Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement") is entered into by and between Mente360, Inc. ("Business Associate") and the healthcare provider subscribing to Mente360 services ("Covered Entity"), effective as of the date the Covered Entity accepts these terms.

1. Definitions

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164).

• "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
• "Protected Health Information" (PHI) means individually identifiable health information as defined by HIPAA.
• "Electronic Protected Health Information" (ePHI) means PHI that is transmitted or maintained in electronic media.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate agrees to:

• Use or disclose PHI only as permitted or required by this Agreement, as required by law, or as otherwise authorized by Covered Entity
• Not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity
• Use appropriate safeguards and comply with the Security Rule to prevent unauthorized use or disclosure of ePHI

2.2 Safeguards

Business Associate agrees to:

• Implement administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of ePHI
• Ensure that any subcontractors agree to the same restrictions and conditions that apply to Business Associate
• Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement

2.3 Breach Notification

Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI within 30 days of discovery. The report shall include:

• Identification of individuals affected
• A description of what happened
• The types of PHI involved
• Steps taken to investigate and mitigate
• Contact information for questions

2.4 Access to PHI

Business Associate agrees to make PHI available to Covered Entity or individuals as required by HIPAA within 30 days of a request.

2.5 Amendment of PHI

Business Associate agrees to make amendments to PHI as directed by Covered Entity within 30 days of a request.

2.6 Accounting of Disclosures

Business Associate agrees to maintain and make available information required for Covered Entity to respond to requests for accounting of disclosures.

2.7 Government Access

Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance.

3. Obligations of Covered Entity

Covered Entity agrees to:

• Notify Business Associate of any limitations in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI
• Notify Business Associate of any changes in, or revocation of, authorization by individuals
• Notify Business Associate of any restrictions on use or disclosure of PHI that Covered Entity has agreed to

4. Permitted Uses and Disclosures

Business Associate may use or disclose PHI:

• To perform functions, activities, or services for Covered Entity as specified in the Mente360 Terms of Service
• For the proper management and administration of Business Associate, or to carry out legal responsibilities
• To provide Data Aggregation services relating to the healthcare operations of Covered Entity
• To de-identify PHI in accordance with 45 CFR 164.514(a)-(c)

5. Term and Termination

5.1 Term

This Agreement shall be effective upon acceptance and shall terminate when all PHI provided by Covered Entity to Business Associate is destroyed or returned.

5.2 Termination for Cause

Either party may terminate this Agreement if the other party materially breaches this Agreement and fails to cure the breach within 30 days of notice.

5.3 Effect of Termination

Upon termination:

• Business Associate shall return or destroy all PHI received from Covered Entity
• If return or destruction is not feasible, protections of this Agreement shall extend to such PHI
• Business Associate may retain PHI as required by law

6. Miscellaneous

• Regulatory References: References to HIPAA Rules include any amendments thereto.
• Amendment: This Agreement may be amended by mutual written consent.
• Survival: The obligations of Business Associate under Section 5.3 shall survive termination.
• Interpretation: Any ambiguity shall be resolved in favor of a meaning that permits compliance with HIPAA Rules.

7. Contact Information

For questions about this BAA or to report a security incident:

• Privacy Officer: privacy@gomente360.com
• Security Officer: security@gomente360.com