Hint Health Partner BAA

LAST UPDATED: [February 12, 2026]

This Business Associate Agreement (“BAA”) is by and between Hint Health, Inc. (“Business Associate”) and the entity employing, contracting or retaining you, or on whose behalf you are providing services as described below (collectively, “Contractor”) (each a “Party” and collectively, the “Parties”). You represent, warrant and agree that you are authorized to enter into this Agreement on behalf of Contractor and to bind yourself and Contractor to the terms and conditions herein. This BAA is effective as of the date when Contractor first selects a box or button indicating acceptance of this Agreement (“Effective Date”).

RECITALS

WHEREAS, Contractor intends to integrate its services with Business Associate’s application programming interfaces and related technology in order to enable Covered Entities served by Business Associate to access Contractor’s services through Business Associate’s software, and in performing such integration and providing such services, Contractor may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Business Associate;

WHEREAS, the Parties intend to protect the privacy and provide for the security of the PHI Disclosed (as defined below) by Business Associate to Contractor, or created, received, maintained, or transmitted by Contractor, when providing services. Such PHI will be protected in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (Public Law 111-005) (the “HITECH Act”) and its implementing regulations and guidance issued by the Secretary of the U.S. Department of Health and Human Services (“Secretary”) (collectively, the “HIPAA Regulations”); and

WHEREAS, Business Associate is required under the HIPAA Regulations to enter into a Business Associate Agreement that meets certain requirements with respect to the Use (as defined below) and Disclosure of PHI, which are met by this BAA. Accordingly, Contractor agrees to comply with this BAA.

In consideration of the Recitals and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:

DEFINITIONS

The following terms shall have the respective meanings set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in the HIPAA Regulations.

1. “Breach” shall have the meaning given to such term under 45 C.F.R. § 164.402 and applicable state law.

2. “Designated Record Set” shall have the meaning given to such term under 45 C.F.R. § 164.501.

3. “Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Contractor or to other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.

4. “Electronic PHI” or “e-PHI” means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.

5. “Protected Health Information” and “PHI” mean any information, whether oral or recorded in any form or medium, provided by Business Associate to Contractor, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health Information includes e-PHI.

6. “Required by Law” shall have the meaning given to such term under 45 C.F.R. § 164.103.

7. “Security Incident” shall have the meaning given to such term under 45 C.F.R. § 164.304.

8. “Services” shall mean the services or functions performed by Contractor for or on behalf of Business Associate pursuant to any service agreement(s) between Business Associate and Contractor which may be in effect now or from time to time (“Underlying Agreement”), or, if no such agreement is in effect, the services or functions performed by Contractor that constitute a “Contractor” relationship, as set forth in 45 C.F.R. § 160.103.

9. “Unsecured PHI” shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and guidance issued pursuant to the HITECH Act including, but not limited to the guidance issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009) by the Secretary.

10. “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Contractor’s internal operations, as set forth in 45 C.F.R. § 160.103.

11. “Workforce” shall have the meaning given to such term under 45 C.F.R. § 160.103.

OBLIGATIONS OF Contractor

2.1. Permitted Uses and Disclosures of Protected Health Information. Contractor shall not Use or Disclose PHI created, received, maintained, or transmitted for or on behalf of Business Associate except to perform the Services required by any Underlying Agreement, or as permitted by this BAA or Required by Law. Contractor shall not Use or Disclose PHI in any manner that would constitute a violation of the HIPAA Regulations if so Used or Disclosed by Business Associate. Without limiting the generality of the foregoing, Contractor is permitted to Use and Disclose PHI for the proper management and administration of Contractor or to carry out the legal responsibilities of Contractor, provided that with respect to any such Disclosure either: (a) the Disclosure is Required by Law; or (b) Contractor obtains a written agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not Use or further Disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Contractor to such person, and that such person will notify Contractor of any instances of which it is aware in which the confidentiality of the PHI has been breached. To the extent permitted in the Underlying Agreement or otherwise approved in writing by Business Associate, Contractor may Use PHI to provide data aggregation services to Business Associate relating to the health care operations of Business Associate. Contractor is permitted to Use PHI to create de-identified information, provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified. Once PHI has been de-identified pursuant to 45 CFR 164.514(b), such information is no longer PHI subject to this Agreement.

2.2. Adequate Safeguards of PHI. Contractor agrees to use appropriate safeguards and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to e-PHI, to prevent use or disclosure of the information other than as provided for by this BAA.

2.3. Mitigation. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of PHI by Contractor in violation of the requirements of this BAA.

2.4. Reporting Security Incidents and Non-Permitted Uses or Disclosures. Contractor shall notify Business Associate of any Use or Disclosure by Contractor or its Subcontractors that is not permitted by this BAA and each Security Incident, including Breaches of Unsecured PHI, within five (5) calendar days of discovery, in accordance with the notice provisions set forth herein. Notwithstanding the foregoing, Contractor and Business Associate acknowledge the ongoing existence and occurrence of attempted but ineffective Security Incidents that are trivial in nature, such as pings and other broadcast service attacks, and Business Associate acknowledges and agrees that no additional notification to Business Associate of such ineffective Security Incidents is required, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. Contractor shall investigate each unauthorized access, acquisition, Use or Disclosure of PHI that it creates, receives, maintains, or transmits for or on behalf of Business Associate. If such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI, then Contractor shall comply with the requirements of Section 2.5 below.

2.5 Breach of Unsecured PHI. Contractor shall provide a written report to Business Associate of such Breach without unreasonable delay but no later than five (5) business days after discovery of the Breach. Contractor shall be deemed to have discovered a Breach as of the first day that the Breach is either known to Contractor or any of its Workforce or agents, other than the person who committed the Breach, or by exercising reasonable diligence should have been known to Contractor or any of its Workforce or agents, other than the person who committed the Breach. To the extent the information is available to Contractor, Contractor’s written notice shall include the information required by 45 C.F.R. §164.410(c). Contractor shall promptly supplement the written report with additional information regarding the Breach as it obtains such information. Contractor shall cooperate with Business Associate in meeting Business Associate’s obligations with respect to such Breach. Business Associate shall have sole control over the timing and method of providing notification of such Breach to the affected individual(s), the Secretary and, if applicable, the media. Contractor shall reimburse Business Associate for its reasonable costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of mitigating the harm (which may include the costs of obtaining credit monitoring services and identity theft insurance) for affected individuals whose PHI has or may have been compromised as a result of the Breach.

2.6. Delegated Responsibilities. To the extent that Contractor carries out one or more of Business Associate’s obligations under Subpart E of 45 C.F.R. Part 164, Contractor must comply with the requirements of Subpart E that apply to Covered Entities in the performance of such obligations.

2.7. Availability of Internal Practices, Books, and Records to Government. Contractor agrees to make its internal practices, books and records relating to the Use and Disclosure of Business Associate’s PHI available to the Secretary for purposes of determining Business Associate’s compliance with the HIPAA Regulations. Contractor shall immediately notify Business Associate of any such requests by the Secretary and, upon Business Associate’s request, provide Business Associate with any copies of documents Contractor provided to the Secretary.

2.8. Access to and Amendment of Protected Health Information. To the extent that Contractor maintains a Designated Record Set on behalf of Business Associate and within ten (10) calendar days of such request by Business Associate, Contractor shall (a) make the PHI it maintains (or which is maintained by its Subcontractors) in such Designated Record Set available to Business Associate for inspection and copying or, if requested by Business Associate, to an individual, to enable Business Associate to fulfill its obligations under 45 C.F.R. § 164.524; and (b) amend the PHI it maintains (or which is maintained by its Subcontractors) in such Designated Record Set to enable Business Associate to fulfill its obligations under 45 C.F.R. § 164.526. If Contractor maintains PHI in a Designated Record Set electronically, Contractor shall provide such information in the electronic form and format requested by Business Associate if it is readily reproducible in such form and format, and, if not, in such other form and format agreed to by Business Associate to enable Business Associate to fulfill its obligations under 45 C.F.R. § 164.524(c)(2).

2.9. Accounting. Contractor agrees to document such disclosures of PHI and information related to such disclosures as would be required for Business Associate to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Within ten (10) calendar days of receipt of a request from Business Associate or an individual for an accounting of disclosures of PHI, Contractor and its Subcontractors shall make available to Business Associate the information required to provide an accounting of disclosures to enable Business Associate to fulfill its obligations under 45 C.F.R. § 164.528.

2.10. Use of Subcontractors. Contractor shall require each of its Subcontractors that creates, receives, maintains, or transmits PHI on behalf of Contractor, to execute a written agreement that includes the same restrictions and conditions that apply to Contractor under this BAA with respect to PHI.

2.11. Audit. Upon a 45-day advance written notice, but not more than once per year or in response to a suspected or confirmed Breach, Business Associate shall have the right to audit and monitor all applicable activities and records of Contractor to determine Contractor's compliance with the requirements relating to the creation or Use and Disclosure of PHI as it relates to the privacy and security sections of this BAA. Contractor shall promptly remedy any violation of any term of this BAA and shall certify the same to Business Associate in writing. The fact that Business Associate has the right to inspect, inspects, or fails to inspect Contractor’s facilities, systems, and procedures, does not relieve Contractor of its responsibility to comply with this BAA, regardless of whether Business Associate detects or fails to detect a violation by Contractor, nor does it constitute Business Associate’s acceptance of such practices or waiver of Business Associate’s rights under this BAA.

2.12. Minimum Necessary. Contractor (and its Subcontractors) shall, to the extent practicable, limit its request, Use, or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure, in accordance with 42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder.

2.13 Assistance in Litigation or Administrative Proceedings. Contractor shall make itself, and any Subcontractors, employees, or agents assisting Contractor in the performance of its obligations under the Underlying Agreement, available to Business Associate, at no cost to Business Associate, to testify in any claim commenced against Business Associate, its directors, officers, or employees based upon claimed violation by Contractor or its agents or Subcontractors of the HIPAA Regulations, except where Contractor or its Subcontractor, employee, or agent is a named adverse party.

TERM AND TERMINATION

3.1. Term. The term of this BAA shall be effective as of the Effective Date and shall remain in effect until all of the PHI provided by Business Associate to Contractor, or created or received by Contractor on behalf of Business Associate, is destroyed or returned to Business Associate, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with Section 3.3.

3.2. Termination for Cause. In addition to and notwithstanding the termination provisions set forth in any Underlying Agreement, upon Business Associate’s knowledge of a material breach or violation of this BAA by Contractor, Business Associate shall either: (a) Notify Contractor of the breach in writing, and provide an opportunity for the Contractor to cure the breach or end the violation within thirty (30) days of such notification; provided that if Contractor fails to cure the breach or end the violation within such time period to the satisfaction of Business Associate, Business Associate may immediately terminate this BAA upon written notice to Contractor; or (b) Upon thirty (30) days written notice to Contractor, immediately terminate this BAA and any Underlying Agreement if Business Associate determines that such breach cannot be cured.

3.3. Disposition of Protected Health Information Upon Termination. Upon termination or expiration of this BAA, Contractor shall either return or destroy all PHI received from, or created or received by Contractor on behalf of Business Associate, that Contractor still maintains in any form and retain no copies of such PHI. If Business Associate requests that Contractor return PHI, PHI shall be returned in a mutually agreed upon format and timeframe, at no additional charge to Business Associate. Upon request, Contractor shall certify in writing that all PHI has been returned or destroyed. In the event that Contractor believes that returning or destroying PHI is not feasible, Contractor shall notify Business Associate in writing of the condition that makes return or destruction infeasible. If Business Associate agrees that return or destruction of the PHI is infeasible, Contractor shall extend the protections of this BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Contractor maintains such PHI. Contractor agrees that its obligation with regard to notifying Business Associate of any potential Breach will also extend indefinitely beyond the term of this BAA.

MISCELLANEOUS

4.1 Governing Law; Venue. This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict-of-law provisions. The parties agree that any dispute arising out of or relating to this Agreement shall be resolved exclusively in the state or federal courts located in the State of Delaware, and each party irrevocably submits to the personal jurisdiction and venue of such courts.

4.2. Amendment to Comply with Law. To the extent applicable, amendments or modification to the HIPAA Regulations may require amendments to certain provisions of this BAA. Amendments shall only be effective if executed in writing and signed by a duly authorized representative of each Party.

4.3. Relationship to Underlying Agreement Provisions. In the event that a provision of this BAA is contrary to a provision of an Underlying Agreement, the provision of this BAA shall control. Otherwise, this BAA shall be construed under, and in accordance with, the terms of such Underlying Agreement, and shall be considered an amendment of and supplement to such Underlying Agreement.

4.4. Indemnification. Notwithstanding anything to the contrary which may be contained in any Underlying Agreement, including but not limited to any limitations on liability contained therein, Contractor hereby agrees to indemnify and hold harmless Business Associate, its affiliates, and their respective officers, directors, managers, members, shareholders, employees and agents from and against any and all fines, penalties, damages, claims or causes of action and expenses (including, without limitation, court costs and attorney’s fees) arising from or related to (i) any acts or omissions in violation of the HIPAA Regulations, other applicable law, or this BAA by Contractor or its Workforce, agents, or Subcontractors; or (ii) a Breach. Business Associate shall be entitled to enjoin and restrain Contractor from any continued violation of this BAA.

4.5. Notices. Any notices or communications hereunder shall be in writing by certified mail, return receipt requested, or delivered by a nationally recognized courier service with delivery confirmation, such as FedEx, or by facsimile (with evidence of receipt) at the addresses that follow the signature blocks at the end of this BAA.

4.6. Relationship of Parties. Notwithstanding anything to the contrary in any Underlying Agreement, Contractor is an independent contractor and not an agent of Business Associate under this BAA. Contractor has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all Contractor obligations under this BAA.

4.7. Interpretation. This BAA shall be interpreted as broadly as necessary to implement and comply with the HIPAA Regulations. The Parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with such laws and regulations.

4.8. Regulatory References. A reference in this BAA to a section in the HIPAA Regulations means the section as in effect or as amended, and for which compliance is required.

4.9. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

4.10. Insurance. In addition to any general and/or professional liability insurance required of Contractor, Contractor agrees to obtain and maintain, at its sole expense, liability insurance on an occurrence basis, covering any and all claims, liabilities, demands, damages, losses, costs and expenses arising from a breach of the obligations of Contractor, its Workforce, agents and Subcontractors under this BAA. Such insurance coverage will be maintained for the term of this BAA, and a copy of such policy or a certificate evidencing the policy shall be provided to Business Associate promptly upon request. Contractor shall notify Business Associate immediately in the event of a lapse, cancellation, or material modification of such coverage.

4.11. State Privacy Laws. Contractor shall comply with all applicable international, federal, and state data privacy and security laws.

4.12. Data Ownership. Contractor acknowledges that Contractor has no ownership rights with respect to the PHI and any information derived from the PHI.

4.13. No Offshore Work. In performing the functions, activities, or services for, or on behalf of, Business Associate, Contractor shall not, and shall not permit any of its Subcontractors, to transmit or make available any PHI to any entity or individual outside the United States without the prior written consent of Business Associate.

4.14. Counterparts; Electronic Signatures. This BAA may be executed in one or more counterparts, all of which together shall constitute only one agreement. If any signature is delivered by facsimile or email or is signed in any electronic format, such signature shall create a valid and binding obligation with the same force and effect as if such signature were handwritten.

4.15. Survival. The respective rights and obligations of the Parties under Sections 2.4, 2.5, 2.9, 2.13, 3.3, and 4.3 of this BAA shall survive the termination of this BAA.