
Business Associate Agreement

MedGrid, LLC · Updated June 10, 2026


    BUSINESS ASSOCIATE AGREEMENT

    Exhibit C to the MedGrid Platform Agreements

    This Business Associate Agreement (this "BAA") is entered into as of June 10, 2026 (the "Effective Date") by and between MedGrid, LLC, a Delaware limited liability company ("Business Associate" or "MedGrid"), and the covered entity that is a party to the underlying Platform Agreement (the "Covered Entity"). Business Associate and Covered Entity are each a "Party" and together the "Parties."

    This BAA supplements and is incorporated into the Physician Platform Participation and Services Agreement, the Clinic or Enterprise Agreement, or other underlying agreement between the Parties governing access to the MedGrid platform (the "Underlying Agreement"). This BAA governs the Parties' respective obligations with respect to Protected Health Information and is required by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, "HIPAA"). In the event of a conflict between this BAA and the Underlying Agreement with respect to Protected Health Information, this BAA controls.

    1. Definitions

    Capitalized terms used but not otherwise defined in this BAA have the meanings given to them in HIPAA, including 45 C.F.R. Parts 160 and 164. The following terms have the meanings set forth below:

    1.1 "Breach" has the meaning given in 45 C.F.R. Section 164.402.

    1.2 "Protected Health Information" or "PHI" means individually identifiable health information, as defined in 45 C.F.R. Section 160.103, that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity under the Underlying Agreement. PHI does not include information that has been de-identified in accordance with 45 C.F.R. Section 164.514(b).

    1.3 "Security Incident" has the meaning given in 45 C.F.R. Section 164.304.

    1.4 "Required by Law" has the meaning given in 45 C.F.R. Section 164.103.

    1.5 "Electronic PHI" or "ePHI" means PHI that is transmitted by or maintained in electronic media as defined in 45 C.F.R. Section 160.103.

    2. Permitted Uses and Disclosures by Business Associate

    2.1 General. Business Associate may use and disclose PHI only as permitted or required by this BAA, the Underlying Agreement, or as Required by Law, and shall not use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity, except as set forth in Sections 2.3 and 2.4.

    2.2 Performance of Services. Business Associate may use and disclose PHI as necessary to perform the services described in the Underlying Agreement, including hosting, transmission, order facilitation, platform operation, and the provision of clinical-intelligence and outcomes-tracking functionality, in each case on behalf of and at the direction of Covered Entity.

    2.3 Management and Administration. Business Associate may use PHI for its proper management and administration and to carry out its legal responsibilities. Business Associate may disclose PHI for such purposes only if the disclosure is Required by Law, or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and the recipient notifies Business Associate of any breach of confidentiality.

    2.4 Data Aggregation. Business Associate may use PHI to provide data aggregation services relating to the health care operations of Covered Entity, as permitted by 45 C.F.R. Section 164.504(e)(2)(i)(B).

    2.5 De-Identification. Business Associate may de-identify PHI in accordance with 45 C.F.R. Section 164.514(b). Information that has been de-identified in conformance with that standard is no longer PHI and is not subject to this BAA, and Business Associate may use and disclose such de-identified information for any lawful purpose, including research, protocol development, and licensing, subject to the Underlying Agreement. Business Associate shall not attempt to re-identify de-identified information except as permitted by Covered Entity in writing or as Required by Law.

    2.6 Sale of PHI; Marketing. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI except as permitted by 45 C.F.R. Section 164.502(a)(5)(ii) and pursuant to a valid authorization, and shall not use or disclose PHI for marketing except as permitted by HIPAA and pursuant to a valid authorization under 45 C.F.R. Section 164.508.

    3. Obligations of Business Associate

    Business Associate shall:

    3.1 Limit Uses and Disclosures. Not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.

    3.2 Safeguards. Use appropriate administrative, physical, and technical safeguards, and comply with the HIPAA Security Rule (45 C.F.R. Sections 164.308, 164.310, 164.312, and 164.316) with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by this BAA, including conducting and maintaining a current security risk analysis.

    3.3 Minimum Necessary. Make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose, consistent with 45 C.F.R. Section 164.502(b).

    3.4 Report Improper Use or Disclosure. Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, and any Security Incident, without unreasonable delay and in no event later than ten (10) business days after discovery. Unsuccessful Security Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of ePHI (such as routine pings or scans) are not reported individually and are reported only on an aggregate, periodic basis.

    3.5 Breach Notification. Notify Covered Entity of any Breach of unsecured PHI without unreasonable delay and in no event later than seventy-two (72) hours after discovery, consistent with 45 C.F.R. Section 164.410. The notification shall include, to the extent known, the identification of each individual whose unsecured PHI was or is reasonably believed to have been involved, and the information Covered Entity is required to include in its notifications under 45 C.F.R. Section 164.404.

    3.6 Mitigation. Mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of this BAA.

    3.7 Subcontractors. Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions at least as restrictive as those that apply to Business Associate under this BAA, as required by 45 C.F.R. Sections 164.502(e)(1)(ii) and 164.308(b)(2).

    3.8 Access. Within ten (10) business days of a request, make available PHI in a Designated Record Set to Covered Entity (or, as directed by Covered Entity, to an individual) as necessary to satisfy Covered Entity's obligations under 45 C.F.R. Section 164.524.

    3.9 Amendment. Within ten (10) business days of a request, make any amendment to PHI in a Designated Record Set as directed by Covered Entity, consistent with 45 C.F.R. Section 164.526.

    3.10 Accounting of Disclosures. Document and, within ten (10) business days of a request, make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 C.F.R. Section 164.528.

    3.11 Access to Records by HHS. Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.

    3.12 Covered Entity Obligations. To the extent Business Associate is to carry out an obligation of Covered Entity under the HIPAA Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of that obligation.

    4. Obligations of Covered Entity

    4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation in its notice of privacy practices, to the extent that the limitation may affect Business Associate's use or disclosure of PHI.

    4.2 Changes in Authorization. Covered Entity shall notify Business Associate of any changes in, or revocation of, a permission by an individual to use or disclose PHI, to the extent that the change may affect Business Associate's use or disclosure of PHI.

    4.3 Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. Section 164.522, to the extent it may affect Business Associate's use or disclosure of PHI.

    4.4 Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, except as permitted under Sections 2.3 and 2.4 of this BAA.

    5. Term and Termination

    5.1 Term. This BAA is effective as of the Effective Date and continues until all PHI provided by Covered Entity to Business Associate, or created, maintained, or received by Business Associate on behalf of Covered Entity, is destroyed or returned, or, if return or destruction is infeasible, until protections are extended to such PHI in accordance with Section 5.3.

    5.2 Termination for Cause. Upon either Party's knowledge of a material breach of this BAA by the other Party, the non-breaching Party may provide written notice of the breach and an opportunity to cure within thirty (30) days. If the breaching Party does not cure within that period, the non-breaching Party may terminate this BAA and the Underlying Agreement. If cure is not feasible, the non-breaching Party may terminate immediately.

    5.3 Effect of Termination. Upon termination of this BAA, Business Associate shall, if feasible, return or destroy all PHI received from, or created, maintained, or received on behalf of, Covered Entity that Business Associate still maintains, and shall retain no copies. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate maintains the PHI. This Section survives termination.

    6. Miscellaneous

    6.1 Regulatory References. A reference in this BAA to a section of HIPAA means the section as in effect or as amended.

    6.2 Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with HIPAA and other applicable law.

    6.3 Interpretation. Any ambiguity in this BAA shall be resolved to permit the Parties to comply with HIPAA.

    6.4 No Third-Party Beneficiaries. Nothing in this BAA confers any rights upon any person other than the Parties and their respective successors and permitted assigns.

    6.5 Survival. The respective rights and obligations of Business Associate that by their nature should survive termination shall survive.

    6.6 Governing Law and Dispute Resolution. This BAA is governed by the laws of the State of Delaware, and any dispute arising under this BAA is subject to the dispute resolution provisions of the Underlying Agreement, including good faith negotiation, mediation, and binding arbitration administered by JAMS in Miami Beach, Florida.

    IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the Effective Date.

    BUSINESS ASSOCIATE: MedGrid, LLC

    _______________________________________

    Name / Title / Date

    COVERED ENTITY:

    _______________________________________

    Name / Title / Date
