Business Associate Addendum

Unless a separate Business Associate Agreement has been executed by Pearly and the Provider, this Business Associate Addendum (the “Addendum”) supplements the underlying agreement, including the Terms of Use, Order Form, Privacy Policy, Disclosure Statement, and Cookie Policy (collectively “The Agreements”), between Pearly Technology Inc. and its affiliates (“Pearly”, "Company", "We", "Us") and its customer ("Customer" or “Provider”), and is intended to and shall be interpreted to ensure the parties’ compliance with the Health Insurance Portability and Accountability Act and its implementing regulations, 45 C.F.R. Part 164 (collectively “HIPAA Regulations”). The terms in The Agreements shall also apply to the parties’ performance under this Addendum to the extent the terms are not inconsistent with this Addendum.

Terms used, but not otherwise defined in this Addendum, shall have the same meaning as those terms are used in the HIPAA Regulations or in The Agreements.

1. OBLIGATIONS OF PEARLY

1.1 Pearly agrees to not use or disclose Protected Health Information other than as permitted or required by this Addendum or as required by law.

1.2 Pearly agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than as provided for by this Addendum.

1.3 Pearly agrees to report to Provider any use or disclosure of the Protected Health Information not provided for by this Addendum of which it becomes aware, including breaches of Unsecured Protected Health Information as required by 45 C.F.R. §164.410. Pearly also agrees to report to Provider any security incident, including all data breaches, related to Protected Health Information of which Pearly becomes aware; provided that the reporting requirement shall not apply to routine, unsuccessful security incidents such as port scans, pings, etc., that do not pose a material threat to the Protected Health Information.

1.4 Pearly agrees to provide access, at the request of Provider and during normal business hours, to Protected Health Information in a Designated Record Set to Provider or, as directed by Provider, to an Individual in order to meet the requirements under 45 C.F.R. §164.524, provided that Provider delivers to Pearly a written notice at least five (5) business days in advance of requesting such access.

1.5 Pearly agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Provider directs or agrees to pursuant to 45 C.F.R. §164.526, at the request of Provider or an Individual.

1.6 To the extent Pearly carries out one or more of Provider’s obligations under Subpart E of 45 C.F.R. Part 164, Pearly agrees to comply with the requirements of Subpart E that apply to Provider in the performance of such obligations.

1.7 Pearly agrees to maintain and, on request of Provider, provide to Provider documentation necessary to permit Provider to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528.‍

2. PERMITTED USES AND DISCLOSURES BY PEARLY‍

2.1 Except as otherwise limited by this Addendum, Pearly may make any uses and disclosures of Protected Health Information necessary to perform the Pearly Services for and on behalf of Provider and Member in accordance with the terms of The Agreements and to otherwise meet its obligations under this Addendum.

2.2 Except as otherwise limited in this Addendum, Pearly may use Protected Health Information for the proper management and administration of the Pearly, including internal analytics for Pearly’s own product development, or to carry out the legal responsibilities of Pearly Services.

2.3 Except as otherwise limited in this Addendum, Pearly may disclose Protected Health Information as required by law.

2.4 Except as otherwise limited in this Addendum, Pearly may use Protected Health Information: (i) to provide Data Aggregation Pearly Services relating to the health care operations of Provider as permitted by 45 C.F.R. §164.504(e)(2)(i)(B), and (ii) to de identify such Protected Health Information in accordance with 45 C.F.R. 164.514(a) – (c).

3. OBLIGATIONS OF PROVIDER

3.1 If and to the extent that Provider has imposed or agreed to any limitation on the use or disclosure of Protected Health Information that is more restrictive than HIPAA, Provider shall notify Pearly of any such limitation(s) that Provider has imposed.

3.2 Provider shall immediately notify Pearly of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Pearly’s use or disclosure of Protected Health Information.

3.3 Provider shall not request Pearly to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Regulations if done by the Provider, except as permitted by other terms in this Addendum.

4. TERM AND TERMINATION

4.1 The Term of this Addendum shall be effective upon execution of the Underlying Agreement (“Effective Date”) and shall remain in effect until (i) this Addendum is terminated, and (ii) all Protected Health Information is either returned or destroyed in accordance with Section 4.3.

4.2 This Addendum shall terminate: (i) upon termination of the Underlying Agreement; (ii) upon 30 days’ prior written notice to the breaching party if either party breaches a material term of this Addendum and the breaching party fails to cure the breach by the end of the 30-day notice period; or (iii) the HIPAA Regulations are amended or Provider agrees to restrictions on the use or disclosure of Protected Health Information such that Pearly determines that performance of these Terms may cause Pearly to incur unanticipated costs to comply or face adverse regulatory action.

4.3 Upon termination of this Addendum for any reason, Pearly, with respect to Protected Health Information received from Provider or created, maintained, or received by Pearly on behalf of Provider, shall: 1) Retain only the Protected Health Information which is necessary for Pearly to continue its proper management and administration or to carry out its legal responsibilities; 2) Return to Provider or destroy the remaining Protected Health Information that Pearly still maintains in any form; and 3) If and to the extent that such return or destruction is impractical, continue to use appropriate safeguards and comply with the HIPAA Regulations as to any Protected Health Information that Pearly retains.

‍