HIPAA Business Associate Agreement
Scheduling Services
This Business Associate Agreement ("Agreement" or "BAA") is entered into by and between Finit Systems Inc., a corporation organized under the laws of the State of New York and operator of the EZAppointo scheduling platform ("Business Associate," "Finit Systems," "we," "us," or "our"), and the healthcare provider, organization, or customer executing or accepting this Agreement ("Covered Entity").
EZAppointo is a software platform developed, owned, and operated by Finit Systems Inc. All obligations of the Business Associate under this Agreement are those of Finit Systems Inc.
This Agreement is effective as of the Effective Date of the applicable Subscription Agreement, Terms of Service, Master Services Agreement, or other underlying service agreement between the parties ("Underlying Agreement").
1. Purpose
The purpose of this Agreement is to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and the HITECH Act, as applicable to the limited services provided by Finit Systems as Business Associate.
Finit Systems provides EZAppointo as a scheduling and appointment coordination platform, and not as an electronic health record system, medical records repository, medical billing platform, or clinical documentation system.
2. Definitions
Terms used but not otherwise defined in this Agreement shall have the meanings assigned under HIPAA.
2.1 Protected Health Information ("PHI")
For purposes of this Agreement, PHI is limited to information created, received, transmitted, or maintained by Finit Systems on behalf of Covered Entity in connection with scheduling services, including:
- patient first and last name;
- phone number;
- email address;
- appointment scheduling information;
- provider assignment information; and
- appointment timing and availability information.
PHI does not include medical records, diagnoses, treatment histories, prescriptions, laboratory data, imaging, psychotherapy notes, insurance claims data, or clinical charting information, unless voluntarily entered by Covered Entity personnel or end users into open-text fields.
2.2 Security Incident
"Security Incident" shall have the meaning defined under 45 CFR § 164.304.
2.3 Breach
"Breach" shall have the meaning defined under 45 CFR § 164.402.
3. Permitted Uses and Disclosures
Finit Systems may use and disclose PHI solely:
- to provide scheduling and appointment coordination services;
- to operate, maintain, support, secure, and improve the EZAppointo platform;
- as required by law; or
- as otherwise permitted under HIPAA.
Finit Systems shall not use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity.
Consistent with 45 CFR § 164.504(e)(2)(ii)(E), Finit Systems shall request, use, and disclose only the minimum PHI necessary to accomplish the intended purpose of providing the services, consistent with the HIPAA Rules and applicable guidance issued by the Secretary.
4. Limitation of Platform Purpose
Covered Entity acknowledges and agrees that:
- EZAppointo is designed solely for scheduling and appointment coordination functions;
- EZAppointo is not intended to function as an electronic health record system, medical charting system, or long-term PHI repository; and
- Covered Entity shall not intentionally upload or store clinical records, diagnoses, treatment histories, prescriptions, laboratory results, imaging, or other unnecessary medical information within the platform.
Finit Systems does not provide medical advice, diagnosis, treatment recommendations, emergency services, or clinical decision-making functionality.
5. Incidental PHI in Open-Text Fields
Covered Entity acknowledges that patients or users may voluntarily include incidental PHI in appointment notes, intake comments, or other open-text fields despite platform restrictions.
Covered Entity agrees to:
- limit PHI collection to the minimum necessary;
- avoid requesting unnecessary clinical details through scheduling workflows; and
- train its workforce appropriately regarding permissible platform usage.
Finit Systems shall apply HIPAA-compliant safeguards to such incidental PHI to the extent it is received or maintained within the platform.
6. Safeguards
6.1 Administrative, Physical, and Technical Safeguards
Finit Systems shall implement reasonable and appropriate administrative, physical, and technical safeguards designed to protect PHI, including:
- encryption of PHI in transit using TLS;
- encryption of PHI at rest;
- role-based access controls;
- authentication and access management procedures;
- secure backup procedures;
- audit logging and monitoring;
- incident response procedures; and
- workforce confidentiality obligations.
6.2 Compliance and Security Management Services
In support of its administrative safeguards and overall HIPAA compliance program, Finit Systems utilizes the HIPAA compliance and security management services provided by Accountable ("Accountable"). Through these services, Finit Systems administers, maintains, and documents compliance activities, including, without limitation, security risk assessments, policy and procedure management, workforce HIPAA training, vendor and subcontractor management, and ongoing monitoring of its administrative and technical safeguards.
The use of Accountable supplements, and does not limit or replace, Finit Systems' obligations under this Agreement and the HIPAA Rules. To the extent Accountable creates, receives, maintains, or transmits PHI on behalf of Finit Systems in connection with such services, Accountable is engaged as a subcontractor subject to the requirements of Section 7 of this Agreement and applicable HIPAA Rules.
7. Subcontractors
Finit Systems may use subcontractors, subprocessors, cloud hosting providers, infrastructure providers, communication providers, or other third parties in connection with operation of the platform.
Finit Systems shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Finit Systems agrees to implement appropriate safeguards as required by HIPAA, in accordance with 45 CFR §§ 164.314(a) and 164.504(e).
8. Security Incidents and Breach Notification
8.1 Impermissible Use or Disclosure — Reporting
Finit Systems shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement of which Finit Systems becomes aware, without unreasonable delay and in no event later than fifteen (15) business days after discovery, consistent with 45 CFR § 164.504(e)(2)(ii)(C).
8.2 Security Incidents
Finit Systems shall report known Security Incidents involving PHI to Covered Entity within fifteen (15) business days after confirmation of such incident.
The parties acknowledge that this Section constitutes notice of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that do not result in unauthorized access, use, disclosure, modification, loss, or destruction of PHI (such as pings, port scans, unsuccessful log-on attempts, and similar network events). Finit Systems shall provide additional detail regarding such events upon reasonable written request.
8.3 Breach Notification
Finit Systems shall notify Covered Entity without unreasonable delay and no later than sixty (60) calendar days after discovery of a Breach involving unsecured PHI, as required under 45 CFR § 164.410(b).
Such notification shall include, to the extent known:
- the nature of the Breach;
- the categories of information involved;
- corrective actions taken; and
- recommended mitigation steps.
9. Access, Amendment, and Accounting
9.1 Access
To the extent Finit Systems maintains PHI in a Designated Record Set, Finit Systems shall make such PHI available to Covered Entity, in a manner consistent with 45 CFR § 164.524, so that Covered Entity may fulfill Individual access requests. If an Individual submits an access request directly to Finit Systems, Finit Systems shall promptly forward such request to Covered Entity. Covered Entity is responsible for responding to such requests.
9.2 Amendment
To the extent Finit Systems maintains PHI in a Designated Record Set, Finit Systems shall make such PHI available for amendment and shall incorporate amendments as directed by Covered Entity in accordance with 45 CFR § 164.526. If an Individual submits an amendment request directly to Finit Systems, Finit Systems shall promptly forward such request to Covered Entity.
9.3 Accounting of Disclosures
Finit Systems shall document disclosures of PHI and make such documentation available to Covered Entity within ten (10) business days after receipt of a written request, to the extent required for Covered Entity to respond to an accounting of disclosures request under 45 CFR § 164.528. Documentation shall include: (a) the date of the disclosure; (b) the name and address of the recipient; (c) a brief description of the PHI disclosed; and (d) the purpose of and basis for the disclosure. This obligation applies only to disclosures for which accounting is required under HIPAA.
10. Government Access
Finit Systems shall make its internal practices, books, records, policies, and procedures relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules, in accordance with 45 CFR § 164.504(e)(2)(ii)(H). No attorney-client or other legal privilege shall be deemed waived by Finit Systems solely by virtue of compliance with this provision.
11. Term and Termination
This Agreement shall remain in effect for as long as Finit Systems maintains PHI on behalf of Covered Entity.
Either party may terminate this Agreement if the other party materially breaches this Agreement and fails to cure such breach within thirty (30) days after written notice.
12. Return or Destruction of PHI
Upon termination of the Underlying Agreement, Finit Systems shall delete or destroy PHI maintained in active production systems within a commercially reasonable timeframe, except where retention is required by law or is technically infeasible.
Covered Entity acknowledges that:
- residual copies of PHI may remain temporarily within encrypted backup systems, disaster recovery archives, immutable storage systems, or automated backup media;
- immediate selective deletion from such systems may be technically infeasible;
- retained backup data shall remain protected under the safeguards of this Agreement; and
- such backup data shall be permanently deleted in accordance with Finit Systems' standard retention and overwrite schedules.
Finit Systems shall not access retained backup PHI except as necessary for disaster recovery, legal compliance, or security purposes.
Finit Systems' obligations under this Agreement regarding PHI retained after termination, including all safeguards, use limitations, and disclosure restrictions, shall survive termination of this Agreement and remain in full force and effect until such retained PHI is permanently deleted or destroyed.
13. Limitation of Liability
This Agreement does not create any separate or additional liability obligations beyond those set forth in the Underlying Agreement.
Any limitations of liability, disclaimers, indemnification provisions, damage caps, arbitration clauses, or exclusions of damages contained in the Underlying Agreement shall apply to this Agreement to the fullest extent permitted by law.
14. Governing Law
This Agreement shall be governed by and construed in accordance with:
- the governing law specified in the Underlying Agreement; or
- if none is specified, the laws of the State of New York, without regard to conflict-of-law principles.
15. Notices
All notices under this Agreement shall be sent to the addresses specified in the Underlying Agreement or to:
Business Associate
Finit Systems Inc. d/b/a EZAppointo
Email: info@finitsystems.com
Address: 45 West John Street, Suite 207, Hicksville, NY 11801
16. Regulatory References
A reference in this Agreement to a section of HIPAA means the section as currently in effect or as amended. Upon the effective date of any regulation or binding guidance that amends HIPAA and is applicable to this Agreement, the relevant obligations shall automatically update to remain in compliance.
17. Entire Agreement
This Agreement supplements and forms part of the Underlying Agreement between the parties. To the extent of any conflict between this Agreement and the Underlying Agreement regarding PHI obligations, this Agreement shall control solely with respect to HIPAA compliance obligations.
Finit Systems Inc. d/b/a EZAppointo — HIPAA Business Associate Agreement — Scheduling Services
This document should be reviewed by qualified healthcare counsel before execution.