Business Associate Agreement
This Business Associate Agreement (the "BAA") is entered into as of May 11, 2026 by and between:
23blocks Inc., a Delaware corporation ("Business Associate" or "23blocks"), and
[CUSTOMER LEGAL NAME] ("Covered Entity" or "Customer").
This BAA supplements and is part of the Terms of Service or Master Services Agreement and any applicable Order Document(s) between 23blocks and Customer (collectively, the "Services Agreement").
Recitals
A. Covered Entity is a HIPAA "Covered Entity" or a HIPAA "Business Associate" with respect to certain protected health information ("PHI") as those terms are defined in 45 C.F.R. § 160.103.
B. 23blocks provides services to Covered Entity that may involve creating, receiving, maintaining, or transmitting PHI on Covered Entity's behalf. In the course of those services, 23blocks may be deemed a HIPAA "Business Associate" within the meaning of 45 C.F.R. § 160.103.
C. The Parties enter into this BAA to comply with HIPAA, the HITECH Act, and the implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, the "HIPAA Rules").
NOW, THEREFORE, the Parties agree as follows.
1. Definitions
Capitalized terms used but not defined in this BAA have the meanings given to them in the HIPAA Rules. The following terms have the meanings below:
- "Breach" has the meaning given in 45 C.F.R. § 164.402.
- "Designated Record Set" has the meaning given in 45 C.F.R. § 164.501.
- "Electronic PHI" or "ePHI" has the meaning given in 45 C.F.R. § 160.103, limited to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
- "Individual" has the meaning given in 45 C.F.R. § 160.103.
- "PHI" means Protected Health Information as defined in 45 C.F.R. § 160.103, limited to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
- "Required by Law" has the meaning given in 45 C.F.R. § 164.103.
- "Security Incident" has the meaning given in 45 C.F.R. § 164.304.
- "Subcontractor" has the meaning given in 45 C.F.R. § 160.103.
- "Unsecured PHI" has the meaning given in 45 C.F.R. § 164.402.
2. Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as permitted by this BAA or as Required by Law. Specifically:
(a) Business Associate may use and disclose PHI to perform the services described in the Services Agreement.
(b) Business Associate may use PHI for the proper management and administration of Business Associate or to carry out Business Associate's legal responsibilities.
(c) Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out Business Associate's legal responsibilities, provided that disclosures are Required by Law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and the recipient notifies Business Associate of any breach.
(d) Business Associate may use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity, as that term is defined in 45 C.F.R. § 164.501.
(e) Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c) and use the de-identified data for any lawful purpose.
2.2 Prohibited Uses and Disclosures
Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except as set forth in §2.1.
2.3 Safeguards
Business Associate shall implement appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as permitted by this BAA. With respect to ePHI, Business Associate shall comply with 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316.
2.4 Reporting
(a) Use or Disclosure Not Permitted. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which Business Associate becomes aware, without unreasonable delay and in no event more than ten (10) business days after becoming aware of it.
(b) Security Incidents. Business Associate shall report to Covered Entity any Security Incident affecting ePHI of which Business Associate becomes aware. The Parties acknowledge that unsuccessful Security Incidents (e.g., pings or port scans on Business Associate's firewall) occur frequently; this paragraph constitutes Business Associate's standing notice of such unsuccessful incidents, and no further reporting of them is required. Only successful Security Incidents involving actual unauthorized acquisition, access, use, or disclosure of ePHI need be specifically reported under §2.4(c).
(c) Breach. Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no event more than thirty (30) calendar days from the date Business Associate discovers the Breach. Business Associate's report shall include, to the extent then known:
- (i) identification of each Individual whose Unsecured PHI was Breached;
- (ii) a description of what happened;
- (iii) a description of the types of Unsecured PHI involved;
- (iv) any steps Individuals should take to protect themselves;
- (v) what Business Associate is doing to investigate, mitigate, and prevent recurrence; and
- (vi) contact information.
2.5 Subcontractors
In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI.
A current list of Business Associate's Subcontractors that have access to PHI is available at 23blocks.com/legal/subprocessors. Business Associate may add or change Subcontractors with thirty (30) days' written notice; Covered Entity may object on reasonable grounds, in which case Business Associate will use commercially reasonable efforts to address the concern, failing which Covered Entity's exclusive remedy is to terminate the affected Service Line.
2.6 Access to PHI
Within fifteen (15) business days of a written request by Covered Entity for access to the PHI in a Designated Record Set, Business Associate shall make such information available to Covered Entity (or, as directed by Covered Entity, to the Individual) so that Covered Entity can comply with 45 C.F.R. § 164.524.
2.7 Amendment of PHI
Within thirty (30) business days of a written request by Covered Entity for amendment of PHI in a Designated Record Set, Business Associate shall make such amendment to the PHI so that Covered Entity can comply with 45 C.F.R. § 164.526.
2.8 Accounting of Disclosures
Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528. Within thirty (30) business days of Covered Entity's written request, Business Associate shall provide Covered Entity with such information.
2.9 Government Access
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services (HHS) for purposes of determining Covered Entity's compliance with the HIPAA Rules.
2.10 Mitigation
Business Associate shall use reasonable efforts to mitigate any harmful effect known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this BAA.
2.11 Minimum Necessary
Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 C.F.R. § 164.502(b).
3. Obligations of Covered Entity
3.1 Notice of Privacy Practices
Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520 and any changes to such notice that may affect Business Associate's use or disclosure of PHI.
3.2 Permissions
Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted uses or disclosures.
3.3 Restrictions
Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522, to the extent such restriction may affect Business Associate's use or disclosure of PHI.
3.4 Permissible Requests
Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
3.5 PHI Submitted to Services
Covered Entity shall ensure that PHI is submitted to the 23blocks Services only through the channels and configurations agreed in writing for handling PHI. Covered Entity shall not place PHI in deployment options, regions, or workflows not agreed in writing.
4. Term and Termination
4.1 Term
This BAA is effective on the Effective Date and continues for the duration of the Services Agreement and until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity in accordance with §4.4.
4.2 Termination for Cause
Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide written notice to Business Associate. Business Associate has thirty (30) days to cure the breach or end the violation. If Business Associate does not cure within the thirty-day period, Covered Entity may terminate this BAA and the Services Agreement to the extent it relates to PHI.
4.3 Reciprocal
Business Associate has reciprocal cure-and-terminate rights for material breach by Covered Entity.
4.4 Effect of Termination
Upon termination of this BAA, Business Associate shall, at Covered Entity's election:
(a) Return all PHI in Business Associate's possession to Covered Entity in a mutually agreed format; OR
(b) Destroy all PHI per 45 C.F.R. § 164.310(d)(2)(i)–(ii) and provide written certification of destruction.
If return or destruction is infeasible, Business Associate shall extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.
5. Indemnification
Customer indemnifies 23blocks per ToS §22.2 for HIPAA-related claims arising out of (a) Customer's placement of PHI in the Services in violation of this BAA or the Services Agreement, (b) Customer's failure to comply with Covered Entity's HIPAA obligations, or (c) Customer's actions or omissions that result in a Breach not caused by Business Associate.
6. Miscellaneous
6.1 Regulatory References
A reference to a section in the HIPAA Rules is a reference to that section as it may be amended.
6.2 Amendments
The Parties shall amend this BAA from time to time as necessary to comply with changes in the HIPAA Rules. The Parties will negotiate in good faith.
6.3 Survival
The respective rights and obligations of the Parties under §4.4 (Effect of Termination), §5 (Indemnification), and §6 (Miscellaneous) survive termination of this BAA.
6.4 Interpretation
Any ambiguity in this BAA shall be resolved to permit the Parties to comply with the HIPAA Rules.
6.5 Inconsistencies
In the event of any inconsistency between this BAA and the Services Agreement, this BAA controls solely with respect to the use, disclosure, and protection of PHI. The Services Agreement controls in all other respects.
6.6 Notices and Governing Law
Notices follow ToS §25.8. Governing law follows ToS §25.10 (Delaware).
6.7 No Third-Party Beneficiaries
This BAA does not create any rights in any third party, including Individuals.
7. Acceptance and Signatures
| 23blocks Inc. (Business Associate) | [Customer Legal Name] (Covered Entity) |
|---|---|
| Signature: _______________________ | Signature: _______________________ |
| Name: Juan Pelaez | Name: ___________________________ |
| Title: CTO | Title: ___________________________ |
| Date: ____________________________ | Date: ____________________________ |
| Signature: _______________________ | |
| Name: Yuliana Merchan | |
| Title: CFO | |
| Date: ____________________________ | |