CorralData Business Associate Agreement
Last Updated
June 7, 2026
This Business Associate Agreement (“BAA” or this “Agreement”) is entered into by and between the customer named on the applicable Services Order Form or that otherwise accepts the CorralData SaaS Services Agreement available at https://corraldata.com/saas/ (the “Services Agreement”) (“Covered Entity”) and Corral Data, Inc. (“Business Associate”). This BAA is incorporated into and forms part of the Services Agreement and is effective as of the effective date of the Services Agreement (the “Effective Date”).
This BAA applies only to the extent that (a) Covered Entity is a “covered entity” or “business associate” as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and (b) Business Associate creates, receives, maintains, or transmits Protected Health Information on behalf of Covered Entity in connection with the services provided under the Services Agreement.
This BAA is made in furtherance of the obligations of Covered Entity to comply with certain provisions of HIPAA, and such rules and regulations as may be lawfully promulgated thereunder by the Department of Health and Human Services (“HHS”) that relate to the security and privacy of individually identifiable health information. In consideration of the covenants, conditions, representations, warranties and restrictions set forth herein, the parties agree as follows:
1. Definitions
Terms used, but not otherwise defined in this Agreement, shall have the same meaning as those terms in the Privacy Rule, Security Rule, and HITECH Act.
a. Agent. “Agent” shall have the meaning as determined in accordance with the federal common law of agency.
b. Breach. “Breach” shall have the same meaning as the term “breach” in 45 CFR §164.402.
c. Business Associate. “Business Associate” shall mean the Business Associate defined above.
d. Covered Entity. “Covered Entity” shall mean the Covered Entity defined above.
e. Data Aggregation. “Data Aggregation” shall have the same meaning as the term “data aggregation” in 45 CFR §164.501.
f. Designated Record Set. “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 CFR §164.501.
g. Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term in Section 13400 of the HITECH Act.
h. Health Care Operations. “Health Care Operations” shall have the same meaning as the term “health care operations” in 45 CFR §164.501.
i. HITECH Act. “HITECH Act” shall mean The Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009 (“ARRA” or “Stimulus Package”), specifically DIVISION A: TITLE XIII Subtitle D—Privacy, and its corresponding regulations as enacted under the authority of the Act.
j. Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
k. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
l. Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR §160.103, limited to the information created, received, maintained or transmitted by Business Associate on behalf of Covered Entity.
m. Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR §164.103.
n. Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
o. Security Rule. “Security Rule” shall mean the Standards for Security of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
p. Subject Matter. “Subject Matter” shall mean compliance with the Privacy and Security Rules, and with the HITECH Act, and its corresponding regulations.
q. Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR §164.402.
r. Security Incident. “Security Incident” shall have the same meaning as set forth in 45 C.F.R. § 164.304.
s. Credentials. “Credentials” means any authentication data that permits access to accounts, systems, applications, or services that store, process, or transmit Protected Health Information, including but not limited to usernames, passwords, API keys, tokens, and private keys.
t. Secrets. “Secrets” means sensitive authentication or authorization material used to protect access to systems or data, including encryption keys, API tokens, and password vault entries.
u. Secure Method. “Secure Method” means a method of transmitting Credentials or Secrets that preserves their confidentiality and integrity, such as an enterprise secrets manager, encrypted file transfer, a temporary API token delivered out of band, single sign-on provisioning, or another mutually agreed encrypted channel that includes logging and access controls.
2. Obligations and Activities of Business Associate
a. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law.
b. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of Protected Health Information other than as provided for by this Agreement. Business Associate further agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic Protected Health Information, as provided for in the Security Rule and as mandated by Section 13401 of the HITECH Act.
c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. Business Associate further agrees to report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware, and in a manner as prescribed herein.
d. Breach and Security-Incident Notification.
i. Business Associate shall notify Covered Entity of any Breach of Unsecured Protected Health Information (“PHI Breach”) without unreasonable delay and in no event later than ten (10) business days after the Breach has been confirmed.
ii. Business Associate shall notify Covered Entity of any other security incident that compromises the confidentiality, integrity, or availability of Protected Health Information (“Security Incident”) within fifteen (15) business days after confirmation of the Security Incident.
iii. Each notice shall include the information reasonably required for Covered Entity to comply with 45 C.F.R. §§ 164.404–164.408 and Section 13402 of the HITECH Act, as such information becomes available.
e. Business Associate agrees to ensure that any Agent, including a subcontractor, to whom Business Associate provides Protected Health Information, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate further agrees that restrictions and conditions analogous to those contained herein shall be imposed on said Agents and/or subcontractors via a written agreement, and that Business Associate shall only provide said Agents and/or subcontractors Protected Health Information consistent with Section 13405(b) of the HITECH Act. Further, Business Associate agrees to provide copies of said written agreements to Covered Entity within ten (10) business days of a Covered Entity’s request for same.
f. Reasonable Efforts for Access. Business Associate agrees to make reasonable efforts to provide access to Protected Health Information in a Designated Record Set as requested by Covered Entity. Access shall be provided within a reasonable timeframe, and in no case shall Business Associate be required to provide such access in less than ten (10) business days after receipt of such a request. Business Associate’s obligation to provide access to Electronic Health Records is contingent on Business Associate’s control over such access.
g. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR §164.526, at the request of Covered Entity or an Individual. This provision does not apply if Business Associate and its employees, subcontractors and Agents have no Protected Health Information from a Designated Record Set of Covered Entity.
h. Business Associate agrees to make available to Covered Entity or the Secretary, upon request, internal practices, books, and records directly related to the services provided under the Services Agreement, only to the extent they are material to Business Associate’s use or disclosure of Protected Health Information and are necessary for compliance with the Privacy Rule or Security Rule. Such requests must be submitted in writing with a minimum notice of fifteen (15) business days, except where shorter notice is required by law.
i. Business Associate agrees to maintain necessary and sufficient documentation of disclosures of Protected Health Information as would be required for Covered Entity to respond to a request by an Individual for an accounting of such disclosures, in accordance with 45 CFR §164.528.
j. On request of Covered Entity, Business Associate agrees to provide to Covered Entity documentation made in accordance with this Agreement to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528. Business Associate shall provide said documentation in a manner and format to be specified by Covered Entity. Business Associate shall have a reasonable time within which to comply with such a request from Covered Entity and in no case shall Business Associate be required to provide such documentation in less than three (3) business days after Business Associate’s receipt of such request.
k. Except as provided for in this Agreement, in the event Business Associate receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, Business Associate shall redirect the Individual to the Covered Entity.
3. Permitted Uses and Disclosures by Business Associate
a. Except as otherwise limited by this Agreement, Business Associate may make any uses and disclosures of Protected Health Information necessary to perform its services to Covered Entity and otherwise meet its obligations under this Agreement, if such use or disclosure would not violate the Privacy Rule, or the privacy provisions of the HITECH Act, if done by Covered Entity. All other uses or disclosures by Business Associate not authorized by this Agreement or by specific instruction of Covered Entity are prohibited.
b. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
c. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used, or further disclosed, only as Required By Law, or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
d. Data Aggregation and De-Identified Data.
i. Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
ii. De-Identified Data. Business Associate may de-identify Protected Health Information in accordance with 45 C.F.R. § 164.514(b). Once de-identified in accordance with that standard, such data are no longer Protected Health Information and are not subject to HIPAA or this BAA. Business Associate may use and disclose de-identified data, alone or in aggregated form, for any lawful business purpose, including analytics, quality assurance, research, and developing, improving, and distributing benchmarking and industry insights. Business Associate will not attempt to re-identify de-identified data, will not disclose de-identified data in a form that could reasonably permit re-identification, and will contractually require the same of any recipient. For clarity, Business Associate does not and will not sell Protected Health Information.
iii. Any other secondary use or disclosure of Covered Entity’s Protected Health Information requires Covered Entity’s prior written consent.
e. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
4. Obligations and Activities of Covered Entity
a. Covered Entity shall notify Business Associate of the provisions and any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR §164.520, to the extent that such provisions and limitation(s) may affect Business Associate’s use or disclosure of Protected Health Information.
b. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that the changes or revocation may affect Business Associate’s use or disclosure of Protected Health Information.
c. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR §164.522, and also notify Business Associate regarding restrictions that must be honored under section 13405(a) of the HITECH Act, to the extent that such restrictions may affect Business Associate’s use or disclosure of Protected Health Information.
d. Covered Entity shall notify Business Associate of any modifications to accounting disclosures of Protected Health Information under 45 CFR §164.528, made applicable under Section 13405(c) of the HITECH Act, to the extent that such restrictions may affect Business Associate’s use or disclosure of Protected Health Information.
e. Covered Entity shall provide Business Associate, within thirty (30) business days of Covered Entity executing this Agreement, a description and/or specification regarding the manner and format in which Business Associate shall provide information to Covered Entity, wherein such information is required to be provided to Covered Entity as agreed to by Business Associate in paragraph 2(d)(iii) of this Agreement. Covered Entity reserves the right to modify the manner and format in which said information is provided to Covered Entity, as long as the requested modification is reasonably required by Covered Entity to comply with the Privacy Rule or the HITECH Act, and Business Associate is provided sixty (60) business days’ notice before the requested modification takes effect.
f. Covered Entity shall provide Business Associate, within thirty (30) business days of Covered Entity executing this Agreement, a description and/or specification regarding the manner and format in which Business Associate shall provide information to Covered Entity, wherein such information is required to be provided to Covered Entity as agreed to by Business Associate in paragraph 2(j) of this Agreement. Covered Entity reserves the right to modify the manner and format in which said information is provided to Covered Entity, as long as the requested modification is reasonably required by Covered Entity to comply with the Privacy Rule or the HITECH Act, and Business Associate is provided sixty (60) business days’ notice before the requested modification takes effect.
g. Mutual Indemnification.
i. Each Party (“Indemnifying Party”) shall indemnify, defend, and hold harmless the other Party, its officers, directors, employees, and agents (“Indemnified Party”) from and against any third-party claims, liabilities, damages, judgments, fines, penalties, and reasonable attorneys’ fees arising from the Indemnifying Party’s material breach of this Agreement or violation of applicable law, including any unauthorized use or disclosure of Protected Health Information.
ii. The Indemnifying Party’s total liability for indemnified claims shall be subject to the limitation of liability set forth in § 8(e).
h. Secure Transfer of Credentials and Secrets.
1. Covered Entity Obligations. Covered Entity shall not transmit account Credentials, Secrets, or any information that permits access to Protected Health Information by unencrypted email or any other insecure or unencrypted channel. All Credentials and Secrets provided to Business Associate must be shared using a Secure Method. Covered Entity shall use unique, least-privilege accounts for Business Associate access and shall require multi-factor authentication on any account that can access Protected Health Information.
2. Notification and Rotation. If Covered Entity becomes aware that Credentials or Secrets have been transmitted by an insecure method or may have been compromised, Covered Entity shall, at its expense, rotate or revoke such Credentials or Secrets immediately and in any event no later than twenty-four (24) hours after discovery, and shall promptly notify Business Associate. Covered Entity shall cooperate with Business Associate to contain the event and shall provide all information reasonably necessary for Business Associate to investigate and respond.
3. Business Associate Response. Upon receiving notice under Section 4.h.2, Business Associate will take reasonable steps, consistent with its security policies and the Security Rule, to contain and remediate access under its control, which may include disabling or rotating Business Associate controlled credentials, auditing access logs, and preserving evidence for an investigation.
4. Limitation of Business Associate Liability. Notwithstanding anything to the contrary in this Agreement, Business Associate’s obligations and liability arising from the receipt, storage, or use of Credentials or Secrets provided by Covered Entity are limited to the extent they result from Business Associate’s breach of this Agreement, gross negligence, or willful misconduct.
5. Covered Entity Indemnity. Covered Entity shall indemnify, defend, and hold harmless Business Associate and its officers, directors, employees and agents from and against all losses, claims, liabilities, damages, fines, penalties and reasonable attorneys’ fees arising out of or relating to Covered Entity’s transmission of Credentials or Secrets by insecure means, Covered Entity’s failure to rotate or revoke compromised credentials in accordance with Section 4.h.2, or Covered Entity’s breach of its obligations under this Section 4.h.
6. No Admission. Nothing in this Section 4.h constitutes an admission by either party that insecure transmission of Credentials is acceptable, nor does this Section modify the limitation of liability, indemnification, or insurance provisions of this Agreement except as expressly set forth herein.
5. Term and Termination
a. This BAA shall commence as of the Effective Date and shall terminate concurrently with the termination of the Services Agreement, unless sooner terminated as provided herein; provided, however, that the protections of this BAA shall continue to apply until all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy such Protected Health Information, protections are extended to such information in accordance with Section 5(d).
b. Termination for Cause by Covered Entity. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall give Business Associate written notice of such breach and provide reasonable opportunity for Business Associate to cure the breach or end the violation. Covered Entity may terminate this Agreement, and Business Associate agrees to such termination, if Business Associate has breached a material term of this Agreement and does not cure the breach or cure is not possible. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.
c. Termination for Cause by Business Associate. Upon Business Associate’s knowledge of a material breach of this Agreement by Covered Entity, Business Associate shall give Covered Entity written notice of such breach and provide reasonable opportunity for Covered Entity to cure the breach or end the violation. Business Associate may terminate this Agreement, and Covered Entity agrees to such termination, if Covered Entity has breached a material term of this Agreement and does not cure the breach or cure is not possible. If neither termination nor cure is feasible, Business Associate shall report the violation to the Secretary.
d. Effect of Termination. Upon termination of this Agreement, Business Associate shall return or destroy all Protected Health Information (PHI) received from Covered Entity, except where Business Associate is required by law to retain such PHI, or where destruction or return is infeasible for legitimate operational reasons. If return or destruction is not feasible, Business Associate shall notify Covered Entity of the conditions that make return or destruction infeasible, and extend the protections of this Agreement to the retained PHI for as long as Business Associate maintains it.
6. Entire Agreement
a. This Agreement supersedes all other prior and contemporaneous written and oral agreements and understandings between Covered Entity and Business Associate regarding this Subject Matter. It contains the entire Agreement between the parties.
b. This Agreement may be modified only by a signed written agreement between Covered Entity and Business Associate.
c. All other agreements entered into between Covered Entity and Business Associate, not related to this Subject Matter, remain in full force and effect.
7. Governing Law
a. Governing Law. This Agreement and the rights of the parties shall be governed by and construed in accordance with Federal law to the extent it pertains to the Subject Matter, and otherwise in accordance with the laws of the State of New York, without giving effect to its conflict of laws provisions.
b. Jurisdiction. The parties agree that any appropriate state court sitting in New York County, New York, or the United States District Court for the Southern District of New York, shall have exclusive jurisdiction of any case or controversy arising under or in connection with this Agreement and shall be the proper forum in which to adjudicate such case or controversy.
c. Each Party irrevocably consents to the jurisdiction of such courts and irrevocably waives to the fullest extent permitted by law the defense of an inconvenient forum to the maintenance of such suit, action, or proceeding in any such court and further waives the right to object with respect to such suit, action, or proceeding that such court does not have jurisdiction over such Party.
8. Miscellaneous
a. Regulatory References. A reference in this Agreement to a section in the Privacy Rule, Security Rule, or HITECH Act means the section as in effect or as amended.
b. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act, and its corresponding regulations.
c. Survival. The respective rights and obligations of Business Associate under Section 5(d) of this Agreement shall survive the termination of this Agreement.
d. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act, and its corresponding regulations.
e. Limitation of Liability.
i. Cap. Except as set forth in subsection (ii), each Party’s aggregate liability arising out of or relating to this Agreement shall not exceed the greater of (a) two (2) times the total fees paid or payable by Covered Entity to Business Associate under the Services Agreement during the twelve (12) months immediately preceding the event giving rise to the claim, or (b) USD 1,000,000.
ii. Carve-outs. The cap in subsection (i) shall not apply to (a) either Party’s indemnification obligations under § 4(g) to the extent the claim is covered by that Party’s cyber-liability or technology errors-and-omissions insurance, up to the policy limits actually available to pay the claim; (b) either Party’s willful misconduct or gross negligence; or (c) amounts payable by a Party pursuant to its obligations to comply with law, including HIPAA civil monetary penalties assessed against that Party.
iii. Exclusion of Consequential Damages. Neither Party shall be liable for any incidental, indirect, special, punitive, or consequential damages (including lost profits), regardless of the theory of liability, even if advised of the possibility of such damages.
f. Severability. If any provision or provisions of this Agreement is/are determined by a court of competent jurisdiction to be unlawful, void, or unenforceable, this Agreement shall not be unlawful, void or unenforceable thereby, but shall continue in effect and be enforced as though such provision or provisions were omitted.
g. Counterparts; Electronic Acceptance. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same Agreement. Facsimile or electronically authenticated signatures shall be accepted and enforceable in lieu of original signatures. Acceptance of the Services Agreement constitutes acceptance of this BAA where this BAA applies pursuant to its terms.