Business Associate Agreement

Template version 1.0 · Effective upon execution

This Business Associate Agreement ("BAA") is entered into between Simera Health, Inc., a Delaware corporation ("Business Associate"), and the healthcare entity executing this agreement ("Covered Entity"), and is incorporated into the Simera Health Terms of Service.

1. Definitions

Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the HIPAA Rules (45 CFR Parts 160 and 164). Key terms include:

• Business Associate: Simera Health, Inc.
• Covered Entity: The healthcare provider or health plan executing this BAA.
• PHI: Protected Health Information as defined at 45 CFR § 160.103.
• HIPAA Rules: The HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.
• Services: Revenue cycle analysis, denial management, and financial intelligence services provided by Simera.

2. Obligations of Business Associate

Business Associate agrees to:

• Not use or disclose PHI other than as permitted by this BAA or required by law.
• Implement appropriate administrative, physical, and technical safeguards to protect PHI (45 CFR § 164.308, 164.310, 164.312).
• Report any use or disclosure of PHI not provided for by this BAA, including breaches of unsecured PHI, to Covered Entity without unreasonable delay and no later than 60 days after discovery.
• Ensure any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions through a written sub-BAA.
• Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance.
• Return or destroy all PHI upon termination of this BAA, retaining no copies, unless retention is required by law.
• Support Covered Entity in fulfilling individuals' rights under 45 CFR § 164.524 (access), § 164.526 (amendment), and § 164.528 (accounting of disclosures).

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI only to:

• Perform the Services on behalf of Covered Entity.
• Provide data aggregation services relating to the healthcare operations of Covered Entity.
• Use PHI for the proper management and administration of Business Associate, provided disclosures are required by law or Business Associate obtains reasonable assurances of confidentiality.
• De-identify PHI in accordance with 45 CFR § 164.514(b) and use de-identified data for product improvement and benchmarking.

4. Obligations of Covered Entity

Covered Entity agrees to:

• Provide Business Associate only with the minimum necessary PHI to perform the Services.
• Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to with individuals.
• Not request Business Associate to use or disclose PHI in a manner that would violate the HIPAA Rules.
• Obtain all necessary authorizations and consents from patients as required by applicable law prior to sharing PHI with Business Associate.

5. Term and Termination

This BAA is effective upon execution and remains in effect for as long as Business Associate retains PHI or performs Services under the applicable service agreement. Either party may terminate this BAA if the other party materially breaches a provision, provided the non-breaching party gives 30 days written notice and the breach is not cured within that period.

Upon termination, Business Associate will return or destroy all PHI. If return or destruction is not feasible, Business Associate will extend protections of this BAA to the PHI and limit further use.

6. Miscellaneous

• Amendment: This BAA may be amended only by written agreement signed by both parties. The parties agree to amend this BAA as necessary to comply with changes in the HIPAA Rules.
• No Third-Party Beneficiaries: Nothing in this BAA shall confer any rights or remedies upon any person other than the parties.
• Governing Law: This BAA is governed by the laws of the State of Delaware.
• Entire Agreement: This BAA, together with the Simera Terms of Service, constitutes the entire agreement between the parties regarding the subject matter hereof.
• Survival: Sections 2, 3, 5, and 6 survive termination of this BAA.

7. Execution

To execute this BAA, email compliance@simera.health with your organization name, primary contact name and title, and your NPI or Tax ID. We will prepare a countersigned copy and return it within 2 business days. Electronic signatures are accepted pursuant to the Electronic Signatures in Global and National Commerce Act (E-SIGN).