This Business Associate Agreement ("BAA") is incorporated by reference into your Adjuvex subscription agreement and governs the handling of Protected Health Information ("PHI") as required by the Health Insurance Portability and Accountability Act ("HIPAA") and the Health Information Technology for Economic and Clinical Health ("HITECH") Act.
1. Definitions
Unless otherwise specified, all capitalized terms used in this BAA shall have the meanings set forth in 45 C.F.R. Parts 160 and 164 (the "HIPAA Rules"). Key terms include:
- Covered Entity: The healthcare provider, health plan, or healthcare clearinghouse that subscribes to Adjuvex services.
- Business Associate: Adjuvex, Inc., which performs services on behalf of the Covered Entity that involve the use or disclosure of PHI.
- Protected Health Information (PHI): Individually identifiable health information created, received, maintained, or transmitted by Adjuvex on behalf of the Covered Entity.
- Electronic PHI (ePHI): PHI that is created, received, maintained, or transmitted in electronic form.
2. Permitted Uses and Disclosures
Adjuvex may use or disclose PHI only as necessary to perform the services described in the subscription agreement, including:
- Claims processing, adjudication, billing, and audit functions on behalf of the Covered Entity.
- AI-assisted denial management and appeal generation using de-identified or minimum-necessary data.
- Quality assurance, performance measurement, and utilization review activities.
- As required by law, including disclosures to the Secretary of the Department of Health and Human Services ("HHS").
Adjuvex shall not use or disclose PHI for purposes other than those permitted or required by this BAA without prior written authorization from the Covered Entity.
3. Safeguards and Security
Adjuvex implements and maintains comprehensive administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI in compliance with 45 C.F.R. § 164.314:
- Encryption: All ePHI is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access Controls: Role-based access controls (RBAC) limit PHI access to authorized personnel only.
- Audit Logging: All access to and disclosures of PHI are logged and retained for a minimum of six years.
- Workforce Training: All Adjuvex personnel with access to PHI receive annual HIPAA training.
- Minimum Necessary: PHI access is limited to the minimum necessary to perform the required service.
4. Subcontractors and Agents
Adjuvex shall ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of Adjuvex agrees to the same restrictions and conditions that apply to Adjuvex under this BAA, pursuant to 45 C.F.R. § 164.314(a)(2)(i)(B). A list of current subprocessors is available upon written request.
5. Breach Notification
In the event of a Breach of Unsecured PHI, Adjuvex shall:
- Notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery of the Breach, in accordance with 45 C.F.R. § 164.410.
- Provide all information required by 45 C.F.R. § 164.410(c), to the extent reasonably available at the time of notification.
- Cooperate with the Covered Entity in its investigation and required notifications to individuals and HHS.
To report a suspected breach or security concern, contact: security@adjuvex.com
6. Individual Rights
Adjuvex shall assist the Covered Entity in fulfilling its obligations with respect to individuals' rights under the HIPAA Privacy Rule, including:
- Making PHI available for inspection and copying upon request.
- Amending PHI in a designated record set as directed by the Covered Entity.
- Providing an accounting of disclosures of PHI for the six years prior to the date of the request.
- Honoring restrictions on the use or disclosure of PHI where agreed by the Covered Entity.
7. Term and Termination
This BAA is effective as of the date you first access Adjuvex services and remains in effect for the duration of the subscription agreement. Either party may terminate this BAA if the other party materially breaches a provision and fails to cure such breach within 30 days of written notice.
Upon termination, Adjuvex shall, at the Covered Entity's election, return or destroy all PHI received from or created on behalf of the Covered Entity. Where return or destruction is not feasible, Adjuvex shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
8. Governing Law and Amendments
This BAA is governed by the laws of the United States (HIPAA/HITECH) and the state of Delaware. Adjuvex reserves the right to amend this BAA as necessary to comply with changes in applicable law or regulation. Material changes will be communicated to subscribers with at least 30 days' prior notice.
9. Execution
By subscribing to Adjuvex services, you (as an authorized representative of the Covered Entity) acknowledge that you have read, understood, and agree to be bound by this Business Associate Agreement. This BAA constitutes a legally binding agreement between Adjuvex, Inc. and the Covered Entity.
Need a signed BAA for your organization's records? Contact legal@adjuvex.com to request a countersigned copy.