Business Associate Agreement
Last Updated: 6/27/2025
This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is made and entered into as of the Effective Date of the Client Services Agreement (as defined therein), by and between the entity on whose behalf the individual accepting this BAA accepts this BAA (“Client”) and Go Lassie, Inc. (“Business Associate”). Client and Business Associate may each be referred to as a “Party” and, collectively, are the “Parties”.
BACKGROUND
-
Client is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);
-
The Parties have entered into or will enter into the Client Services Agreement, available at https://lassie.ai/terms/services-agreement, under which Business Associate provides or will provide certain specified services to Client (the “Agreement”);
-
In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;
-
By providing the services pursuant to the Agreement, Business Associate will become a “business associate” of the Client as such term is defined under HIPAA;
-
Both Parties are committed to complying with all applicable federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and
-
Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws.
AGREEMENT
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Client to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:
-
Definitions. For purposes of this BAA, the Parties give the meaning to the terms set forth in Exhibit A. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.
-
Use and Disclosure of PHI.
-
Business Associate may use or disclose PHI as reasonably necessary to provide services under the Agreement to Client, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law. Without limiting the foregoing, to the extent permitted by law, Business Associate may use and retain insights and information from the provision of the Services, as well as deidentified information, in connection with and to improve Business Associate’s products and services, including those services and features offered to other customers of Business Associate that utilize or rely upon Data Aggregation.
-
Except as otherwise limited by this BAA or federal or state law, Client authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party.
-
Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law.
-
Business Associate may use PHI to provide Data Aggregation services.
-
Business Associate may use PHI to create de-identified information in accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)-(c). Such de-identified information will be owned by Business Associate.
-
Upon request, Business Associate will make available to Client any of Client’s PHI that Business Associate or any of its agents or subcontractors have in their possession.
-
Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
-
Safeguards Against Misuse of PHI. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Client.
-
Reporting Disclosures of PHI and Security Incidents. Business Associate will report to Client any disclosure of PHI not provided for by this BAA or any Security Incident affecting Electronic PHI of which it becomes aware. The parties acknowledge and agree that this Section 4 constitutes notice by Business Associate to Client of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that do not result in unauthorized access to, or use, loss, modification, destruction, or disclosure of, PHI, such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, unsuccessful denial of service attacks, or any combination thereof.
-
Reporting Breaches of Unsecured PHI. Business Associate will notify Client in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach.
-
Mitigation of Disclosures of PHI. Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.
-
Agreements with Agents or Subcontractors. Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree to substantially similar restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Client.
-
Access to PHI by Individuals.
-
Upon request, Business Associate agrees to provide Client with copies of the PHI it maintains in a Designated Record Set in the time and manner reasonably designated by Client to enable Client or the applicable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524.
-
If any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate, within ten business days, will forward that request to Client. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Client or the applicable Covered Entity.
-
Amendment of PHI.
-
Upon request and instruction from Client in writing, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Client or the applicable Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Client to amend such information will be completed by Business Associate within 15 business days of Client’s request.
-
If any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate, within ten business days, will forward this request to Client. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Client or the applicable Covered Entity.
-
Accounting of Disclosures.
-
Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Client or the applicable Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. Business Associate will provide Client the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure. Such reporting shall exclude ancillary disclosures within the context of business demonstrations of the products or services under NDA.
-
Business Associate will furnish to Client information collected in accordance with this Section, within ten business days after written request by Client, to permit Client or the applicable Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or if Client elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent required under the HITECH Act or HHS regulations adopted in connection with the HITECH Act.
-
In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will, within ten business days, forward such request to Client.
-
Availability of Records. Business Associate will make available records, to the extent required by law, relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Client’s and Business Associate’s compliance with HIPAA, and this BAA.
-
Responsibilities of Client. Concerning the use and/or disclosure of Protected Health Information by Business Associate, Client agrees to:
-
Notify Business Associate of any limitation(s) in its or the applicable Covered Entity’s notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
-
Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
-
Notify Business Associate of any restriction to the use or disclosure of PHI that Client or Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
-
Except for data aggregation or management and administrative activities of Business Associate, which may include the use by Business Associate of data in de-identified or anonymized and aggregated form in connection with Business Associate’s products or services or the improvement thereof, including during or after the term of this BAA, Client shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Client or the applicable Covered Entity.
-
Data Ownership. Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any Protected Health Information shared with it under the Agreement.
-
Term and Termination.
-
This BAA will become effective on the date first written above, and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA.
-
Either Party may terminate this BAA if the other Party materially breaches this BAA and does not cure such breach within 30 days after written notice of the same.
-
Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Client or destroyed by Business Associate, to the extent feasible. If return or destruction of the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 14.C will survive any termination of this BAA.
-
Effect of BAA.
-
This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern.
-
Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
-
Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
-
Notices. All notices, requests and demands or other communications to be given under this BAA to a Party will be made via electronic mail to the Party’s address in the signature block (as updated in writing from time to time).
-
Amendments and Waiver. This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
-
HITECH Act Compliance. The Parties agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach an agreement on such a modification, either Party will have the right to terminate this BAA upon 30-days’ prior written notice to the other Party.
Exhibit A: Definitions
-
“Affiliate” means a subsidiary or affiliate of Client that is, or has been, considered a covered entity, as defined by HIPAA.
-
“Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402, as applied to the Unsecured PHI created, received, maintained, or transmitted by Business Associate from or on behalf of Client.
-
“Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
-
“Data Aggregation” shall be consistent with the meaning given to that term in the Privacy Rule.
-
“Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.B.
-
“De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
-
“Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103, limited to the information created or received by the Business Associate from or on behalf of the Client.
-
“Health Care Operations” has the meaning given to that term in 45 CFR §164.501.
-
“HHS” means the U.S. Department of Health and Human Services.
-
“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
-
“Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
-
“Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
-
“Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by the Business Associate from or on behalf of the Client.
-
“Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as applied to the ePHI created, received, maintained, or transmitted by Business Associate from or on behalf of Client.
-
“Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
-
“Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103, limited to the information created or received by the Business Associate from or on behalf of the Client, that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).