Business Associate Agreement

Effective: April 1, 2026

This Business Associate Agreement ("BAA") is entered into between Clique Health, Inc. ("Business Associate") and the entity executing a services agreement with Clique ("Covered Entity"). This BAA supplements and is incorporated into the underlying services agreement.

1. Definitions

Capitalized terms not defined herein shall have the meanings ascribed to them in HIPAA (the Health Insurance Portability and Accountability Act of 1996), the HITECH Act, and their implementing regulations at 45 CFR Parts 160 and 164, as amended. "Protected Health Information" or "PHI" refers to individually identifiable health information received, created, maintained, or transmitted by Business Associate on behalf of Covered Entity.

2. Permitted Uses and Disclosures

Business Associate may use or disclose PHI solely as follows:

As necessary to perform services under the underlying services agreement
As required by law, including as required by the Secretary of HHS for compliance investigations
For the proper management and administration of Business Associate, provided that any disclosures are required by law or Business Associate obtains reasonable assurances that the information will be held confidentially
To provide data aggregation services relating to the healthcare operations of Covered Entity, if permitted under the services agreement
To de-identify PHI in accordance with 45 CFR 164.514(a)-(c)

Business Associate shall not use or disclose PHI for any purpose other than as expressly permitted or required by this BAA or as required by law. Business Associate shall not sell PHI or use PHI for marketing purposes.

3. Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect PHI, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C). These safeguards include, but are not limited to:

Encryption of PHI in transit (TLS 1.3) and at rest (AES-256)
Role-based access controls with multi-factor authentication
Audit logging of all access to PHI
Regular risk assessments and vulnerability scanning
Workforce training on HIPAA requirements and data handling procedures
Use of Trusted Execution Environments (TEEs) for processing PHI where applicable

4. Subcontractors

Business Associate shall ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate under this BAA. Business Associate remains responsible for the acts and omissions of its subcontractors.

5. Breach Notification

Business Associate shall report to Covered Entity any Breach of Unsecured PHI (as defined in 45 CFR 164.402) without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach. The notification shall include:

Identification of each individual whose PHI has been or is reasonably believed to have been affected
A description of the nature of the Breach, including the types of PHI involved
A description of the investigation, mitigation steps taken, and protections against further incidents
Contact information for individuals who can provide additional information

Business Associate shall cooperate with Covered Entity in meeting its breach notification obligations under 45 CFR 164.404-164.408.

6. Access and Amendment

Business Associate shall make PHI available to Covered Entity as necessary for Covered Entity to fulfill its obligations to provide individuals with access to their PHI under 45 CFR 164.524. Business Associate shall make PHI available for amendment and shall incorporate amendments to PHI as directed by Covered Entity, in accordance with 45 CFR 164.526.

7. Accounting of Disclosures

Business Associate shall maintain an accounting of disclosures of PHI as required by 45 CFR 164.528 and shall make such accounting available to Covered Entity upon request. Business Associate shall retain records of such disclosures for a minimum of six (6) years.

8. Obligations of Covered Entity

Covered Entity shall:

Notify Business Associate of any limitations in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI
Notify Business Associate of any restrictions on the use or disclosure of PHI agreed to by Covered Entity under 45 CFR 164.522
Not request Business Associate to use or disclose PHI in a manner that would violate HIPAA

9. Term and Termination

This BAA is effective as of the date the underlying services agreement is executed and shall remain in effect for the duration of the services agreement, unless terminated earlier as provided herein.

Either party may terminate this BAA if the other party materially breaches a provision of this BAA and fails to cure such breach within thirty (30) days of written notice. Covered Entity may terminate this BAA immediately if Business Associate has breached a material term and cure is not feasible.

Upon termination, Business Associate shall return or destroy all PHI in its possession, if feasible. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI for as long as it is retained.

10. Miscellaneous

This BAA shall be interpreted consistently with HIPAA and the HITECH Act
Any ambiguity in this BAA shall be resolved in favor of a meaning that permits compliance with HIPAA
This BAA may not be assigned without the prior written consent of both parties
This BAA, together with the underlying services agreement, constitutes the entire agreement between the parties with respect to PHI

Contact

For questions regarding this BAA or to request execution, please contact us at legal@cliquehealth.com.