HIPAA Business Associate Terms

Updated: October 1, 2021

These HIPAA Business Associate Terms apply in the event or to the extent that the Plan Sponsor, on behalf of the Plan Sponsor’s Infertility Health Reimbursement Arrangement (HRA) Plan (“the Plan”), intends to treat certain services provided by Carrot Fertility, Inc. (“the Business Associate”) pursuant to the parties’ separate services agreement (the “Master Services Agreement”), as provided under a group health plan within the meaning of the Employee Retirement Income Security Act of 1974. The Plan Sponsor intends to treat the Plan as a “covered entity” within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health ("HITECH") Act, and implementing regulations, including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 (collectively, the “HIPAA Rules”). Accordingly, these Business Associate Terms are necessary in the event or to the extent that, in providing services to the Plan Sponsor pursuant to the Master Services Agreement, the Business Associate creates, receives, uses or discloses Protected Health Information, including Electronic Protected Health Information, regarding any participant in the Plan. The Plan Sponsor and the Business Associate hereby agree as follows:

1. DEFINITIONS

Capitalized terms used herein without definition shall have the respective meanings assigned to such terms under the HIPAA Rules.

2. Obligations and Activities of Business Associate

Business Associate agrees to:

(a) Not use or disclose Protected Health Information other than as permitted or required by these Business Associate Terms or as Required By Law;

(b) Use appropriate safeguards and comply, where applicable, with subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for by these Business Associate Terms;

(c) Report to the Plan any Use or Disclosure of Protected Health Information not provided for by these Business Associate Terms of which it becomes aware, including any Breach of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware as soon as reasonably possible, but in no case later than within ten (10) business days. Notice is hereby deemed provided, and no further notice will be provided, of unsuccessful attempts at such unauthorized access, use or disclosure, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above, so long as no such incident results in unauthorized access to, or use or disclosure of, the Plan's electronic PHI;

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information, including Electronic Protected Health Information, on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;

(e) Make available Protected Health Information in a Designated Record Set to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.524;

(f) Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Plan pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy the Plan’s obligations under 45 CFR 164.526;

(g) Maintain and make available the information required to provide an accounting of Disclosures to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.528;

(h) To the extent the Business Associate is to carry out one or more of the Plan’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Plan in the performance of such obligation(s); and

(i) Make its internal practices, books, and records relating to the Use and Disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, the Plan available to the Secretary for purposes of determining the Plan’s compliance with the HIPAA Rules.

3 Permitted Uses and Disclosures by Business Associate

(a) General Use and Disclosure Provisions

Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, the Plan, as specified in the Master Services Agreement, as amended or renewed from time to time, provided that such Use or Disclosure would not violate the HIPAA Rules.

(b) Specific Use and Disclosure Provisions

Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate or to carry out its legal responsibilities, provided either that the Disclosures are Required By Law, or that Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and furthermore, that the person will notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

Business Associate may use Protected Health Information to provide Data Aggregation services to the Plan as permitted by 45 CFR 164.504(e)(2)(i)(B).

Business Associate may use or disclose Protected Health Information as Required By Law.

Business Associate agrees to use reasonable efforts to limit Protected Health Information when making Uses and Disclosures and requests for Protected Health Information to the Minimum Necessary to accomplish the intended purpose of the Use, Disclosure, or request, in accordance with 45 CFR 164.502(b).

Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR Part 164 if done by the Plan, except for the specific Uses and Disclosures set forth above.

4 Obligations of Plan

(a) The Plan shall notify Business Associate of any limitation(s) in its Notice of Privacy

Practices under 45 CFR 164.520, to the extent that such limitation may affect Business

Associate's Use or Disclosure of Protected Health Information.

(b) The Plan shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate's Use or Disclosure of Protected Health Information.

(c) The Plan shall notify Business Associate of any restriction on the Use or Disclosure of Protected Health Information that the Plan has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of Protected Health Information.

(d) The Plan shall not request Business Associate to use or disclose Protected Health

Information in any manner that would not be permissible under Subpart E of 45 CFR

Part 164 if done by the Plan, except for any Use or Disclosure for data aggregation or

management and administration and legal responsibilities of the Business Associate.

5. Term and Termination‍‍

(a) Term

The Term of these Business Associate Terms shall terminate upon termination of the Master Services Agreement (including any amendment or renewal thereof), or on the date the Plan terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.

(b) Termination for Cause

Business Associate authorizes termination of these Business Associate Terms by the Plan, if the Plan determines Business Associate has violated a material term of these Business Associate Terms and Business Associate has not cured the breach or ended the violation within the time specified by the Plan.

Upon termination of these Business Associate Terms, for any reason, Business Associate, with respect to Protected Health Information received from the Plan, or created, maintained or received by Business Associate on behalf of the Plan, shall:

Retain only that Protected Health Information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

Return to the Plan, or destroy, all remaining Protected Health Information that the Business Associate still maintains in any form;

Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information to prevent Use or Disclosure of the Protected Health Information, other than as provided for in this Section, for as long as Business Associate retains the Protected Health Information;

Not use or disclose the Protected Health Information retained by Business Associate other than for purposes for which such Protected Health Information was retained and subject to the same conditions set out at Section 3, paragraphs (b)(i) and (b)(ii), which applied prior to termination; and

Return to the Plan, or destroy, the Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to the Plan notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections provided for in this Section to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

(d) Survival. The obligations of Business Associate under this Section shall survive the termination of these Business Associate Terms.

6. Miscellaneous‍

(a) Regulatory References

A reference in these Business Associate Terms to a section in the HIPAA Rules means the section as in effect or as amended.

(b) Amendment

Business Associate will use best efforts to take such action as is necessary to amend these Business Associate Terms from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. Accordingly, these Business Associate Terms may be amended by Business Associate from time to time, in compliance with the requirements of the HIPAA Rules and any other applicable law.

Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

(d) Integration

These Business Associate Terms represent the entire agreement of the parties with respect to the subject matter hereof. If Business Associate and Plan Sponsor have entered into a separate Business Associate Agreement, the terms of that Business Associate Agreement will supersede these Business Associate Terms.

(e) Assignment

These Business Associate Terms are binding on, and shall inure to, the benefit of the Plan and Business Associate and their respective legal representatives, successors and permitted assigns.

(f) Conflicts

To the extent required under the HIPAA Rules, the terms and conditions of these Business Associate Terms shall prevail in the event these Business Associate Terms conflict with any provision of the Master Services Agreement.