
Business Associate Agreement (HIPAA BAA)

Effective Date: March 30, 2026 | For compliance inquiries: compliance@aimwellbio.com
Enterprise Tier Only: AimwellBio will enter into a Business Associate Agreement with qualifying Covered Entities and Business Associates upon execution of an Enterprise tier agreement. This BAA is not available for Standard or Professional tier customers. To discuss BAA eligibility, contact compliance@aimwellbio.com.

1. Definitions

As used in this Business Associate Agreement ("BAA"), the following terms shall have the meanings set forth below, consistent with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §1320d et seq., and the regulations promulgated thereunder, 45 CFR Parts 160, 162, and 164 (collectively, the "HIPAA Rules"):

1.1 HIPAA-Defined Terms

  • Breach: The unauthorized acquisition, access, use, or disclosure of Protected Health Information that compromises the security or privacy of such information. Unauthorized acquisition, access, or use shall not constitute a Breach if an individual acting under the authority of a Covered Entity or Business Associate has a good faith determination that unauthorized persons have not acquired the information.
  • Covered Entity: Any person or organization subject to the HIPAA Standards, including health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.
  • Business Associate: As defined in 45 CFR §160.103, which includes any person or organization, other than a Covered Entity or a workforce member, that creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity.
  • Protected Health Information (PHI): Individually identifiable health information as defined in 45 CFR §160.103 and §164.501(b). PHI includes information in a medical record or health plan that identifies a patient or individual, or could reasonably be used to identify a patient or individual, and relates to past, present, or future physical or mental health conditions, provision of healthcare, or payment for healthcare.
  • Electronic Protected Health Information (ePHI): Protected Health Information that is stored electronically or transmitted electronically in any form.
  • Privacy Rule: Standards for privacy of individually identifiable health information, set forth in 45 CFR Parts 160 and 164, Subpart E.
  • Security Rule: Standards for security of electronic protected health information, set forth in 45 CFR Parts 160 and 164, Subpart C.
  • Breach Notification Rule: Standards for notification of security breaches of unsecured PHI, set forth in 45 CFR Parts 160 and 164, Subparts D and E.
  • Minimum Necessary: The limit on the use, disclosure, and request of PHI to the extent reasonably necessary to accomplish the intended purpose of use, disclosure, or request as defined in 45 CFR §164.502(b) and §164.514(d).
  • Subcontractor: Any person or organization that creates, receives, maintains, or transmits PHI on behalf of a Business Associate.

2. Parties and Effective Date

This BAA is entered into by and between AimwellBio, Inc., a Delaware corporation ("Business Associate"), and the Covered Entity identified in the purchase order or agreement to which this BAA is attached ("Covered Entity"). This BAA is effective as of March 30, 2026, and shall continue for the duration of the underlying service agreement, unless earlier terminated as provided herein.

3. Scope of Services

The Business Associate shall provide the following services to the Covered Entity:

  • Cloud-based platform hosting for biopharmaceutical intelligence and analytics
  • Data storage, processing, and analysis services
  • Reporting, visualization, and dashboard functionality
  • System administration and technical support
  • Backup, disaster recovery, and business continuity services

The Business Associate shall use, disclose, and request PHI only in the manner specified in this BAA and only to the Minimum Necessary extent required to perform the services described above.

4. Permitted Uses and Disclosures of PHI by Business Associate

4.1 Use of PHI

The Business Associate shall use PHI only to the extent necessary to perform the services described above. The Business Associate shall not use or disclose PHI except:

  • As authorized by this BAA
  • As required by law
  • To manage and conduct its operational and administrative activities related to providing the services
  • To support the Covered Entity's compliance with HIPAA obligations

4.2 Minimum Necessary

The Business Associate shall implement and maintain policies and procedures to ensure that all uses and disclosures of PHI are limited to the Minimum Necessary to accomplish the stated purpose. The Business Associate shall:

  • Limit access to PHI to workforce members and authorized users who require such access to perform job functions
  • Use de-identified data to the greatest extent practicable
  • Request from the Covered Entity, and only use or disclose, the minimum data elements necessary to accomplish the intended purpose

4.3 Permissible Disclosures

The Business Associate may disclose PHI:

  • To the Covered Entity for the Covered Entity's use consistent with applicable law
  • To subcontractors acting as Business Associates, subject to Section 7 of this BAA
  • When authorized by law or court order, provided that the Business Associate notifies the Covered Entity of such requirement unless legally prohibited from doing so
  • For data aggregation purposes, provided such aggregated information does not identify individuals
  • For business associate operations only when de-identified in accordance with 45 CFR §164.514

4.4 Prohibited Uses and Disclosures

The Business Associate shall not use or disclose PHI:

  • For marketing purposes without prior written authorization from the Covered Entity
  • To sell PHI under any circumstances
  • For any purpose other than those specified in this BAA or the underlying service agreement
  • To any person or entity except as expressly authorized by this BAA

5. Obligations of the Business Associate

5.1 Safeguarding of PHI

The Business Associate shall implement and maintain comprehensive administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI and ePHI in compliance with 45 CFR §164.308, §164.310, and §164.312. These safeguards shall include:

Administrative Safeguards

  • Security Management Process: Identify risks to the confidentiality, integrity, and availability of ePHI and implement policies and procedures to protect against such risks
  • Workforce Security: Implement policies and procedures to manage system access and authorization; verify workforce members' eligibility for access before granting access to ePHI
  • Information Access Management: Limit access to ePHI based on the principle of least privilege; implement mechanisms to grant or revoke access rights; maintain access logs
  • Security Awareness Training: Provide all workforce members with security awareness training addressing HIPAA requirements, PHI protection, password management, log-in monitoring, and incident reporting
  • Security Incident Procedures: Maintain formal processes for identifying, reporting, investigating, and responding to security incidents and breaches
  • Contingency Planning: Implement and test backup and recovery procedures, emergency access procedures, and disaster recovery plans
  • Business Associate Contracts: Obtain written agreements from all subcontractors agreeing to implement equivalent safeguards

Physical Safeguards

  • Facility Access Controls: Implement policies and procedures to limit physical access to facilities containing servers or systems that process ePHI to authorized individuals only
  • Workstation Use and Security: Establish policies governing workstation use, placement, and physical security for all workstations that access ePHI
  • Device and Media Controls: Implement procedures for oversight of devices and digital media that contain PHI; define appropriate disposal methods to prevent unauthorized access

Technical Safeguards

  • Access Controls: Implement role-based access control; require unique user identifiers; enforce strong password requirements; implement automatic logoff; require multi-factor authentication for administrative access
  • Encryption: Encrypt all ePHI at rest using AES-256 encryption; encrypt all ePHI in transit using TLS 1.2 or higher
  • Audit Controls: Maintain comprehensive, tamper-resistant logs recording all access to ePHI; retain logs for a minimum of six (6) years
  • Integrity Controls: Implement mechanisms to verify that ePHI has not been improperly altered or destroyed
  • Transmission Security: Implement technical means to protect ePHI transmitted electronically across open networks
  • Vulnerability Management: Perform regular vulnerability assessments; conduct annual security risk analyses; maintain intrusion detection systems; implement security patches and updates

5.2 Breach Notification and Reporting

Upon discovery or reasonable suspicion of a Breach of unsecured PHI, the Business Associate shall:

  • Notify the Covered Entity without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the Breach, as required by 45 CFR §164.404
  • Provide notice by email, encrypted portal, or other secure means containing:
    • Date of Breach discovery
    • Description of the Breach and ePHI involved
    • Steps individuals should take to protect themselves
    • Summary of Business Associate's investigation and remedial actions
    • Contact information for questions or additional information
  • Cooperate fully with the Covered Entity's Breach notification obligations to affected individuals and the U.S. Department of Health and Human Services
  • Preserve evidence related to the Breach for regulatory investigation and inspection
  • Conduct a thorough investigation and provide a written incident report to the Covered Entity within thirty (30) days of Breach discovery

5.3 Return or Destruction of PHI

Upon termination of the service agreement or Covered Entity's request, the Business Associate shall, at the Covered Entity's election:

  • Return all PHI to the Covered Entity in the original format or a mutually agreed-upon electronic format within thirty (30) days; or
  • Securely destroy all PHI in a manner that ensures:
    • All ePHI is destroyed using methods that render data unrecoverable
    • Destruction is performed by a certified third party if outsourced
    • Written certification of destruction is provided to the Covered Entity
    • All backup copies are identified and destroyed

The Business Associate may retain PHI only if required by applicable law, and only in a manner that maintains strict confidentiality and security.

5.4 Access to PHI and Records

The Business Associate shall:

  • Provide the Covered Entity with access to PHI and records relating to the care and services provided by the Business Associate, consistent with 45 CFR §164.524 and §164.526
  • Provide copies of requested PHI and records within thirty (30) days of request
  • Provide records of disclosures made pursuant to Covered Entity requests
  • Implement mechanisms for individuals to request access to, amendment of, or accounting of disclosures of their PHI

5.5 Amendment and Correction of PHI

The Business Associate shall:

  • Assist the Covered Entity in responding to requests from individuals to amend their PHI, as required by 45 CFR §164.526
  • Notify other Business Associates and Covered Entities as directed by the Covered Entity
  • Implement a process for individuals to request amendments within the timeframes specified by HIPAA

5.6 Accounting of Disclosures

The Business Associate shall maintain a complete and accurate accounting of all disclosures of PHI made by the Business Associate or its workforce members, as required by 45 CFR §164.528. The Business Associate shall:

  • Maintain disclosures in a standardized format that identifies the date, recipient, purpose, and content of each disclosure
  • Provide the Covered Entity with a written accounting of disclosures within thirty (30) days of request
  • Exclude disclosures made for treatment, payment, and health care operations (TPO) that are not required to be accounted for under HIPAA

5.7 Subcontractor Management

The Business Associate shall:

  • Enter into written Business Associate Agreements with any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate
  • Ensure that all subcontractors implement safeguards equivalent to those required of the Business Associate
  • Remain liable to the Covered Entity for breaches or violations by subcontractors
  • Provide the Covered Entity with a current list of subcontractors upon request
  • Notify the Covered Entity of any changes to subcontractors, including additions, terminations, or material changes, at least thirty (30) days in advance

5.8 Compliance with HIPAA Requirements

The Business Associate shall comply with all applicable requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if the Covered Entity were to engage in such use or disclosure directly.

5.9 Cooperation with Regulators

The Business Associate shall:

  • Cooperate fully with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), and state attorneys general in investigations and compliance activities
  • Make available to HHS all books, records, systems, and safeguards relating to PHI processing
  • Permit HHS and OCR to conduct audits, inspections, and investigations at any time during the agreement term and for six (6) years thereafter
  • Provide written assurance of compliance with HIPAA upon request

6. Obligations of the Covered Entity

The Covered Entity shall:

  • Provide the Business Associate with written instructions regarding the use and disclosure of PHI
  • Notify the Business Associate of any changes in its use or disclosure requirements that would affect the Business Associate's obligations
  • Ensure that authorization from individuals for use and disclosure has been obtained where required by HIPAA
  • Promptly notify the Business Associate of any suspected or discovered Breach or misuse of PHI
  • Maintain records of all requests for access, amendment, or accounting of disclosures

7. Subcontractors and Business Associates

7.1 Subcontractor Oversight

The Business Associate has implemented safeguards to ensure compliance with HIPAA through the following operational arrangements:

  • Cloud infrastructure and database services are provided through vendors with comprehensive HIPAA compliance programs
  • All subcontractors have executed written Business Associate Agreements requiring implementation of equivalent safeguards
  • The Business Associate remains fully liable to the Covered Entity for any breach or non-compliance by subcontractors

7.2 Subcontractor Changes

The Business Associate shall notify the Covered Entity of any material changes to subcontractors at least thirty (30) days in advance, providing opportunity for the Covered Entity to review and object to such changes on grounds relating to data protection or HIPAA compliance.

8. Security Measures and Standards

8.1 Technical Security Standards

The Business Associate implements the following technical safeguards consistent with 45 CFR §164.312:

  • Encryption at Rest: All ePHI stored on Business Associate systems is encrypted using AES-256 encryption with industry-standard key management
  • Encryption in Transit: All ePHI transmitted between systems is protected using TLS 1.2 or higher protocols
  • Access Controls: Multi-factor authentication is required for all administrative access; role-based access control limits access to necessary personnel
  • Audit Logging: All access to ePHI is logged in tamper-resistant logs retained for a minimum of six (6) years
  • Intrusion Detection: Systems include real-time monitoring for unauthorized access attempts and security anomalies
  • System Integrity: All systems are regularly scanned for vulnerabilities; security patches and updates are applied promptly

8.2 Administrative Safeguards

The Business Associate implements the following administrative safeguards consistent with 45 CFR §164.308:

  • Workforce Security: Access is granted only to workforce members who require it to perform their duties; access is revoked immediately upon termination
  • Information Access Management: Periodic reviews confirm that access privileges remain appropriate
  • Security Awareness Training: All workforce members receive annual HIPAA and data security training
  • Security Incident Procedures: Documented procedures address identification, investigation, mitigation, and remediation of security incidents

8.3 Physical Safeguards

The Business Associate implements the following physical safeguards consistent with 45 CFR §164.310:

  • Facility Access: Data centers housing ePHI are protected by multiple layers of physical security including biometric controls, surveillance, and continuous monitoring
  • Workstation Security: Workstations with access to ePHI are secured with locks, surveillance, and strict access controls
  • Media Destruction: All media containing PHI is physically destroyed using certified methods when no longer needed

9. Audit Rights and Compliance Verification

The Covered Entity and HHS shall have the right to:

  • Audit and inspect all areas and systems of the Business Associate relating to PHI processing
  • Request and review policies, procedures, and documentation demonstrating compliance with HIPAA
  • Interview workforce members regarding safeguards and security practices
  • Conduct such audits upon reasonable notice during normal business hours, or without notice if required by HHS for investigation purposes

The Business Associate shall cooperate fully with all audit and compliance activities and shall remediate any identified deficiencies within the timeframes specified by the Covered Entity or HHS.

10. Data Breach and Incident Notification

10.1 Breach Discovery and Investigation

The Business Associate shall implement procedures to discover breaches of unsecured PHI, including regular security assessments, audit log reviews, and incident response protocols. Upon discovery of any unauthorized access, acquisition, use, or disclosure of PHI, the Business Associate shall:

  • Immediately take action to contain the breach and prevent further unauthorized access
  • Preserve all evidence and forensic data relating to the breach
  • Conduct a thorough investigation to determine the scope, impact, and cause of the breach

10.2 Notification Timeline

The Business Associate shall provide notice to the Covered Entity within sixty (60) calendar days of discovery of a Breach, as required by 45 CFR §164.404 (as modified by the HITECH Act). This notice shall include all information necessary for the Covered Entity to fulfill its notification obligations to affected individuals.

10.3 Breach Assessment and Risk Evaluation

The Business Associate shall conduct a risk assessment to determine whether the Breach poses a significant risk of harm. For purposes of this BAA, the Business Associate shall document:

  • Nature and scope of the ePHI involved
  • Who had access or likely access to the ePHI
  • Whether ePHI was acquired or accessed
  • Extent to which risk of compromise has been mitigated

10.4 Mitigation

The Business Associate shall take prompt action to mitigate the impact of a Breach and prevent recurrence, including:

  • Implementing corrective measures to address the cause of the breach
  • Notifying the Covered Entity of the Business Associate's remedial actions
  • Providing the Covered Entity with sufficient information to satisfy notification and regulatory obligations

11. Term, Termination, and Effect of Termination

11.1 Term

This BAA shall be effective as of March 30, 2026, and shall continue throughout the term of the underlying service agreement, unless earlier terminated as provided herein.

11.2 Termination Rights

This BAA may be terminated:

  • By either party upon material breach by the other party if the breach is not cured within thirty (30) days of written notice
  • By the Covered Entity immediately if the Business Associate materially violates any HIPAA requirement
  • By either party upon termination of the underlying service agreement

11.3 Effect of Termination

Upon termination of this BAA:

  • The Business Associate shall cease use and disclosure of all PHI within five (5) business days
  • The Business Associate shall return or destroy all PHI in accordance with Section 5.3 of this BAA within thirty (30) days
  • The Business Associate shall provide written certification of return or destruction
  • The Business Associate shall not retain PHI except as required by law

11.4 Survival

The provisions of this BAA regarding obligations of the Business Associate under Sections 5.1 (Safeguarding), 5.2 (Breach Notification), 5.3 (Return or Destruction), 5.4 (Access to PHI), and Section 10 (Data Breach Notification) shall survive termination of this BAA with respect to any PHI retained following termination.

12. Amendments

The Business Associate may amend this BAA to comply with changes in HIPAA requirements. The Business Associate shall notify the Covered Entity of material amendments at least thirty (30) days in advance. The Covered Entity's continued use of the platform following the amendment notice period shall constitute acceptance of the amendments unless the Covered Entity notifies the Business Associate of its objection in writing.

13. Governing Law and Jurisdiction

This BAA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law principles. The parties consent to the jurisdiction of the federal and state courts located in Delaware for resolution of any disputes relating to this BAA. Notwithstanding the foregoing, this BAA shall be interpreted in accordance with, and shall be subject to, all applicable HIPAA requirements and regulations promulgated by HHS.

14. Regulatory Changes

The parties acknowledge that HIPAA regulations and standards may change. The Business Associate shall update safeguards and policies as required by HHS guidance and regulatory changes. If changes are required that materially affect the Business Associate's obligations or costs, the Business Associate shall notify the Covered Entity with reasonable advance notice. The parties may mutually agree to amend this BAA to reflect such regulatory changes.

15. Entire Agreement

This BAA, together with the underlying service agreement to which it is attached, constitutes the entire agreement between the parties relating to the protection and handling of PHI. No other agreements, understandings, or representations, whether oral or written, are valid unless incorporated in a writing signed by both parties.

16. Contact Information

For questions, concerns, or to report a suspected breach relating to this BAA, please contact:

  • Compliance Officer: compliance@aimwellbio.com
  • Address: AimwellBio, Inc., Delaware, United States

17. Acknowledgment

By executing the underlying service agreement that incorporates this BAA, both the Covered Entity and the Business Associate acknowledge that they have read and understand the terms of this Business Associate Agreement and agree to be bound by its provisions.

© 2026 Aimwell Bioceutical Systems, Inc. All rights reserved.