Business Associate Addendum

If the parties have agreed for Customer to provide Lumos AI Labs with PHI under Section 2.5 of the Master Services Agreement, then this Business Associate Addendum (“BAA”) is entered into as of the Effective Date by and between Customer and Lumos AI Labs, Corp. (“Business Associate”) and will form part of the Agreement.

WHEREAS, Business Associate performs certain services for or on behalf of Customer, and in performing said services, Business Associate creates, receives, maintains, or transmits Protected Health Information (“PHI”);

WHEREAS, the Parties intend to protect the privacy and provide for the security of the PHI Disclosed (as defined below) by Customer to Business Associate, or created, received, maintained, or transmitted by Business Associate, when providing services. Such PHI will be protected in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (Public Law 111-005) (the “HITECH Act”) and its implementing regulations and guidance issued by the Secretary of the U.S. Department of Health and Human Services (“Secretary”) (collectively, the “HIPAA Regulations”); and

WHEREAS, Customer is a covered entity or business associate as such terms are defined under the HIPAA Regulations and as such is required to comply with the requirements thereof regarding confidentiality and privacy of PHI. Accordingly, to the extent Business Associate is functioning as a business associate (or subcontractor business associate, as applicable) of Customer, Business Associate agrees to comply with this BAA.

WHEREAS, this BAA applies only to the extent the customer identified above is a “covered entity” or “business associate” as those terms are defined in the HIPAA Regulations.

In consideration of the Recitals and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
  1. DEFINITIONS. The following terms shall have the respective meanings set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in the HIPAA Regulations.

    1.1. “Breach” shall have the meaning given to such term under 45 C.F.R. § 164.402.

    1.2. “Designated Record Set” shall have the meaning given to such term under 45 C.F.R. § 164.501.

    1.3. “Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Business Associate or to other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.

    1.4. “Electronic PHI” or “e-PHI” means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.

    1.5. “Protected Health Information” and “PHI” mean any information, whether oral or recorded in any form or medium, provided by Customer to Business Associate, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health Information includes e-PHI.

    1.6. “Required by Law” shall have the meaning given to such term under 45 C.F.R. § 164.103.

    1.7. “Security Incident” shall have the meaning given to such term under 45 C.F.R. § 164.304.

    1.8. “Services” shall mean the services or functions performed by Business Associate for or on behalf of Customer pursuant to any service agreement(s) between Customer and Business Associate which may be in effect now or from time to time (“Underlying Agreement”), or, if no such agreement is in effect, the services or functions performed by Business Associate that constitute a “business associate” relationship, as set forth in 45 C.F.R. § 160.103.

    1.9. “Unsecured PHI” shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and guidance issued pursuant to the HITECH Act including, but not limited to the guidance issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009) by the Secretary.

    1.10. “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Business Associate’s internal operations, as set forth in 45 C.F.R. § 160.103.

    1.11. “Workforce” shall have the meaning given to such term under 45 C.F.R. § 160.103.
  2. OBLIGATIONS OF BUSINESS ASSOCIATE

    2.1. Permitted Uses and Disclosures of PHI. Business Associate shall not Use or Disclose PHI created, received, maintained, or transmitted for or on behalf of Customer except to perform the Services required by the Underlying Agreement, or as permitted by this BAA or Required by Law. Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of the HIPAA Regulations if so Used or Disclosed by Customer. Without limiting the generality of the foregoing, Business Associate is permitted to (i) Use and Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that with respect to any such Disclosure either: (a) the Disclosure is Required by Law; or (b) Business Associate obtains agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not Use or further Disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; (ii) Use PHI for Data Aggregation purposes; and (iii) Use PHI to create de-identified information in accordance with the requirements outlined in the HIPAA Regulations. Data that has been de-identified will no longer be subject to the terms of this BAA.

    2.2. Appropriate Safeguards of PHI. Business Associate agrees to use appropriate safeguards and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to e-PHI, to prevent use or disclosure of the information other than as provided for by this BAA.

    2.3. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this BAA.

    2.4. Reporting Breaches, Security Incidents, and Non-Permitted Uses or Disclosures. Business Associate shall promptly notify Customer of any Use or Disclosure by Business Associate or its Subcontractors that is not permitted by this BAA and each Security Incident, including Breaches of Unsecured PHI. Notwithstanding the foregoing, Business Associate and Customer acknowledge the ongoing existence and occurrence of attempted but ineffective Security Incidents that are trivial in nature, such as pings and other broadcast service attacks, and Customer acknowledges and agrees that no additional notification to Customer of such ineffective Security Incidents is required, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. If Business Associate determines that a Breach of Unsecured PHI has occurred, Business Associate shall provide a written report to Customer without unreasonable delay and no later than thirty (30) calendar days after discovery of the Breach. To the extent that information is available to Business Associate, Business Associate’s written report to Customer shall be in accordance with 45 C.F.R. § 164.410(c).

    2.5. Delegated Responsibilities. To the extent that Business Associate carries out one or more of Customer’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate must comply with the requirements of Subpart E that apply to Covered Entities in the performance of such obligations.

    2.6. Availability of Internal Practices, Books, and Records to Government. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of Customer’s PHI available to the Secretary for purposes of determining Customer’s compliance with the HIPAA Regulations.

    2.7. Access to and Amendment of Protected Health Information. To the extent that Business Associate maintains a Designated Record Set on behalf of Customer, Business Associate shall (i) make the PHI it maintains (or which is maintained by its Subcontractors) in such Designated Record Set available to Customer for inspection and copying to enable Customer to fulfill its obligations under 45 C.F.R. § 164.524 within fifteen (15) business days of a written request by Customer; and (ii) amend the PHI it maintains (or which is maintained by its Subcontractors) in such Designated Record Sets to enable Customer to fulfill its obligations under 45 C.F.R. § 164.526 within fifteen (15) business days of a written request by Customer.

    2.8. Accounting. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall provide to Customer or, at the request of Customer directly to an individual, in the time and manner designated by Customer, but in no event longer than fifteen (15) days after Business Associate’s receipt of a written request from Customer, information collected in accordance with this Section 2.8 of this BAA, to permit Customer to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

    2.9. Use of Subcontractors. Business Associate shall require each of its Subcontractors that creates, receives, maintains, or transmits PHI on behalf of Business Associate, to execute a written agreement that includes substantially the same restrictions and conditions that apply to Business Associate under this BAA with respect to PHI.

    2.10. Minimum Necessary. Business Associate (and its Subcontractors) shall, to the extent practicable, limit its request, Use, or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure, in accordance with 42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder.

    2.11. Permissible Requests. Customer shall not request Business Associate to use or disclose PHI in a manner that would violate applicable federal and state laws if such use or disclosure were made by Customer. Customer shall be compliant with all applicable laws and regulations pertaining to PHI Customer sends, or directs to be sent, to Business Associate.
  3. TERM AND TERMINATION

    3.1. Term. The term of this BAA shall be effective as of the Effective Date and shall remain in effect until all of the PHI provided by Customer to Business Associate, or created or received by Business Associate on behalf of Customer, is destroyed or returned to Customer, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with Section 3.3 of this BAA.

    3.2. Termination for Cause. In addition to and notwithstanding the termination provisions set forth in any Underlying Agreement, upon Customer’s or Business Associate’s knowledge of a material breach or violation of this BAA by the other Party, the non-breaching Party shall notify the breaching Party of the breach in writing, and provide an opportunity for the breaching Party to cure the breach or end the violation within thirty (30) days of such notification; provided that if the breaching Party fails to cure the breach or end the violation within such time period to the satisfaction of the non-breaching Party, the non-breaching Party may immediately terminate this BAA upon written notice to the breaching Party.

    3.3. Disposition of PHI Upon Termination. Upon termination or expiration of this BAA, Business Associate shall either return or destroy all PHI received from, or created or received by Business Associate on behalf of Customer, that Business Associate still maintains in any form and retain no copies of such PHI. If return or destruction is not feasible, Business Associate shall continue to extend the protections of this BAA to the PHI for as long as Business Associate retains the PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible.
  4. MISCELLANEOUS

    4.1. Customer’s Obligations. Customer shall notify Business Associate in writing of any of the following, to the extent that such limitation, change, revocation, or restriction may affect Business Associate’s Use or Disclosure of PHI: (i) any limitation(s) in Customer’s notice of privacy practices; (ii) any changes in, or revocation of, permission by an individual to Use or Disclose PHI; or (iii) any restriction to the Use or Disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522. Customer will obtain any consent or authorization that may be required by the HIPAA Regulations, or applicable state law, prior to furnishing Business Associate with PHI.

    4.2. Amendment to Comply with Law. To the extent applicable, amendments or modification to the HIPAA Regulations may require amendments to certain provisions of this BAA. Amendments shall only be effective if executed in writing and signed by a duly authorized representative of each Party.

    4.3. Relationship to Underlying Agreement Provisions. In the event that a provision of this BAA is contrary to a provision of an Underlying Agreement, the provision of this BAA shall control. Otherwise, this BAA shall be construed under, and in accordance with, the terms of such Underlying Agreement, and shall be considered an amendment of and supplement to such Underlying Agreement.

    4.4. Limitation of Liability. Each Party’s (and each of its affiliate’s) liability taken together in the aggregate, arising out of or related to the BAA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Underlying Agreement, except to the extent such liability cannot be limited under applicable laws.

    4.5. Notices. Any notices or communications hereunder shall be in writing by email to the email addresses provided below in the signature blocks.

    4.6. Relationship of Parties. Notwithstanding anything to the contrary in any Underlying Agreement, Business Associate is an independent contractor and not an agent of Customer under this BAA. Business Associate has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all Business Associate obligations under this BAA.

    4.7. Interpretation. This BAA shall be interpreted as broadly as necessary to implement and comply with the HIPAA Regulations. The Parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with such laws and regulations.

    4.8. Regulatory References. A reference in this BAA to a section in the HIPAA Regulations means the section as in effect or as amended, and for which compliance is required.

    4.9. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.