HIPAA

    Business Associate Agreement

    The terms that govern how QR Rx handles Protected Health Information on behalf of our healthcare customers.

    Last updated · May 5, 2026 · Electronic acceptance on registration

    HIPAA compliance

    This BUSINESS ASSOCIATE AGREEMENT (the "BAA") is made and entered into as of the date of electronic acceptance by and between the healthcare provider or practice accepting this Agreement upon registration with the QR Rx platform (the "Covered Entity") and QRRX LLC, a company organized under the laws of the State of New York, operating the QR Rx digital aftercare platform at qrrx.io (the "Business Associate", in accordance with the meaning given to those terms at 45 CFR §164.501). In this BAA, Covered Entity and Business Associate are each a "Party" and, collectively, are the "Parties".

    Background

    1. Covered Entity is either a "covered entity" or a "business associate" of a covered entity, as each is defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act, and the related regulations promulgated by HHS (collectively, "HIPAA").
    2. The Parties have entered into or will enter into one or more agreements under which Business Associate provides certain specified services to Covered Entity through the QR Rx digital aftercare platform, including the creation, management, and distribution of patient care plans (collectively, the "Agreement").
    3. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information, including but not limited to patient names, dates of birth, phone numbers, email addresses, encounter details, care plan instructions, medication information, and related health data.
    4. By providing the services pursuant to the Agreement, Business Associate will become a "business associate" of the Covered Entity as such term is defined under HIPAA.
    5. Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the "Privacy Rule").
    6. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws.

    NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows.

    §1

    Definitions

    For purposes of this BAA, the Parties give the following meaning to each of the terms below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.

    • "Breach": the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
    • "Breach Notification Rule": the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
    • "Designated Record Set": the meaning given under the Privacy Rule, including 45 CFR §164.501.B.
    • "Electronic PHI": any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
    • "Health Care Operations": the meaning given in 45 CFR §164.501.
    • "HHS": the U.S. Department of Health and Human Services.
    • "HITECH Act": the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
    • "Individual": the meaning given in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
    • "Platform": the QR Rx digital aftercare platform, including all associated web applications, mobile interfaces, APIs, and related services accessible through qrrx.io.
    • "Privacy Rule": the portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
    • "Protected Health Information / PHI": the meaning given in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity through the Platform.
    • "Security Incident": the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
    • "Security Rule": the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 and Part 164, Subparts A and C.
    • "Unsecured PHI": any PHI as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through technology or methodology specified by the Secretary of HHS.

    §2

    Use and disclosure of PHI

    A. Except as otherwise provided, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement, including the creation, management, distribution, and secure delivery of patient care plans, medication tracking, appointment reminders, and related aftercare communications, and to undertake other activities permitted or required by this BAA or as required by law.

    B. Except as otherwise limited, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate's business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains reasonable assurances from any third party that the PHI will be held confidential and used only as required by law or for the purpose for which it was disclosed.

    C. Business Associate will not use or disclose PHI other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, limited to the minimum necessary amount to carry out the intended purpose.

    D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity's PHI that Business Associate or any of its agents or subcontractors have in their possession.

    E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).

    §3

    Safeguards against misuse of PHI

    Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Such safeguards include encryption of PHI in transit (TLS 1.2+) and at rest; access controls including unique user identification and authentication; audit logging of access to and modifications of PHI; hosting on HIPAA-compliant infrastructure with signed Business Associate Agreements with all subcontractors; and patient verification through multi-factor authentication (QR code, PIN, and date of birth).

    §4

    Reporting disclosures of PHI and security incidents

    Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware, and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within five business days of becoming aware of the event.

    §5

    Reporting breaches of unsecured PHI

    Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the Breach Notification Rule.

    §6

    Mitigation of disclosures of PHI

    Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.

    §7

    Agreements with agents or subcontractors

    Business Associate will ensure that any of its agents or subcontractors that have access to PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA. Business Associate's current subcontractors with access to PHI include:

    • Render, Inc. (compute hosting and Postgres database infrastructure). BAA in place.
    • Amazon Web Services, Inc. (file storage on Amazon S3, encryption keys via AWS KMS). BAA in place.
    • Paubox, Inc. (HIPAA-compliant transactional email delivery for care plans, recovery reminders, password resets, and team invitations). BAA in place.
    • Telnyx LLC (SMS delivery for care plan links, recovery check-ins, and unscanned-plan nudges). BAA in place.
    • Google LLC (Cloud Translation API, used to translate procedure-level care plan content into the patient's preferred language). BAA in place. Patient identifiers are not transmitted to this service; only the de-identified care plan content is sent.

    The Platform also uses Anthropic, PBC for the Cura AI care plan assistant described in Section 22. Anthropic is not a BAA subprocessor. Business Associate ensures that no PHI is transmitted to Anthropic by de-identifying every payload before it leaves the Platform; only procedure-level care plan content authored by Covered Entity is sent. See Section 22 for the full description.

    The most current subprocessor list, with the role and BAA status of each provider, is published at qrrx.io/subprocessors. Business Associate shall notify Covered Entity of material changes to its subcontractors by updating that page within 30 calendar days, and at least 30 calendar days in advance when a new subprocessor with PHI access is engaged.

    §8

    Audit report

    Upon request, Business Associate will provide Covered Entity with a summary of its security practices and infrastructure.

    §9

    Access to PHI by individuals

    A. Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set to enable Covered Entity to respond to an Individual's request for access to PHI under 45 CFR §164.524.

    B. In the event any Individual requests access to their PHI directly from Business Associate, Business Associate will forward that request to Covered Entity within ten business days.

    §10

    Amendment of PHI

    A. Upon request from Covered Entity, Business Associate will amend PHI in a Designated Record Set within 15 business days.

    B. Individual requests for amendment will be forwarded to Covered Entity within ten business days.

    §11

    Accounting of disclosures

    Business Associate will document disclosures of PHI and make available to Covered Entity: (i) the date of disclosure; (ii) the name and address of the recipient; (iii) a description of the PHI disclosed; and (iv) the purpose of the disclosure. Such information will be provided within ten business days of written request.

    §12

    Availability of books and records

    Business Associate will make available its internal practices, books, and records relating to the use and disclosure of PHI to the Secretary of HHS for purposes of determining compliance with HIPAA.

    §13

    Responsibilities of Covered Entity

    Covered Entity agrees to:

    • Notify Business Associate of any limitations in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI.
    • Notify Business Associate of any changes in permission by an Individual to use or disclose PHI.
    • Notify Business Associate of any restrictions to the use or disclosure of PHI.
    • Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
    • Obtain any required patient consents before entering patient information into the Platform, including consent for electronic communications.

    §14

    Data ownership

    All patient data entered into the Platform remains the property of Covered Entity. Business Associate's data stewardship does not confer data ownership rights.

    §15

    Term and termination

    • This BAA is effective upon electronic acceptance and continues for the duration of Covered Entity's subscription to the Platform.
    • Covered Entity may terminate this BAA if Business Associate breaches a material term and fails to cure within 30 days of written notice.
    • Business Associate may terminate if Covered Entity breaches a material term and fails to cure within 30 days.
    • Upon termination, Business Associate will retain PHI for 30 days to allow data export, after which all PHI will be destroyed. If destruction is not feasible, Business Associate will extend protections indefinitely. This section survives termination.

    §16

    Effect of BAA

    This BAA is subject to the Terms of Service. Where terms conflict, this BAA governs.

    §17

    Regulatory references

    References to HIPAA sections mean the section as in effect or amended.

    §18

    Notices

    Notices to Business Associate: contact@qrrx.io. Notices to Covered Entity: the email associated with their Platform account.

    §19

    Amendments

    Business Associate may update this BAA as necessary for HIPAA compliance. Covered Entity will be notified of material changes. Continued use constitutes acceptance.

    §20

    HITECH Act compliance

    Each Party agrees to comply with applicable provisions of the HITECH Act and related HHS regulations.

    §21

    Governing law

    This BAA is governed by federal law including the HIPAA Rules. To the extent not preempted, the laws of the State of New York apply.

    §22

    Cura AI care plan assistant and the verified knowledge base

    The Platform offers an optional AI-assisted care plan assistant called Cura that lets patients ask questions about their own care plan in plain language. Covered Entity may enable or disable Cura at the practice level at any time. When enabled, Cura answers a patient's question by consulting, in order: (i) Covered Entity's own provider-authored FAQ library; (ii) the cross-clinic verified knowledge base described below; (iii) a short-term cache of recent answers; and (iv) only as a last resort, a third-party large language model operated by Anthropic, PBC.

    No PHI is transmitted to Anthropic. Before any payload leaves the Platform, patient names, dates of birth, phone numbers, and email addresses are removed by automated de-identification. Only de-identified care plan content (procedure type, instructions, medication names, milestone descriptions) and the patient's question text reach the model. Question text and model responses are not used by Anthropic to train its models, are not retained beyond the immediate response, and are subject to Anthropic's standard zero-retention controls for API traffic.

    Cross-clinic verified knowledge base. The Platform maintains a non-PHI library of verified, procedure-specific aftercare answers (the "Cura Knowledge Base"). Entries in the Cura Knowledge Base are keyed by procedure type, recovery-day window, and answer category (for example, "what is normal" / "when to call your provider"). Each entry tracks the number of independent clinical teams that have verified the answer pattern, which patients see as a "Verified by N clinical teams" trust signal.

    What is and is not shared. Covered Entity's verified provider-authored FAQ entries may, in Business Associate's discretion or at Covered Entity's request, be promoted into the Cura Knowledge Base. Promotion does not transfer ownership, does not include any patient identifier, does not include any clinic identifier on the patient-facing surface, and does not republish the original asking patient's question text to any other clinic or patient. Only the procedure-level answer pattern, its category, and its day-of-recovery window are shared. Internal contribution audit records (which clinic verified which entry) are kept under the same access controls that protect PHI; they are never displayed to other clinics or to patients.

    Covered Entity may, at any time and by written request to privacy@qrrx.io, opt out of having any of its provider-authored FAQ entries promoted into the Cura Knowledge Base, and may request that any previously promoted entry attributable to Covered Entity be removed. Removal is processed within 30 calendar days. Entries that have been independently verified by other clinical teams will remain in the Knowledge Base unattributed to Covered Entity; entries unique to Covered Entity will be removed in full.

    Business Associate's intent in maintaining the Cura Knowledge Base is to build a verified, clinician-reviewed layer of aftercare information that patients across the Platform can trust, without exposing any individual clinic's patient population, internal protocols, or competitive information. The Cura Knowledge Base is not sold, licensed, or shared with third parties for any commercial purpose, and is not used for advertising.

    §23

    Electronic acceptance

    By creating an account on the Platform and checking the acceptance box, Covered Entity agrees to be bound by this BAA. Electronic acceptance constitutes a legally binding agreement. The date, time, IP address, user agent, and identity of the accepting party are recorded.

    Business Associate

    QRRX LLC

    qrrx.io

    contact@qrrx.io

    Covered Entity

    Accepted electronically upon account registration on the QR Rx platform. Date, time, practice name, and authorized representative are recorded at the time of acceptance.