Legal · HIPAA Compliance
Business Associate Agreement
Effective date: May 9, 2026 · Version 1.0
This Business Associate Agreement ("BAA") is entered into between Deploy Holdings, Inc., doing business as SleepVigil ("Business Associate"), and the healthcare provider or covered entity ("Covered Entity") that executes this agreement through the SleepVigil provider enrollment process.
This BAA becomes effective upon digital signature during the provider partnership intake at sleepvigil.com. Both parties acknowledge that electronic signatures carry the same legal weight as ink signatures under the ESIGN Act and UETA.
1. Definitions
Terms used but not defined in this BAA shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164).
- "Protected Health Information" (PHI) — individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
- "Electronic PHI" (ePHI) — PHI maintained in or transmitted by electronic media.
- "Security Incident" — the attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI or interference with system operations in an information system.
- "Breach" — as defined in 45 CFR § 164.402.
2. Obligations of Business Associate
2.1 Permitted uses and disclosures
Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, as required by law, or as otherwise authorized by the Covered Entity in writing.
2.2 Safeguards
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, including:
- Encryption of ePHI at rest (AES-256) and in transit (TLS 1.3).
- Role-based access controls with unique user identification.
- Audit logging of all access to PHI.
- Regular vulnerability assessments and penetration testing.
- Workforce training on HIPAA Security and Privacy Rules.
2.3 Subcontractors
Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate under this BAA.
2.4 Reporting
Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Security Incident or Breach. Reporting shall occur without unreasonable delay and in no event later than 30 calendar days after discovery.
2.5 Access to PHI
Business Associate shall make PHI available to the Covered Entity as necessary to satisfy the Covered Entity's obligations under 45 CFR § 164.524 (individual access to PHI).
2.6 Amendment of PHI
Business Associate shall make PHI available for amendment and incorporate amendments to PHI as directed by Covered Entity pursuant to 45 CFR § 164.526.
2.7 Accounting of disclosures
Business Associate shall make information available as required to provide an accounting of disclosures in accordance with 45 CFR § 164.528.
2.8 HHS access
Business Associate shall make its internal practices, books, and records relating to PHI available to the Secretary of HHS for determining Covered Entity's compliance with HIPAA.
3. Permitted uses and disclosures
Business Associate may use and disclose PHI as follows:
- Treatment, Payment, and Operations: To perform services on behalf of Covered Entity as described in the provider partnership agreement, including continuous SpO₂ monitoring, therapy verification, clinical alerting, and reporting.
- Management and administration: For proper management and administration of Business Associate, provided disclosures are required by law or Business Associate obtains reasonable assurances from the recipient.
- De-identification: To de-identify PHI in accordance with 45 CFR § 164.514(a)–(c) for quality improvement, research, and platform development.
4. Obligations of Covered Entity
- Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices that affect Business Associate's use or disclosure of PHI.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, individual authorizations.
- Covered Entity shall not request Business Associate to use or disclose PHI in any manner not permissible under HIPAA.
5. Breach notification
In the event of a Breach of Unsecured PHI, Business Associate shall:
- Notify Covered Entity within 30 calendar days of discovery.
- Include in such notification: identification of each individual affected, a description of the PHI involved, the date of the Breach, and steps taken to mitigate harm.
- Cooperate with Covered Entity in meeting notification obligations to affected individuals and HHS.
Incident response: Business Associate maintains a documented incident response plan reviewed annually. Security incidents may be reported to security@sleepvigil.com.
6. Term and termination
6.1 Term
This BAA is effective upon digital execution and shall remain in effect for the duration of the provider partnership agreement, unless terminated earlier as described below.
6.2 Termination for cause
Either party may terminate this BAA if the other party materially breaches its terms, provided the breaching party is given 30 days' written notice and an opportunity to cure.
6.3 Return or destruction of PHI
Upon termination, Business Associate shall return or destroy all PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
7. Miscellaneous
- Governing law: This BAA shall be governed by federal HIPAA regulations and, to the extent not preempted, the laws of the State of Delaware.
- Amendment: This BAA may be amended only in writing signed by both parties. Regulatory changes that require modification of this BAA shall be deemed incorporated automatically.
- Survival: The obligations of Business Associate under Sections 2 and 5 shall survive termination of this BAA.
- No third-party beneficiaries: Nothing in this BAA shall confer rights upon any third party.
8. Contact
For questions about this BAA or HIPAA compliance:
SleepVigil Privacy Office — Deploy Holdings, Inc.
Email: privacy@sleepvigil.com
Security incidents: security@sleepvigil.com
Web: sleepvigil.com