Unless Avytree and the Business have executed a separate Business Associate Agreement, this Business Associate Addendum (the “Addendum”) supplements the underlying agreement, including the Terms of Use, Order Form, Privacy Policy, and Disclosure Statement (collectively “The Agreements”), Avytree, Inc. and its affiliates (“Avytree”, "Company", "We", "Us") and its customer ( “Business”), and is intended to and shall be interpreted to ensure the parties’ compliance with the Health Insurance Portability and Accountability Act and its implementing regulations, 45 C.F.R. Part 164 (collectively “HIPAA Regulations”). The terms in The Agreements shall also apply to the parties’ performance under this Addendum to the extent the terms are not inconsistent with this Addendum.

Terms used, but not otherwise defined in this Addendum, shall have the same meaning as those terms are used in the HIPAA Regulations or in The Agreements.

‍

1. Obligations Of Avytree

1.1 Avytree agrees to not use or disclose Protected Health Information other than as permitted or required by this Addendum or as required by law.

1.2 Avytree agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than as provided for by this Addendum.

1.3 Avytree agrees to report to Business any use or disclosure of the Protected Health Information not provided for by this Addendum of which it becomes aware, including breaches of Unsecured Protected Health Information as required by 45 C.F.R. §164.410. Avytree also agrees to report to Business any security incident, including all data breaches, related to Protected Health Information of which Avytree becomes aware; provided that the reporting requirement shall not apply to routine, unsuccessful security incidents such as port scans, pings, etc., that do not pose a material threat to the Protected Health Information.

1.4 Avytree agrees to provide access, at the request of Business and during normal business hours, to Protected Health Information in a Designated Record Set to Business or, as directed by Business, to an Individual in order to meet the requirements under 45 C.F.R. §164.524, provided that Business delivers to Avytree a written notice at least five (5) business days in advance of requesting such access.

1.5 Avytree agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Business directs or agrees to pursuant to 45 C.F.R. §164.526, at the request of Business or an Individual.

1.6 To the extent Avytree carries out one or more of Business’s obligations under Subpart E of 45 C.F.R. Part 164, Avytree agrees to comply with the requirements of Subpart E that apply to Business in the performance of such obligations.

1.7 Avytree agrees to maintain and, on request of Business, provide to Business documentation necessary to permit Business to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528.‍

‍

2. Permitted Uses And Disclosures By Avytree

2.1 Except as otherwise limited by this Addendum, Avytree may make any uses and disclosures of Protected Health Information necessary to perform the Avytree Services for and on behalf of Business and Member in accordance with the terms of The Agreements and to otherwise meet its obligations under this Addendum.

2.2 Except as otherwise limited in this Addendum, Avytree may use Protected Health Information for the proper management and administration of the Avytree, including internal analytics for Avytree’s own product development, or to carry out the legal responsibilities of Avytree Services.

2.3 Except as otherwise limited in this Addendum, Avytree may disclose Protected Health Information as required by law.

2.4 Except as otherwise limited in this Addendum, Avytree may use Protected Health Information: (i) to provide Data Aggregation Avytree Services relating to the health care operations of Business as permitted by 45 C.F.R. §164.504(e)(2)(i)(B), and (ii) to de identify such Protected Health Information in accordance with 45 C.F.R. 164.514(a) – (c).

‍

3. Obligations Of Business

3.1 If and to the extent that Business has imposed or agreed to any limitation on the use or disclosure of Protected Health Information that is more restrictive than HIPAA, Business shall notify Avytree of any such limitation(s) that Business has imposed.

3.2 Business shall immediately notify Avytree of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Avytree’s use or disclosure of Protected Health Information.

3.3 Business shall not request Avytree to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Regulations if done by the Business, except as permitted by other terms in this Addendum.

‍

4. Term And Termination

4.1 The Term of this Addendum shall be effective upon execution of the Underlying Agreement (“Effective Date”) and shall remain in effect until (i) this Addendum is terminated, and (ii) all Protected Health Information is either returned or destroyed in accordance with Section 4.3.

4.2 This Addendum shall terminate: (i) upon termination of the Underlying Agreement; (ii) upon 30 days’ prior written notice to the breaching party if either party breaches a material term of this Addendum and the breaching party fails to cure the breach by the end of the 30-day notice period; or (iii) the HIPAA Regulations are amended or Business agrees to restrictions on the use or disclosure of Protected Health Information such that Avytree determines that performance of these Terms may cause Avytree to incur unanticipated costs to comply or face adverse regulatory action.

4.3 Upon termination of this Addendum for any reason, Avytree, with respect to Protected Health Information received from Business or created, maintained, or received by Avytree on behalf of Business, shall: 1) Retain only the Protected Health Information which is necessary for Avytree to continue its proper management and administration or to carry out its legal responsibilities; 2) Return to Business or destroy the remaining Protected Health Information that Avytree still maintains in any form; and 3) If and to the extent that such return or destruction is impractical, continue to use appropriate safeguards and comply with the HIPAA Regulations as to any Protected Health Information that Avytree retains.