HIPAA BUSINESS ASSOCIATE AGREEMENT
Between PaiKnight LLC, a Delaware limited liability company (“Business Associate” or “PaiKnight”) and Provider (as identified in the Order Form or Master Services Agreement) (“Covered Entity”)
Effective Date: June 19, 2026
RECITALS
WHEREAS, Covered Entity is a health care provider (or other “covered entity” as that term is defined under HIPAA, as defined below) that engages Business Associate to perform certain revenue cycle management and insurer-reimbursement coordination Services;
WHEREAS, in the course of providing those Services, Business Associate may create, receive, maintain, transmit, or otherwise Process Protected Health Information (“PHI”) on behalf of Covered Entity;
WHEREAS, the parties intend this Business Associate Agreement (“Agreement” or “BAA”) to satisfy the requirements of 45 C.F.R. § 164.504(e) and the related provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and the regulations promulgated thereunder (collectively, the “HIPAA Rules”), as amended by the Omnibus Rule published January 25, 2013 (78 Fed. Reg. 5566);
NOW, THEREFORE, in consideration of the mutual covenants herein and the parties’ ongoing business relationship, the parties agree as follows:
SECTION 1 — DEFINITIONS
Capitalized terms used but not separately defined in this Agreement have the meanings given to them under the HIPAA Rules (45 C.F.R. Parts 160 and 164), which definitions are incorporated herein by reference. Key defined terms include, without limitation:
1.1 “Breach” has the meaning set forth at 45 C.F.R. § 164.402, generally meaning the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, subject to the exceptions therein (including the three-prong risk-of-harm assessment).
1.2 “Business Associate” has the meaning set forth at 45 C.F.R. § 160.103 and, for purposes of this Agreement, refers to PaiKnight LLC.
1.3 “Covered Entity” has the meaning set forth at 45 C.F.R. § 160.103 and, for purposes of this Agreement, refers to the Provider identified in the applicable Order Form or Master Services Agreement executed by the parties.
1.4 “Designated Record Set” has the meaning set forth at 45 C.F.R. § 164.501.
1.5 “Electronic Protected Health Information” or “ePHI” has the meaning set forth at 45 C.F.R. § 160.103, meaning PHI that is transmitted by or maintained in electronic media.
1.6 “HIPAA Rules” means, collectively: the HIPAA Privacy Rule (45 C.F.R. Part 164, Subparts A and E), the HIPAA Security Rule (45 C.F.R. Part 164, Subparts A and C), the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D), and the HIPAA Enforcement Rule (45 C.F.R. Part 160, Subparts C, D, and E), each as amended or replaced from time to time.
1.7 “Individual” has the meaning set forth at 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
1.8 “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 164, Subparts A and E.
1.9 “Protected Health Information” or “PHI” has the meaning set forth at 45 C.F.R. § 160.103, limited to the PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
1.10 “Required By Law” has the meaning set forth at 45 C.F.R. § 164.103.
1.11 “Security Incident” has the meaning set forth at 45 C.F.R. § 164.304, meaning the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
1.12 “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 164, Subparts A and C.
1.13 “Services” means the revenue cycle management, insurer-reimbursement coordination, benefits verification, prior authorization support, single case agreement coordination, denial management, and related administrative services that Business Associate performs for Covered Entity pursuant to the Master Services Agreement or Order Form in effect between the parties (the “Underlying Agreement”).
1.14 “Subcontractor” has the meaning set forth at 45 C.F.R. § 160.103 and means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the business associate’s workforce.
1.15 “Unsecured PHI” has the meaning set forth at 45 C.F.R. § 164.402, meaning PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance (45 C.F.R. § 164.402; see also HHS Guidance Specifying Technologies/Methodologies Under Section 13402(h)(2) of the HITECH Act).
SECTION 2 — PERMITTED USES AND DISCLOSURES OF PHI BY BUSINESS ASSOCIATE
This Section implements 45 C.F.R. § 164.504(e)(2)(i), which requires the BAA to establish the permitted or required uses and disclosures of PHI by the Business Associate.
2.1 Services Performance. Business Associate may use and disclose PHI as necessary to perform the Services on behalf of Covered Entity, provided that such use or disclosure is consistent with this Agreement and would not violate the Privacy Rule if done by Covered Entity. Business Associate shall access PHI solely for the purpose of providing the Services and shall not use PHI for any purpose other than as expressly authorized by this Agreement or Required By Law. (45 C.F.R. § 164.504(e)(2)(i)(A).)
2.2 Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities, to the extent that:
(a) such use is Required By Law; or
(b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(45 C.F.R. § 164.504(e)(2)(ii)(A).)
2.3 Data Aggregation. Business Associate SHALL NOT use PHI to provide data aggregation services, as defined at 45 C.F.R. § 164.501, relating to the health care operations of Covered Entity.
2.4 Disclosures Required By Law. Business Associate may disclose PHI as Required By Law, provided that Business Associate provides Covered Entity with reasonable advance notice of any such disclosure (to the extent permitted by applicable law and practicable under the circumstances) and cooperates with Covered Entity’s efforts to seek a protective order or other relief.
2.5 Payment Coordination — No Fund Movement. All PHI used by Business Associate in connection with insurer billing, remittance reconciliation, and related financial coordination is used solely in an administrative and records capacity. Business Associate does not hold, route, or escrow insurer reimbursements or patient funds on behalf of Covered Entity. Money flows directly from insurer to Covered Entity; Business Associate records payment events only.
SECTION 3 — PROHIBITED USES AND DISCLOSURES; MINIMUM NECESSARY
This Section implements 45 C.F.R. § 164.504(e)(2)(ii)(A)–(B) and the minimum-necessary standard of 45 C.F.R. § 164.502(b).
3.1 General Prohibition. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required By Law. Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, except as expressly authorized under Sections 2.2 and 2.3 of this Agreement.
(45 C.F.R. § 164.504(e)(2)(ii)(A).)
3.2 Prohibition on Sale of PHI. Business Associate shall not, directly or indirectly, receive remuneration in exchange for PHI except as permitted under 45 C.F.R. § 164.502(a)(5)(ii) and only with written authorization from Covered Entity where required.
(45 C.F.R. § 164.502(a)(5)(ii); HITECH § 13405(d); 45 C.F.R. § 164.514(f).)
3.3 Prohibition on Marketing and Fundraising. Business Associate shall not use or disclose PHI for marketing communications (as defined at 45 C.F.R. § 164.501) or for fundraising purposes without Covered Entity’s prior written authorization.
(45 C.F.R. § 164.508(a)(3); HITECH § 13406.)
3.4 Minimum Necessary. Business Associate shall make reasonable efforts to use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, consistent with 45 C.F.R. § 164.502(b) and applicable HHS guidance. Business Associate implements a least-privilege access model under which individual case handlers are authorized to access only the PHI associated with cases assigned to them; no handler may access PHI for cases outside their assigned case portfolio.
SECTION 4 — SAFEGUARDS
This Section implements 45 C.F.R. § 164.504(e)(2)(ii)(B) (appropriate safeguards) and the Security Rule requirements applicable to Business Associates under HITECH and the Omnibus Rule (45 C.F.R. §§ 164.308, 164.310, 164.312, 164.316).
4.1 General Obligation. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI (including ePHI) that it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with the Security Rule (45 C.F.R. §§ 164.308, 164.310, 164.312, 164.316). Business Associate acknowledges that, pursuant to HITECH § 13401 and the Omnibus Rule, the Security Rule applies directly to Business Associates.
(45 C.F.R. § 164.504(e)(2)(ii)(B); 45 C.F.R. § 164.308 et seq.)
4.2 Administrative Safeguards (45 C.F.R. § 164.308). Business Associate’s administrative safeguards include, without limitation:
(a) Risk Analysis and Management. Business Associate conducts and documents periodic risk analyses of potential risks and vulnerabilities to ePHI and implements reasonable and appropriate security measures to reduce such risks to a reasonable and appropriate level. (45 C.F.R. § 164.308(a)(1).)
(b) Workforce Training and Supervision. Access to PHI is conditioned on (i) execution of a confidentiality agreement and (ii) documented completion of current HIPAA privacy and security training. Business Associate maintains a training registry that tracks each workforce member’s (and applicable Subcontractor personnel’s) training status. PHI access is gated on current training status; access is suspended if training lapses. (45 C.F.R. § 164.308(a)(5).)
(c) Access Management. Business Associate applies a least-privilege access model. Role-based access controls limit each case handler to PHI associated with their assigned case portfolio. Developer and engineering roles have no access to PHI by default. Privileged access is reviewed periodically (no less than annually). (45 C.F.R. § 164.308(a)(4).)
(d) Workforce Sanctions. Business Associate maintains a sanctions policy for workforce members who fail to comply with its security policies and procedures. (45 C.F.R. § 164.308(a)(1)(ii)(C).)
(e) Incident Response. Business Associate maintains written incident response policies and procedures, including procedures for identifying, responding to, and reporting Security Incidents and Breaches as required by this Agreement and the Breach Notification Rule. (45 C.F.R. § 164.308(a)(6).)
(f) Contingency Planning. Business Associate maintains data backup, disaster recovery, and emergency-mode operations plans for ePHI. (45 C.F.R. § 164.308(a)(7).)
(g) Vendor and Sub-Processor Management. Business Associate maintains a register of all Subcontractors and technology sub-processors that access, Process, or store PHI. Each such party is required to execute a written subcontractor Business Associate Agreement before receiving PHI (see Section 5). Business Associate maintains a PHI-tool allowlist and does not permit PHI to reside in tools that have not executed a BAA with Business Associate or whose BAA coverage has not been confirmed. (45 C.F.R. § 164.308(b); 45 C.F.R. § 164.502(e)(1)(ii).)
4.3 Physical Safeguards (45 C.F.R. § 164.310). Business Associate’s physical safeguards include, without limitation:
(a) Facility access controls limiting physical access to systems that process ePHI. (45 C.F.R. § 164.310(a).)
(b) Workstation and device controls including device encryption, screen locks, and remote wipe capabilities for any device that may access ePHI. (45 C.F.R. § 164.310(b)–(c).)
(c) Procedures to govern the receipt and removal of hardware and electronic media containing ePHI, including media sanitization or destruction prior to disposal. (45 C.F.R. § 164.310(d).)
4.4 Technical Safeguards (45 C.F.R. § 164.312). Business Associate’s technical safeguards include, without limitation:
(a) Encryption at Rest. All PHI maintained by Business Associate is encrypted at rest using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode), which provides authenticated encryption and prevents padding-oracle attacks. Encryption is applied at the field level within the application layer and is enforced without a fail-open path — i.e., unencrypted PHI cannot be written to the data store. (45 C.F.R. § 164.312(a)(2)(iv); 45 C.F.R. § 164.312(e)(2)(ii).)
(b) Encryption in Transit. All PHI transmitted over any network is encrypted using TLS (Transport Layer Security) with current industry-standard cipher suites. This includes inbound and outbound API calls, web application traffic, database connections, and all cross-border transmissions to or from the offshore processing team (see Section 12). (45 C.F.R. § 164.312(e)(1)–(2).)
(c) Audit Controls and Immutable Audit Logging. Business Associate maintains an immutable audit log capturing all access to, creation of, modification of, and disclosure of PHI. Each audit log entry records, at minimum: user identifier, action type, affected record identifier, timestamp, originating IP address, session identifier, and the jurisdiction and country from which the access originated. Audit logs are protected against modification, deletion, or tampering (append-only with cryptographic integrity controls) and are retained for no less than six (6) years from creation, consistent with the HIPAA documentation retention period. (45 C.F.R. § 164.312(b).)
(d) Unique User Identification and Authentication. Business Associate assigns each workforce member and authorized Subcontractor user a unique identifier. Multi-factor authentication (TOTP or equivalent) is required for all access to systems containing PHI. Session inactivity timeouts are enforced. Consecutive failed authentication attempts trigger an account lockout. (45 C.F.R. § 164.312(a)(2)(i); 45 C.F.R. § 164.312(d).)
(e) Integrity Controls. Business Associate implements mechanisms to authenticate ePHI and detect unauthorized alteration or destruction. (45 C.F.R. § 164.312(c); 45 C.F.R. § 164.312(e)(2)(i).)
(f) Automatic Logoff. Business Associate configures application sessions to terminate automatically after a defined period of inactivity. (45 C.F.R. § 164.312(a)(2)(iii).)
SECTION 5 — SUBCONTRACTORS
This Section implements 45 C.F.R. § 164.504(e)(1)(ii), 45 C.F.R. § 164.502(e)(1)(ii), and 45 C.F.R. § 164.308(b), which require Business Associates to obtain written assurances from Subcontractors that are themselves business associates.
5.1 Flow-Down Obligation. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(1), Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees, by written contract, to substantially the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to such PHI. Such written contract (a “Subcontractor BAA”) shall be executed before the Subcontractor is permitted to access any PHI.
(45 C.F.R. § 164.504(e)(1)(ii); 45 C.F.R. § 164.308(b)(1)–(2).)
5.2 Known Subcontractor Categories. As of the Effective Date, Business Associate’s Subcontractor categories that may access PHI in connection with the Services include:
Cloud Infrastructure Sub-Processors. Business Associate uses Amazon Web Services, Inc. (“AWS”) and/or Google LLC / Google Cloud Platform (“GCP”) as cloud infrastructure sub-processors. Each such provider has entered into a HIPAA Business Associate Agreement with Business Associate (or offers a standard BAA covering HIPAA-regulated workloads), and ePHI stored or processed on such infrastructure is covered by the applicable sub-processor BAA. Business Associate shall maintain evidence of each sub-processor BAA and make it available to Covered Entity upon written request.
Offshore Processing Team. Business Associate engages an offshore team (the “Offshore Team”) to perform case-handling, administrative coordination, and related revenue cycle Services. See Section 12 for additional terms governing offshore PHI processing.
Other Subcontractors. Business Associate shall maintain a current register of all other Subcontractors that access PHI (the “Subcontractor Register”) and shall make such register available to Covered Entity upon written request. Business Associate shall update the Subcontractor Register within thirty (30) days of adding or removing a Subcontractor that accesses PHI.
5.3 Business Associate’s Liability for Subcontractors. Business Associate remains fully responsible to Covered Entity for any acts or omissions of its Subcontractors with respect to PHI to the same extent as if Business Associate had performed the function directly. A Subcontractor’s violation of a Subcontractor BAA shall be treated as a violation of this Agreement by Business Associate.
5.4 Notification of Subcontractor Breach. Business Associate shall include in each Subcontractor BAA a requirement that the Subcontractor notify Business Associate of any Security Incident, Breach, or unauthorized use or disclosure of PHI promptly, and in sufficient time to allow Business Associate to meet its notification obligations to Covered Entity under Sections 6 and 7 of this Agreement.
5.5 Payment Processors. Business Associate uses Stripe, Inc. (“Stripe”) to process SaaS subscription fees, communication-credit purchases, and per-case administrative fees between Business Associate and Covered Entity. Stripe processes financial payment data; Stripe is not provided with, and does not Process, clinical PHI or other PHI as part of payment processing. Business Associate does not route, hold, or escrow insurer reimbursements or patient clinical-payment funds through Stripe.
SECTION 6 — REPORTING — SECURITY INCIDENTS AND UNAUTHORIZED USE OR DISCLOSURE
This Section implements 45 C.F.R. § 164.504(e)(2)(ii)(C), which requires the BAA to require the Business Associate to report to the Covered Entity any use or disclosure of PHI not provided for by the Agreement, and to report Security Incidents.
6.1 Unauthorized Use or Disclosure. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted or required by this Agreement of which Business Associate becomes aware, without unreasonable delay and in no event later than sixty (60) days after Business Associate discovers such use or disclosure. Reports shall be directed to the Covered Entity’s designated privacy/security contact specified in Section 13.
(45 C.F.R. § 164.504(e)(2)(ii)(C).)
6.2 Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which Business Associate becomes aware. With respect to unsuccessful Security Incidents (e.g., pings, port scans, denial-of-service attempts, malware blocked by controls) that do not result in unauthorized access to PHI, Business Associate may provide periodic summary reports (no less frequently than monthly) rather than individual incident reports, consistent with HHS guidance. For Security Incidents that involve or may involve unauthorized access to PHI, Business Associate shall report promptly in accordance with Section 6.1.
(45 C.F.R. § 164.504(e)(2)(ii)(C); see also HHS guidance on Security Incident Reporting.)
6.3 Report Content. Each report under this Section 6 shall include, to the extent reasonably available at the time of the report and without delaying timely notification:
(a) a description of what happened, including the date of the incident and the date of discovery;
(b) a description of the types of PHI involved (e.g., name, date of birth, diagnosis, insurer information, case data);
(c) an estimate of the number of Individuals affected, or a statement that such estimate is not yet available;
(d) a description of what Business Associate is doing to investigate the incident, mitigate harm, and prevent future occurrences; and
(e) contact information for the Business Associate representative handling the incident (primary contact: security@paiknight.com).
Business Associate shall supplement the initial report as additional information becomes available.
SECTION 7 — BREACH NOTIFICATION
This Section implements the Breach Notification Rule at 45 C.F.R. Part 164, Subpart D, and specifically the Business Associate’s obligations under 45 C.F.R. § 164.410.
7.1 Notification Obligation. Following the discovery of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity of the Breach without unreasonable delay and in no event later than sixty (60) days after Business Associate discovers the Breach.
(45 C.F.R. § 164.410(b).)
7.2 Discovery. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate, or by exercising reasonable diligence, would have been known to Business Associate, including knowledge of any employee, officer, or agent of Business Associate (other than the individual committing the Breach). (45 C.F.R. § 164.410(a)(2).)
7.3 Notification Content. To the extent possible, Business Associate’s notification to Covered Entity shall include the elements required under 45 C.F.R. § 164.410(c):
(a) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
(b) a brief description of what happened, including the date of the Breach and the date of discovery;
(c) a description of the types of Unsecured PHI involved (e.g., name, date of birth, Social Security number, account number, diagnosis, treatment information, insurer or claim information);
(d) any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(e) a brief description of what Business Associate is doing to investigate the Breach, mitigate harm to Individuals, and protect against further Breaches; and
(f) contact information for Business Associate (security@paiknight.com).
(45 C.F.R. § 164.410(c).)
7.4 Risk Assessment. If Business Associate or Covered Entity is uncertain whether an impermissible use or disclosure constitutes a Breach, Business Associate shall provide reasonable cooperation to Covered Entity in conducting the four-factor risk-of-harm assessment specified at 45 C.F.R. § 164.402 (considering the nature and extent of PHI involved, the unauthorized person, whether PHI was actually acquired or viewed, and the extent to which risk has been mitigated). Business Associate shall provide all available information necessary for Covered Entity to make the required determination.
7.5 Cooperation with Covered Entity Notification. Following notification of a Breach, Business Associate shall cooperate fully with Covered Entity in:
(a) identifying all affected Individuals and their contact information;
(b) preparing and delivering required notifications to affected Individuals, HHS, and any applicable state regulators (including notifications required under applicable state breach notification laws — see Section 7.6);
(c) providing information for Covered Entity’s annual breach log and HHS reporting obligations; and
(d) mitigating, to the extent practicable, any harmful effect of the Breach known to Business Associate.
7.6 State Law Breach Notification. The parties acknowledge that applicable state privacy and data-breach notification laws may impose requirements in addition to or different from the HIPAA Breach Notification Rule, including, without limitation, those arising under the California Confidentiality of Medical Information Act (CMIA), the California Consumer Privacy Act / CPRA (Cal. Civ. Code §§ 1798.100 et seq.), the New York SHIELD Act, Texas Health & Safety Code § 181.001 et seq. (HB 300), and the Washington My Health My Data Act (RCW 70.372 et seq.). Business Associate shall cooperate with Covered Entity in meeting obligations under applicable state law, including any state-specific content, timing, or regulator-notification requirements.
SECTION 8 — INDIVIDUAL RIGHTS SUPPORT
This Section implements 45 C.F.R. § 164.504(e)(2)(ii)(E)–(G), which require the BAA to address the Business Associate’s obligations to support the Covered Entity in meeting the rights of Individuals under the Privacy Rule.
8.1 Access to PHI (45 C.F.R. § 164.524). Business Associate shall, within fifteen (15) days of a written request by Covered Entity, make available to Covered Entity the PHI in a Designated Record Set that Business Associate maintains about an Individual, in a form and format requested by Covered Entity (or in a readable hard copy if no other form is agreed upon), to the extent necessary to enable Covered Entity to respond to an Individual’s request for access to their PHI under 45 C.F.R. § 164.524. If an Individual requests access directly to Business Associate, Business Associate shall promptly (and in no event later than five (5) business days) forward the request to Covered Entity.
(45 C.F.R. § 164.504(e)(2)(ii)(E); 45 C.F.R. § 164.524.)
8.2 Amendment of PHI (45 C.F.R. § 164.526). Business Associate shall, within fifteen (15) days of a written request by Covered Entity, make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs in accordance with 45 C.F.R. § 164.526. If an Individual requests amendment directly to Business Associate, Business Associate shall promptly forward the request to Covered Entity.
(45 C.F.R. § 164.504(e)(2)(ii)(F); 45 C.F.R. § 164.526.)
8.3 Accounting of Disclosures (45 C.F.R. § 164.528). Business Associate shall document and make available to Covered Entity information required for Covered Entity to provide an accounting of disclosures of PHI by Business Associate, as required by 45 C.F.R. § 164.528. Such documentation shall include: the date of each disclosure, the name and address (if known) of the entity or person who received the PHI, a brief description of the PHI disclosed, and a brief statement of the purpose of the disclosure. Business Associate shall provide such accounting information to Covered Entity within fifteen (15) days of a written request. Business Associate shall maintain disclosure accounting records for the longer of (i) six (6) years from the date of the disclosure or (ii) the period required by applicable law.
(45 C.F.R. § 164.504(e)(2)(ii)(G); 45 C.F.R. § 164.528.)
8.4 Restriction Requests. Business Associate shall comply with any restriction on uses or disclosures of PHI that Covered Entity notifies Business Associate in writing that Covered Entity has agreed to pursuant to 45 C.F.R. § 164.522(a), or that are required under 45 C.F.R. § 164.522(b) (e.g., restriction on disclosure to a health plan when the Individual has paid out-of-pocket in full).
SECTION 9 — AVAILABILITY OF BOOKS AND RECORDS TO THE SECRETARY
This Section implements 45 C.F.R. § 164.504(e)(2)(ii)(H).
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of Health and Human Services (the “Secretary”) for purposes of determining Covered Entity’s compliance with the HIPAA Rules, in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(H). Business Associate shall provide Covered Entity with prompt written notice of any government inquiry, investigation, or audit directed to Business Associate that relates to Covered Entity’s PHI or compliance with the HIPAA Rules, to the extent permitted by law.
(45 C.F.R. § 164.504(e)(2)(ii)(H).)
SECTION 10 — RETURN OR DESTRUCTION OF PHI UPON TERMINATION
This Section implements 45 C.F.R. § 164.504(e)(2)(ii)(J).
10.1 Return or Destruction. Upon termination or expiration of this Agreement for any reason, Business Associate shall, at the election and direction of Covered Entity, return to Covered Entity or destroy all PHI received from, or created or received on behalf of, Covered Entity that Business Associate still maintains in any form. Business Associate shall not retain any copies of such PHI after return or destruction is complete. Business Associate shall complete return or destruction within sixty (60) days following the effective date of termination or expiration.
(45 C.F.R. § 164.504(e)(2)(ii)(J).)
10.2 Infeasibility. If return or destruction of any PHI is not feasible (e.g., because PHI is embedded in backup media, archival systems, or is otherwise impracticable to retrieve and destroy), Business Associate shall:
(a) notify Covered Entity in writing of the specific PHI it is not able to return or destroy, the reason(s) why return or destruction is infeasible, and the expected timeline for such return or destruction if feasible in the future;
(b) extend the protections of this Agreement to such retained PHI; and
(c) limit further uses and disclosures of such PHI to only those purposes that make the return or destruction infeasible.
Business Associate’s obligations under this Agreement with respect to any PHI it retains pursuant to this Section shall survive termination or expiration of this Agreement until all such PHI is returned or destroyed.
(45 C.F.R. § 164.504(e)(2)(ii)(J).)
10.3 Subcontractor Obligations. Business Associate shall impose return-or-destruction obligations on each Subcontractor consistent with this Section 10, including obligations on the Offshore Team and cloud infrastructure sub-processors, and shall certify to Covered Entity within ninety (90) days of termination that all such obligations have been satisfied.
10.4 Audit Logs. The parties acknowledge that immutable audit logs containing PHI access records may be subject to retention requirements under the HIPAA Rules (45 C.F.R. § 164.530(j) — six-year retention for Privacy Rule documentation; 45 C.F.R. § 164.316(b) — six-year retention for Security Rule documentation). Destruction of audit logs is subject to compliance with such retention requirements.
SECTION 11 — TERM AND TERMINATION
11.1 Term. This Agreement is effective as of the Effective Date and shall continue in effect for as long as Business Associate creates, receives, maintains, or transmits PHI on behalf of Covered Entity in connection with the Services, unless earlier terminated in accordance with this Section 11.
11.2 Termination for Cause by Covered Entity. Covered Entity may terminate this Agreement and the Underlying Agreement upon written notice to Business Associate if Covered Entity determines that Business Associate has materially violated a material term of this Agreement and:
(a) Business Associate does not cure the violation within thirty (30) days after receiving written notice from Covered Entity specifying the violation in reasonable detail; or
(b) if cure within thirty (30) days is not possible, Business Associate has not commenced cure within thirty (30) days and is not diligently pursuing cure to completion.
(45 C.F.R. § 164.504(e)(2)(iii).)
If Business Associate has violated a material term of this Agreement and cure is not possible, Covered Entity may terminate this Agreement immediately upon written notice.
11.3 Termination for Cause by Business Associate. Business Associate may terminate this Agreement upon written notice if Business Associate determines that Covered Entity has materially violated a material term of this Agreement and Covered Entity does not cure the violation within thirty (30) days after receiving written notice specifying the violation in reasonable detail.
11.4 Effect of Termination. Upon termination or expiration of this Agreement for any reason: (a) all rights and licenses granted to Business Associate with respect to PHI shall immediately terminate; (b) Section 10 (Return or Destruction) shall apply; and (c) all provisions of this Agreement that expressly survive termination or that by their nature should survive termination shall continue in full force and effect.
SECTION 12 — OFFSHORE AND INTERNATIONAL PHI TRANSFER
12.1 Disclosure of Offshore Processing. Business Associate hereby discloses to Covered Entity that certain Services may be performed, in whole or in part, by personnel located outside the United States (the “Offshore Team”). As of the Effective Date, Offshore Team personnel are located in the Philippines. Business Associate shall notify Covered Entity in writing within thirty (30) days of any material change in the countries or jurisdictions where Offshore Team personnel are located.
12.2 Equivalent Safeguards. Offshore Team personnel are subject to the same security, privacy, confidentiality, training, and access controls as Business Associate’s domestic workforce, including, without limitation:
HIPAA training gating (Section 4.2(b)) — access is not granted until documented HIPAA training is completed and is suspended if training lapses;
executed confidentiality agreements;
least-privilege, case-assignment-based access controls (Section 3.4);
AES-256-GCM encryption at rest and TLS encryption in transit for all cross-border data flows;
immutable audit logging with jurisdiction and country of access recorded for every PHI access event (Section 4.4(c)); and
the Subcontractor BAA required by Section 5.1.
12.3 Subcontractor BAA for Offshore Team. Business Associate shall execute a written Subcontractor BAA with each entity or individual comprising the Offshore Team before such entity or individual is permitted to access any PHI. Such Subcontractor BAA shall impose substantially the same requirements as this Agreement. Business Associate shall make evidence of executed Offshore Team Subcontractor BAAs available to Covered Entity upon written request.
(45 C.F.R. § 164.502(e)(1)(ii); 45 C.F.R. § 164.308(b).)
12.4 Encrypted Transmission. All PHI transmitted to or from the Offshore Team shall be encrypted in transit using TLS with current industry-standard cipher suites. Business Associate shall not transmit PHI to Offshore Team personnel via unencrypted channels (including unencrypted email, messaging platforms, or file-sharing services not covered by a BAA). Business Associate shall maintain a list of approved encrypted communication and collaboration tools for Offshore Team PHI access.
12.5 Audit Trail for Offshore Access. Each access to PHI by Offshore Team personnel shall be individually logged in the immutable audit log (Section 4.4(c)), with the jurisdiction and country fields populated. Business Associate shall make offshore-access audit logs available to Covered Entity upon written request, and shall include offshore-access audit records in any evidence package requested by Covered Entity or HHS.
12.6 Covered Entity Approval Rights. Covered Entity acknowledges and consents to PHI access by the Offshore Team subject to the conditions set forth in this Section 12.
12.7 Applicable Law and Cooperation. To the extent that the processing of PHI by the Offshore Team is subject to applicable law in the jurisdiction(s) where the Offshore Team is located (including any local data protection, privacy, or security requirements), Business Associate shall ensure compliance with such local requirements to the extent they are consistent with and do not reduce the protections required under this Agreement. Business Associate shall promptly notify Covered Entity of any demand, order, or legal process from any non-U.S. governmental authority seeking access to PHI, to the extent permitted by applicable law.
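The audit-log requirements in Sections 12.2 and 12.5 (every PHI access individually logged, immutable, with jurisdiction and country populated, and offshore-access records extractable for an evidence package) and the retention guard in Section 10.4 can be demonstrated with a small hash-chained log. The following is an added illustration, not PaiKnight’s code or the log format the Agreement refers to; the field names, the home-country value, the six-year retention computation and the sample events are assumptions:

```python
"""Illustrative hash-chained PHI-access audit log (Sections 12.2, 12.5) with a
retention guard (Section 10.4). Added example, not PaiKnight code; field names,
HOME_COUNTRY and the sample events below are assumptions."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime

RETENTION_YEARS = 6   # Section 10.4: six-year retention for Security Rule documentation
HOME_COUNTRY = "US"   # assumption: access from any other country counts as offshore


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    ts: str            # ISO-8601 timestamp (with offset) of the access event
    actor: str         # workforce member or Offshore Team identity
    case_id: str       # case assignment under which access was granted (Section 3.4)
    action: str        # e.g. "read" or "export"
    country: str       # country of access, ISO 3166-1 alpha-2 (Section 12.5)
    jurisdiction: str  # jurisdiction of access (Section 12.5)
    prev_hash: str     # hash of the preceding record; all zeros for the first
    hash: str          # SHA-256 over this record's fields including prev_hash


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on dict ordering.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class ImmutableAuditLog:
    """Append-only log; each record commits to its predecessor, so editing or
    dropping any stored record breaks verification from that point onward."""

    GENESIS = "0" * 64

    def __init__(self):
        self._records: list[AuditRecord] = []

    def append(self, ts, actor, case_id, action, country, jurisdiction) -> AuditRecord:
        # Section 12.5: jurisdiction and country fields must be populated.
        if not country or not jurisdiction:
            raise ValueError("country and jurisdiction are mandatory audit fields")
        prev = self._records[-1].hash if self._records else self.GENESIS
        fields = dict(seq=len(self._records), ts=ts, actor=actor, case_id=case_id,
                      action=action, country=country, jurisdiction=jurisdiction,
                      prev_hash=prev)
        rec = AuditRecord(**fields, hash=_digest(fields))
        self._records.append(rec)
        return rec

    def records(self) -> list:
        return list(self._records)

    def verify(self, records=None) -> bool:
        """Recompute the chain over the stored (or supplied) records."""
        prev = self.GENESIS
        for i, rec in enumerate(self._records if records is None else records):
            fields = asdict(rec)
            stored = fields.pop("hash")
            if rec.seq != i or rec.prev_hash != prev or _digest(fields) != stored:
                return False
            prev = rec.hash
        return True


def offshore_access(records, home=HOME_COUNTRY) -> list:
    """Section 12.5 evidence package: every access made from outside the home country."""
    return [r for r in records if r.country != home]


def _add_years(d: datetime, n: int) -> datetime:
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + n, day=28)


def destruction_permitted(rec: AuditRecord, now, years=RETENTION_YEARS) -> bool:
    """Section 10.4: an audit record may not be destroyed inside its retention period."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return now >= _add_years(datetime.fromisoformat(rec.ts), years)


def build_sample_log() -> ImmutableAuditLog:
    # Constructed sample events; not real PHI access records.
    log = ImmutableAuditLog()
    log.append("2026-06-20T14:05:00+00:00", "analyst-01", "CASE-1001", "read", "US", "US-DE")
    log.append("2026-06-20T22:41:00+00:00", "offshore-07", "CASE-1001", "read", "PH", "PH")
    log.append("2026-06-21T01:12:00+00:00", "offshore-07", "CASE-1002", "export", "PH", "PH")
    return log


def tampered_copy(log: ImmutableAuditLog) -> list:
    """Simulate an after-the-fact edit that relabels an offshore access as domestic."""
    recs = log.records()
    recs[1] = replace(recs[1], country="US")
    return recs
```

Running `build_sample_log()` and then `verify()` on its records succeeds, while `verify(tampered_copy(log))` fails because the altered record no longer matches its stored hash; `offshore_access()` returns the two Philippines events for the evidence package, and `destruction_permitted()` refuses to release the first record until six years after its timestamp.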
SECTION 13 — GENERAL PROVISIONS
13.1 Survival. The following provisions shall survive termination or expiration of this Agreement: Section 1 (Definitions), Section 3 (Prohibited Uses and Disclosures), Section 6 (Reporting — to the extent obligations arose prior to termination), Section 7 (Breach Notification — to the extent Breaches were discovered prior to termination), Section 9 (Availability of Books and Records), Section 10 (Return or Destruction), Section 12 (Offshore and International PHI Transfer — with respect to obligations arising prior to termination), and this Section 13.
13.2 No Third-Party Beneficiaries. This Agreement is entered into solely for the benefit of the parties and their respective permitted successors and assigns. Nothing in this Agreement, express or implied, is intended to or shall confer upon any other person or entity any legal or equitable right, benefit, or remedy of any nature whatsoever under or by reason of this Agreement. Without limiting the foregoing, Individuals whose PHI is processed under this Agreement are not third-party beneficiaries of this Agreement.
13.3 Amendment to Comply With Law. The parties agree to amend this Agreement to the extent necessary to comply with any change in applicable law, including any amendment, modification, or replacement of the HIPAA Rules, HHS guidance, or applicable state law, that materially affects either party’s obligations under this Agreement. Either party may notify the other in writing of the need for an amendment; if the parties cannot agree on the terms of an amendment within sixty (60) days of such notice, either party may terminate this Agreement on thirty (30) days’ written notice.
13.4 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict-of-laws principles, except to the extent preempted by federal law (including the HIPAA Rules).
13.5 Order of Precedence. In the event of any conflict or inconsistency between this Agreement and the Underlying Agreement (including any Master Services Agreement, Terms of Service, or Order Form executed by the parties), the terms of this Agreement shall control with respect to the parties’ HIPAA obligations. The Underlying Agreement shall control with respect to all other matters not governed by this Agreement.
13.6 Indemnification and Limitation of Liability. The indemnification and limitation-of-liability provisions of the Terms of Service apply to this Agreement.
13.7 Notices. All notices, reports, or other communications required or permitted under this Agreement shall be in writing and delivered by: (i) hand delivery; (ii) overnight courier with tracking; (iii) certified mail, return receipt requested; or (iv) email with confirmation of receipt, to:
Business Associate: PaiKnight LLC, Attn: HIPAA Privacy/Security Officer, 254 Chapman Rd, Ste 208 #28091, Newark, Delaware 19702; Email: security@paiknight.com; legal@paiknight.com
Covered Entity: the Covered Entity identified in the applicable Order Form, Attn: Privacy Officer, at the notice address and email specified in the applicable Order Form.
Either party may update its notice information by providing written notice to the other party.
13.8 Entire Agreement. This Agreement, together with the Underlying Agreement, constitutes the entire agreement of the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter. This Agreement may be modified only by a written amendment signed by both parties.
13.9 Counterparts; Electronic Signatures. This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures (including signatures delivered by PDF, DocuSign, or equivalent electronic signature platform) shall be deemed valid and binding.
13.10 Severability. If any provision of this Agreement is held invalid, illegal, or unenforceable in any respect, such invalidity, illegality, or unenforceability shall not affect any other provision, and this Agreement shall be construed as if such invalid, illegal, or unenforceable provision had never been contained herein, provided that the essential economic and legal terms of the Agreement are not thereby fundamentally altered.
13.11 Waiver. No failure or delay by either party in exercising any right, power, or remedy under this Agreement shall operate as a waiver of such right, power, or remedy. A waiver of any provision of this Agreement must be in writing and signed by the waiving party.
13.12 Relationship of the Parties. The parties are independent contractors. Nothing in this Agreement shall be construed to create an employment, partnership, joint venture, agency, franchise, or other relationship between the parties. Neither party has authority to bind the other party to any obligation.
SECTION 14 — REGULATORY COMPLIANCE CROSS-REFERENCE
The following table maps the required provisions of 45 C.F.R. § 164.504(e) and related HITECH/Omnibus requirements to the corresponding sections of this Agreement:
| Regulatory Requirement | CFR Citation | BAA Section |
|---|---|---|
| Establish permitted/required uses and disclosures | 45 C.F.R. § 164.504(e)(2)(i) | Section 2 |
| Prohibit impermissible use or disclosure | 45 C.F.R. § 164.504(e)(2)(ii)(A) | Section 3.1 |
| Prohibition on sale of PHI | 45 C.F.R. § 164.502(a)(5)(ii) | Section 3.2 |
| Require appropriate safeguards | 45 C.F.R. § 164.504(e)(2)(ii)(B) | Section 4 |
| Security Rule (Admin Safeguards) | 45 C.F.R. § 164.308 | Section 4.2 |
| Security Rule (Physical Safeguards) | 45 C.F.R. § 164.310 | Section 4.3 |
| Security Rule (Technical Safeguards) | 45 C.F.R. § 164.312 | Section 4.4 |
| Report Security Incidents / unauthorized use or disclosure | 45 C.F.R. § 164.504(e)(2)(ii)(C) | Section 6 |
| Subcontractor written assurances | 45 C.F.R. § 164.504(e)(1)(ii); § 164.502(e)(1)(ii); § 164.308(b) | Section 5 |
| Subcontractor liability flow-down (HITECH/Omnibus) | 45 C.F.R. § 164.308(b)(1)–(2) | Section 5.1, 5.3 |
| Breach Notification Rule | 45 C.F.R. Part 164, Subpart D; § 164.410 | Section 7 |
| Support Individual access rights | 45 C.F.R. § 164.504(e)(2)(ii)(E); § 164.524 | Section 8.1 |
| Support Individual amendment rights | 45 C.F.R. § 164.504(e)(2)(ii)(F); § 164.526 | Section 8.2 |
| Support accounting of disclosures | 45 C.F.R. § 164.504(e)(2)(ii)(G); § 164.528 | Section 8.3 |
| Availability of books/records to HHS | 45 C.F.R. § 164.504(e)(2)(ii)(H) | Section 9 |
| Return or destruction at termination | 45 C.F.R. § 164.504(e)(2)(ii)(J) | Section 10 |
| Termination for cause | 45 C.F.R. § 164.504(e)(2)(iii) | Section 11.2 |
| Authorization for BA’s own management/administration | 45 C.F.R. § 164.504(e)(4)(i) | Section 2.2 |
| Data aggregation services | 45 C.F.R. § 164.504(e)(2)(i)(B) | Section 2.3 |
| Minimum necessary | 45 C.F.R. § 164.502(b) | Section 3.4 |
| Direct applicability of Security Rule to BAs (HITECH) | HITECH § 13401; Omnibus Rule | Section 4.1 |
SIGNATURE PAGE
IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the Effective Date.
BUSINESS ASSOCIATE
PaiKnight LLC
Signature: ______________________________
Printed Name: ______________________________
Title: ______________________________
Date: ______________________________
COVERED ENTITY
Provider (as identified in the Order Form or Master Services Agreement)
Signature: ______________________________
Printed Name: ______________________________
Title: ______________________________
Date: ______________________________
End of Business Associate Agreement
Document path:
PaiKnight-Platform-Plan/_legal-docs/business-associate-agreement.md
Last revised: 2026-06-08