to (a) reflect changes in HIPAA, HITECH, or other applicable law, or (b) refine commercial terms applicable to all customers, provided that no amendment may materially reduce Covered Entity's rights without Covered Entity's consent (which may be evidenced by continued use of the Services after the notice period). All other amendments require a writing signed by both Parties.
10.3 Survival.
Sections 1, 2.5, 3.4 (for events occurring during the term), 5.3, 6 (with respect to ownership and use of De-Identified Data and Model Outputs), 7, 8, 9 (for the post-termination tail), and this Section 10 shall survive termination of this Agreement.
10.4 Interpretation.
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits each Party to comply with HIPAA. In the event of any conflict between this Agreement and any underlying service agreement, this Agreement shall control solely with respect to the use and disclosure of PHI; the underlying service agreement shall control with respect to all other matters, including fees, payment terms, intellectual property ownership, limitation of liability, indemnification, and termination, unless expressly stated otherwise in this Agreement. Sections 7 and 8 of this Agreement shall control over any conflicting provisions in any underlying service agreement.
10.5 No Third-Party Beneficiaries.
Nothing in this Agreement is intended or shall be deemed to confer any rights, remedies, obligations, or liabilities upon any person other than the Parties and their respective successors and permitted assigns. No Individual shall have any direct right of action against Business Associate under this Agreement.
10.6 Confidentiality of Agreement.
The terms of this Agreement, and each Party's Confidential Information, are confidential. Neither Party shall disclose such information except (a) to its employees, advisors, and insurers on a need-to-know basis under obligations of confidentiality, (b) as Required by Law, or (c) with the other Party's prior written consent.
10.7 Notices.
Any notice required or permitted under this Agreement shall be in writing and shall be delivered by personal delivery, certified mail with return receipt requested, recognized overnight courier, or email (with confirmation of receipt) to the addresses set forth in the preamble or to the email of record in the Services. Notices shall be deemed given on the date of receipt.
10.8 Governing Law; Venue; Jury Waiver.
This Agreement shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of laws principles, except to the extent preempted by federal law. The exclusive venue for any dispute arising out of or relating to this Agreement (other than a request for injunctive relief, which may be brought in any court of competent jurisdiction) shall be the state and federal courts located in Travis County, Texas. EACH PARTY KNOWINGLY, VOLUNTARILY, AND INTENTIONALLY WAIVES ITS RIGHT TO A TRIAL BY JURY OF ANY DISPUTE ARISING OUT OF OR RELATING TO THIS AGREEMENT.
10.9 Entire Agreement.
This Agreement, together with any underlying service agreement between the Parties (including the PathwayNotes Terms of Service in effect at the time of execution), constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous understandings or agreements, written or oral, relating to such subject matter.
10.10 Force Majeure.
Neither Party shall be liable for any failure or delay in performance (other than payment obligations) caused by events beyond its reasonable control, including without limitation acts of God, war, terrorism, pandemic, epidemic, governmental action, labor disputes, internet or utility failures, third-party service provider failures, and sophisticated cyberattacks (including zero-day exploits, supply-chain attacks, and nation-state attacks) that occur despite the Party's implementation of reasonable safeguards consistent with industry standards (each, a "Force Majeure Event"). The affected Party shall use commercially reasonable efforts to mitigate the effect of the Force Majeure Event.
10.11 Assignment.
Neither Party may assign this Agreement without the other Party's prior written consent, except that Business Associate may assign this Agreement, in whole or in part, to an Affiliate or to a successor in connection with a merger, acquisition, reorganization, change of control, or sale of all or substantially all of its assets or the assets of the PathwayNotes business line, without consent. Any purported assignment in violation of this Section is void.
10.12 Electronic Execution; E-SIGN Act.
The Parties consent to the use of electronic signatures and to the formation of this Agreement by electronic means under the Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.) and the Uniform Electronic Transactions Act. Covered Entity's electronic acceptance of this Agreement (whether by click-through, type-to-sign, or recognized e-signature platform) shall have the same legal force and effect as a manual signature. This Agreement may be executed in counterparts, each of which shall be deemed an original.
10.13 Dispute Resolution.
Except for (a) actions seeking injunctive or other equitable relief, and (b) the Breach-determination disputes under Section 3.4(d) (which shall be resolved by expedited mediation administered by JAMS or AAA and concluded within thirty (30) days of submission), any dispute arising out of or relating to this Agreement shall first be submitted to good-faith negotiation for thirty (30) days, then to non-binding mediation administered by JAMS or AAA, and thereafter may be litigated in the courts specified in Section 10.8.
10.14 Severability.
If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be reformed to the minimum extent necessary to make it valid and enforceable while preserving the Parties' original intent.
10.15 Independent Contractors.
The Parties are independent contractors. Nothing in this Agreement creates any agency, partnership, joint venture, or employment relationship.
10.16 Construction.
The headings in this Agreement are for convenience only. "Including" means "including without limitation." No rule of construction against the drafting Party shall apply.
SECTION 11 Acceptance
IN WITNESS WHEREOF, the Parties have caused this Business Associate Agreement to be executed by their duly authorized representatives as of the Effective Date.
This Agreement is accepted electronically within the PathwayNotes application pursuant to Section 10.12. By clicking to accept — or by otherwise electronically accepting through a click-through, type-to-sign, or recognized e-signature method — the individual completing acceptance represents that they are an authorized representative of the Covered Entity and binds the Covered Entity to this Agreement as of the date of acceptance.
At acceptance, the application records the Covered Entity's legal name, the name and title of the accepting representative, the Covered Entity's email of record for notices, and the date and time of acceptance. Together these constitute the Covered Entity's executed acceptance record.
/s/ Authorized Representative of the Covered Entity — electronically accepted