ProperForm Business Associate Agreement

This ProperForm Agreement ("BAA") supplements and is incorporated into the terms referencing this BAA ("Terms") between ProperForm and the business agreeing to this BAA ("Business"). This BAA applies if and to the extent Business is a "Covered Entity" (or a business associate of a Covered Entity) and ProperForm is a "Business Associate," as those terms are respectively defined by HIPAA, in connection with the services ProperForm provides to Business (the "Services").

1. Definitions

As used in this BAA, the following terms have the meanings below:

• "Breach" means as defined under 45 C.F.R. § 164.402.

• "Designated Record Set" means as set forth in 45 C.F.R. § 164.501, and for purposes of this BAA refers to those records maintained by ProperForm within the Services that are used, in whole or in part, by or for Business to make decisions about individual Clients, including therapy plans, exercise recordings, and related transcriptions.

• "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and the rules and regulations promulgated thereunder, including the Security, Privacy, and Enforcement Rules at 45 C.F.R. Parts 160 and 164.

• "Protected Health Information" or "PHI" means as defined by HIPAA and includes PHI created, received, stored, or transmitted electronically.

• "Security Incident" means as defined under 45 C.F.R. § 164.304.

2. Permitted Uses and Disclosures

2.1. Use Limitation.

ProperForm will use and disclose PHI only as necessary to perform services for the Business as set forth in the Terms and this BAA, and only in ways that would not violate HIPAA if done by the Business. ProperForm will not use or further disclose PHI except as permitted by this BAA or required by law and will limit PHI uses, disclosures, and requests to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

2.2. Special Disclosures.

ProperForm may use and disclose PHI for its proper management and administration and to carry out its legal obligations, provided that any disclosure of PHI for such purposes may only occur if (a) required by law; or (b) ProperForm obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that ProperForm will be notified of any Breach or Security Incident.

2.3. Compliance.

ProperForm agrees to comply with the applicable requirements of 45 C.F.R. Parts 160 and 164 to the extent applicable to Business Associates.

2.4. Automated Tools.

ProperForm may use automated and artificial intelligence based tools as part of the Services, provided that any PHI processed through those tools is handled in accordance with this BAA and is not used to train or improve any artificial intelligence models.

2.5. De-Identified Data.

ProperForm may de-identify PHI solely to the extent permitted by HIPAA, solely in accordance with the de-identification standards of 45 C.F.R. § 164.514, and solely for lawful purposes, including analytics, product improvement, benchmarking, and research, provided that: (a) ProperForm does not attempt to re-identify the data; and (b) de-identified data will not be used to develop, train, fine-tune, or otherwise improve any artificial intelligence or machine learning model, whether operated by ProperForm or any third party.

2.6. No Sale.

ProperForm will not sell PHI.

3. Technical Safeguards

ProperForm will implement appropriate administrative, physical, and technical safeguards to protect PHI against unauthorized use or disclosure in compliance with the HIPAA Security Rule and Privacy Rule and applicable law, including, as appropriate, encryption, access controls, logging, and workforce training. ProperForm will conduct, and document, periodic risk analyses to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(A), and will implement security measures sufficient to reduce identified risks to a reasonable and appropriate level.

4. Subcontractors

ProperForm will ensure that any agent or subcontractor to whom it provides PHI agrees in writing, to the extent applicable, to the same restrictions and conditions that apply to ProperForm with respect to such information.

5. Access to PHI

5.1. Business Access.

To the extent ProperForm maintains PHI in a Designated Record Set within the Services, ProperForm will make PHI available to Business so that Business may comply with individual Client rights to access, amend to comply with 45 C.F.R. § 164.526, or obtain an accounting of disclosures under HIPAA, including accounting of disclosures as required under 45 C.F.R. § 164.528. ProperForm will cooperate with Business in a commercially reasonable manner and within timeframes necessary to allow Business to comply with Business's obligations under HIPAA. Where ProperForm maintains PHI in an electronic health record, ProperForm will provide access to PHI as required by this BAA in an electronic format.

5.2. Audit Rights.

Upon written request no more than once per calendar year, ProperForm will respond to a reasonable written questionnaire from Business regarding ProperForm's security practices and HIPAA compliance under this BAA. In the event of a confirmed Breach affecting Business's PHI, Business may, upon reasonable prior written notice and at Business's expense, conduct or commission a targeted audit of ProperForm's practices related to the Breach, subject to reasonable confidentiality obligations and limitations necessary to protect the security of ProperForm's systems and other customers' data.

6. Required Access

ProperForm will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by ProperForm on behalf of, Business available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Business's compliance with HIPAA. ProperForm will provide Business with reasonable advance notice of any such request by the Secretary, unless prohibited by law or government directive.

7. Business Obligations

7.1. Authorizations and Disclosures.

Business will only disclose PHI to ProperForm if such disclosure is permitted under HIPAA and accompanied by all required consents or authorizations under applicable law.

7.2. Use Limitations.

Business is solely responsible for determining whether Business's end users are authorized to share, disclose, create, and/or use PHI within the Services. Business will not use the Services or disclose PHI in any manner that would not be permissible under HIPAA if done by Business or by any covered entity to which Business is a Business Associate (unless expressly permitted under HIPAA for a Business Associate).

7.3. Notice of Changes.

Business will notify ProperForm of any changes in its privacy practices or restrictions on PHI that may affect ProperForm's use or disclosure of PHI.

8. Breaches and Security Incidents

8.1. Security Incident Response.

ProperForm will notify Business of any Security Incidents, Breaches, or use or disclosure of PHI not permitted by this BAA, of which ProperForm becomes aware, without unreasonable delay and, for Breaches, no later than 30 days after discovery.

8.2. Notification Contents.

A Breach notification will include, to the extent reasonably available at the time of notification: (a) A description of the nature of the Breach, including the date of the Breach and the date of discovery of the Breach, if known; (b) A description of the types of Unsecured PHI involved in the Breach (e.g., name, date of birth, health information, treatment information, or other types of PHI); (c) The identity of each individual whose Unsecured PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the Breach. Where such identities are not fully known at the time of the initial notification, ProperForm will supplement the notification with the identity of affected individuals promptly as that information becomes available; (d) A description of the steps ProperForm has taken or is taking to investigate the Breach, mitigate its harmful effects, and prevent future occurrences of a similar Breach; and (e) Contact information for a ProperForm representative from whom Business may obtain additional information.

8.3. Mitigation.

ProperForm will mitigate, to the extent practicable, any harmful effects known to ProperForm of a use or disclosure of PHI in violation of this BAA.

8.4. Cooperation.

ProperForm will cooperate with Business in the investigation of any Security Incident or Breach and in Business's compliance with applicable notification obligations and any other of Business's obligations under HIPAA. Nothing in this BAA requires ProperForm to provide notifications directly to affected individuals, the media, or the Secretary of HHS unless otherwise required by applicable law or expressly agreed in writing by the parties.

8.5. Unsuccessful Attempts.

This Section will be deemed as notice to Business that ProperForm may periodically receive unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information, or interference with the general operation of ProperForm's systems and Services (including, without limitation, pings, port scans, unsuccessful log-in attempts, denial-of-service attacks that do not result in system compromise, or other similar events). Business acknowledges and agrees that even if such events constitute a Security Incident, other than the foregoing general notice, ProperForm will not be required to provide any notice under this BAA regarding these unsuccessful attempts.

9. Patient Portal; Clinical Limitations

As part of providing the Services, ProperForm operates a Client-facing portal (the "Client Portal") through which Business's Clients may access plans, information, recordings, and related content that Business has assigned to them, and through which Clients may track their progress. ProperForm's provision of the Client Portal constitutes direct interaction with Clients and may involve Client access to their own PHI. Notwithstanding the foregoing:

(a) ProperForm's interaction with Clients through the Client Portal is limited to making available the content and functionality assigned or enabled by Business. ProperForm does not independently use or disclose Client PHI through the Client Portal except as a conduit for Business's use of the Services and as otherwise permitted under this BAA and the Agreement;

(b) ProperForm does not provide medical advice, clinical decision-making, diagnoses, treatment recommendations, or other professional healthcare services to Clients or any other individual, and nothing in the Services or Client Portal should be construed as creating a business-patient relationship between ProperForm and any Client; and

(c) If a Client submits a request directly to ProperForm through the Client Portal to exercise rights under HIPAA (such as a request to access, amend, or restrict use of their PHI), ProperForm will promptly notify Business of the request and cooperate with Business in fulfilling any such request in accordance with Section 5 of this BAA. ProperForm is not independently responsible for fulfilling individual HIPAA rights requests except to the extent expressly required by applicable law or agreed in writing by the parties.

10. Termination

10.1. Termination.

This BAA will terminate upon any termination of the Terms.

10.2. Termination for Cause.

Business may terminate this BAA upon written notice if ProperForm materially breaches this BAA and fails to cure such breach within thirty (30) days, if cure is reasonably possible.

10.3. Return or Destruction of PHI.

Upon termination of the Terms or this BAA, ProperForm will, to the extent feasible, return or destroy all PHI received from, or created or received by Business on behalf of, Business that ProperForm still maintains in any form and retain no copies of such PHI or, if such return or destruction is not feasible, extend the protections of this BAA to the information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

11. Miscellaneous

11.1. HIPAA Compliance.

Each party will comply with all applicable provisions of HIPAA applicable to that party.

11.2. Governing Law.

This BAA will be governed by applicable federal law and, where consistent with HIPAA, the laws of the state specified in the Terms.

11.3. Interpretation.

Any ambiguity in this BAA will be resolved to permit compliance with HIPAA.

11.4. Survival.

The obligations of ProperForm under this BAA that by their nature are intended to survive termination or expiration, including without limitation obligations relating to safeguarding PHI, breach reporting, cooperation, and restrictions on use and disclosure of PHI, will survive termination or expiration of this BAA.

11.5. Order of Precedence.

If there is any conflict between this BAA and the Terms regarding the subject matter of this BAA, this BAA will control.