Business Associate Agreement
HIPAA-compliant Business Associate Agreement for healthcare organizations using the LIAM platform for remote patient monitoring and security operations.
Important: This is a template BAA. It must be reviewed by your legal counsel and executed by authorized representatives of both parties before it becomes binding. Contact [email protected] to initiate the BAA execution process.
Preamble
This Business Associate Agreement ("BAA") is entered into by and between the healthcare organization identified in the applicable Order Form ("Covered Entity") and EvanstonTEC LLC, doing business as LIAM Platform ("Business Associate"), effective as of the date of the last signature below (the "Effective Date").
This BAA supplements and is incorporated into the Terms of Service and any applicable Order Form between the parties. In the event of a conflict between this BAA and the Terms of Service regarding the handling of Protected Health Information, this BAA shall control.
1. Definitions
Capitalized terms used but not defined in this BAA shall have the meanings assigned to them under HIPAA, the HITECH Act, and their implementing regulations (collectively, "HIPAA Rules"). The following terms have the specific meanings set forth below:
"Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103, that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
"Electronic Protected Health Information" or "ePHI" means PHI that is transmitted or maintained in electronic media, as defined in 45 CFR § 160.103.
"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.
"Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402.
2. Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the underlying service agreement, or as required by law. Business Associate may use or disclose PHI: (a) to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the service agreement; (b) for the proper management and administration of Business Associate; and (c) to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
2.2 Safeguards
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, in accordance with 45 CFR Part 164, Subpart C. These safeguards include but are not limited to: AES-256 encryption at rest for all PHI stored in databases and file systems; TLS 1.2 or higher for all PHI in transit; role-based access controls with the principle of least privilege; multi-factor authentication for all personnel accessing PHI; comprehensive audit logging of all PHI access and modifications; automated threat detection and incident response; regular vulnerability scanning and penetration testing; and multi-tenant data isolation with cryptographic verification.
2.3 Reporting
Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Breach of Unsecured PHI as required by 45 CFR § 164.410, and any Security Incident of which it becomes aware, as required by 45 CFR § 164.314(a)(2)(i)(C). Business Associate shall report any Breach within twenty-four (24) hours of discovery, which is more protective than the HIPAA Rules' outer limit of sixty (60) calendar days after discovery. Reports shall include, to the extent known at the time of the report and supplemented promptly as further information becomes available: the nature and extent of the PHI involved, including the types of identifiers; the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed; a description of what Business Associate is doing to investigate, mitigate, and prevent future occurrences; and contact information for individuals who can provide additional information.
2.4 Subcontractors
Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA. Business Associate maintains a current list of subcontractors with access to PHI, available upon request.
2.5 Access to PHI
Business Associate shall make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, within fifteen (15) business days of a request, to satisfy Covered Entity's obligations under 45 CFR § 164.524.
2.6 Amendment of PHI
Business Associate shall make any amendments to PHI in a Designated Record Set as directed by Covered Entity within fifteen (15) business days, in accordance with 45 CFR § 164.526.
2.7 Accounting of Disclosures
Business Associate shall maintain and make available information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business Associate shall maintain such information for a period of six (6) years from the date of the disclosure.
3. Obligations of Covered Entity
Covered Entity shall: (a) notify Business Associate of any limitations in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI; (b) notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI; (c) notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522; and (d) not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
4. Term and Termination
4.1 Term
This BAA shall be effective as of the Effective Date and shall terminate when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with Section 4.3 below.
4.2 Termination for Cause
Either party may terminate this BAA if it determines that the other party has violated a material term of this BAA. The non-violating party shall provide written notice of the violation and allow thirty (30) days for the other party to cure. If the violation is not cured within thirty (30) days, the non-violating party may terminate this BAA.
4.3 Effect of Termination
Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, within thirty (30) days. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
5. LIAM Platform-Specific Provisions
The following provisions are specific to the LIAM platform's role in healthcare monitoring:
Remote Patient Monitoring Data: When the LIAM platform is used for remote patient monitoring (RPM) in connection with SASH Homes or similar healthcare deployments, PHI includes vital sign measurements, device readings, patient identifiers, care plan data, and clinical notes. Business Associate shall process this data only for the purposes of providing RPM services, generating clinical alerts, and supporting Medicare billing documentation.
AI Processing: The LIAM platform uses artificial intelligence for threat detection, anomaly identification, and predictive analytics. When AI models process PHI, Business Associate shall ensure that: PHI is not used to train general-purpose AI models; AI processing occurs within the same security boundary as other PHI processing; and AI-generated outputs are treated as PHI when they contain, or are derived from, individually identifiable health information.
Multi-Tenant Isolation: The LIAM platform operates in a multi-tenant architecture. Business Associate shall ensure that each Covered Entity's PHI is logically isolated from other tenants' data through organization-scoped database queries, tenant-specific encryption keys, and the Cross-Tenant Isolation Proof system that provides cryptographic verification of data boundary integrity.
6. Miscellaneous
Regulatory References. Any reference in this BAA to a section of the HIPAA Rules means the section as in effect or as amended. The parties agree to take such action as is necessary to amend this BAA to comply with changes in the HIPAA Rules.
Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
Governing Law. This BAA shall be governed by the laws of the State of Illinois, to the extent not preempted by federal law.
7. Execution
To execute this BAA, please contact:
EvanstonTEC LLC — Legal Department
1452 East 53rd Street, 2nd Floor
Chicago, IL 60615
Email: [email protected]
Enterprise and Professional plan customers may request BAA execution at no additional cost.
