BUSINESS ASSOCIATE AGREEMENT
IMPORTANT – PLEASE READ CAREFULLY
This Business Associate Agreement (“BAA”) is a legally binding contract between you, on behalf of the dental practice or other Covered Entity you represent (“Covered Entity”), and PepCare, LLC (“Business Associate” or “PepCare”). By checking the acceptance box during registration or account setup on the PepCare platform (pepcare.com), you: (1) represent that you have authority to bind the Covered Entity to this Agreement; (2) acknowledge that you have read and understand this Agreement; and (3) agree to be bound by all terms and conditions set forth herein. If you do not agree, do not check the box and do not use the PepCare platform.
RECITALS
PepCare, LLC (“PepCare” or “Business Associate”) is a Wisconsin limited liability company with its principal place of business at 28034 Silver Lake Road, Salem, WI 53168, that operates a cloud-based software platform providing dental practices with collaboration, secure communication, and referral-sharing services (the “Platform” or “Services”).
In providing the Services, PepCare may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entity, making PepCare a “Business Associate” as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”).
The parties therefore enter into this Agreement to satisfy the requirements of HIPAA, including the Privacy Rule (45 C.F.R. Parts 160 and 164, Subparts A and E), the Security Rule (45 C.F.R. Parts 160, 162, and 164, Subpart C), and the HITECH Act (Subtitle D of Pub. L. 111-5).
NOW, THEREFORE, the parties agree as follows:
ARTICLE I : DEFINITIONS
Capitalized terms used but not defined herein have the meanings ascribed to them under HIPAA. As used in this Agreement:
1.1 “Acceptance Date” means the date on which Covered Entity checks the acceptance checkbox confirming agreement to this BAA during registration or account setup on the PepCare platform.
1.2 “Business Associate” has the meaning set forth at 45 C.F.R. § 160.103, and refers to PepCare, LLC.
1.3 “Covered Entity” has the meaning set forth at 45 C.F.R. § 160.103, and refers to the dental practice or other healthcare provider that accepts this Agreement through the PepCare platform. When the accepting party is an organization that operates or manages multiple dental practices (e.g., a DSO or OSO), this Agreement applies to and covers all dental practices and affiliated providers operating under that organization’s authority.
1.4 “Effective Date” means the Acceptance Date, as recorded in PepCare’s systems.
1.5 “Minimum Necessary” means the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, as defined by HHS.
1.6 “Platform” or “Services” means the PepCare software-as-a-service platform and related services, including collaboration tools, secure messaging, and referral management functionality, made available at pepcare.com.
1.7 “Protected Health Information” or “PHI” has the meaning set forth at 45 C.F.R. § 160.103, and includes Electronic Protected Health Information (“ePHI”) as defined therein.
1.8 “Services Agreement” means the PepCare Terms of Service or subscription agreement governing Covered Entity’s use of the Platform, as may be amended from time to time.
ARTICLE II : OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Permitted Uses and Disclosures.
(a) PepCare may use and disclose PHI only as necessary to perform the Services on behalf of Covered Entity, as required by law, or as otherwise permitted under this Agreement. PepCare shall not use or disclose PHI in any manner that would violate the Privacy Rule if done by Covered Entity.
(b) PepCare shall limit its use, disclosure, and requests for PHI, to the extent practicable, to a Limited Data Set or, if needed, to the Minimum Necessary amount to accomplish the intended purpose.
(c) Unless otherwise limited herein, PepCare may use or disclose PHI: (i) for its own proper management and administration; or (ii) to fulfill its legal responsibilities, provided such disclosure is Required by Law or PepCare obtains written assurances from the recipient that PHI will be held confidentially and used only for the purpose for which it was disclosed.
2.2 Prohibited Uses and Disclosures.
(a) Sale of PHI. PepCare shall not sell PHI or receive direct or indirect remuneration in exchange for PHI.
(b) Marketing. PepCare shall not use or disclose PHI for marketing purposes without a valid Individual authorization, except as permitted under HIPAA.
(c) Non-Disclosure Requests. PepCare shall abide by any restriction request from an Individual pursuant to 45 C.F.R. § 164.522(a) that Covered Entity has communicated to PepCare.
2.3 Security Safeguards. PepCare shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI and ePHI as required by the Security Rule (45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312, and 164.316). PepCare shall prevent use or disclosure of PHI other than as permitted by this Agreement.
2.4 Breach Reporting.
(a) PepCare shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement of which it becomes aware, including any Breach of Unsecured PHI as required by 45 C.F.R. § 164.410, and any successful Security Incident, without unreasonable delay and in no case later than thirty (30) calendar days after discovery. Such report shall include: (i) a description of the incident; (ii) the PHI involved; (iii) the identity of persons involved (if known); (iv) corrective actions taken or planned; and (v) steps taken to mitigate harm.
(b) PepCare shall report to Covered Entity the aggregate number of unsuccessful, unauthorized attempts to access or destroy ePHI, no more than once per month, unless the parties agree otherwise in writing.
2.5 Subcontractors. PepCare may engage subcontractors as necessary to perform the Services. PepCare will require that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to substantially similar restrictions, conditions, and requirements as those that apply to PepCare under this Agreement, and shall disclose only the Minimum Necessary PHI.
2.6 Individual Access. Within ten (10) calendar days of written request from Covered Entity, PepCare shall make available any PHI in its custody or control required to fulfill Covered Entity’s obligations under 45 C.F.R. § 164.524. Where PHI is maintained in an Electronic Health Record, PepCare shall provide it in electronic format within five (5) calendar days.
2.7 Amendment of PHI. Within fifteen (15) calendar days of written request, PepCare shall amend PHI in its custody, or provide Covered Entity access to do so, as required by 45 C.F.R. § 164.526.
2.8 Accounting of Disclosures.
(a) Disclosure Tracking. PepCare shall maintain a record of each PHI disclosure to a third party as required by HIPAA, including: (i) disclosure date; (ii) recipient name and address; (iii) description of PHI; and (iv) purpose of disclosure.
(b) Disclosure Accounting. PepCare shall provide an accounting of disclosures to Covered Entity or its designee within fifteen (15) calendar days of written request, as required by 45 C.F.R. § 164.528.
2.9 Performance of Covered Entity Obligations. To the extent PepCare carries out any obligation of Covered Entity under the Privacy Rule, PepCare shall comply with the requirements of the Privacy Rule applicable to Covered Entity in performing such obligation.
2.10 Books and Records. PepCare shall make its internal practices, books, and records relating to the use and disclosure of PHI available to Covered Entity and to HHS to determine compliance with HIPAA.
2.11 Mitigation. PepCare shall, to the extent practicable, mitigate any harmful effect known to PepCare resulting from a use or disclosure of PHI in violation of this Agreement or HIPAA.
2.12 Subpoenas and Legal Process. PepCare shall notify Covered Entity in writing within forty-eight (48) hours of receipt of any subpoena or other legal process seeking PHI received from or created on behalf of Covered Entity, or otherwise relating to the provision of Services.
ARTICLE III : TERM AND TERMINATION
3.1 Term. This Agreement shall commence on the Effective Date (i.e., the Acceptance Date) and shall remain in effect until terminated in accordance with this Article III or until the Services Agreement is terminated, whichever occurs first.
3.2 Termination by Covered Entity. Covered Entity may terminate this Agreement and its use of the Platform at any time by providing written notice to PepCare. Termination shall be effective upon receipt of such notice.
3.3 Termination for Breach. Either party may terminate this Agreement immediately upon written notice if the other party materially breaches this Agreement and fails to cure such breach within a reasonable period designated in the notice. PepCare may also suspend access to the Platform pending cure of a material breach by Covered Entity.
3.4 Return or Destruction of PHI. Upon termination of this Agreement for any reason, PepCare shall, at its own expense, return or destroy all PHI in its possession or control, including any PHI held by its subcontractors. PepCare shall retain no copies of PHI unless Covered Entity expressly authorizes retention in writing. If return or destruction is not feasible, PepCare shall notify Covered Entity and extend the protections of this Agreement to any retained PHI indefinitely.
3.5 Injunctive Relief. In the event of a material breach of this Agreement, either party shall be entitled to seek injunctive or other equitable relief without the necessity of proving actual damages or posting a bond.
ARTICLE IV : INDEMNIFICATION AND INSURANCE
4.1 Indemnification. PepCare shall indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against any claims, liabilities, damages, fines, penalties, costs, and expenses (including reasonable attorneys’ fees) arising from any non-permitted use or disclosure of PHI, or any other material breach of this Agreement, by PepCare or its subcontractors or agents.
4.2 Insurance. PepCare shall maintain, throughout the term of this Agreement, liability insurance adequate to cover claims arising from unauthorized use or disclosure of PHI in violation of HIPAA or applicable state privacy laws. Upon written request, PepCare shall provide Covered Entity with a certificate of insurance evidencing such coverage.
ARTICLE V : MISCELLANEOUS
5.1 Electronic Acceptance and Record-Keeping. This Agreement is entered into electronically. PepCare shall maintain a record of each Covered Entity’s acceptance, including the name and email address of the accepting user, the Acceptance Date and timestamp, the IP address from which acceptance was made, and the version of this BAA accepted. This record shall constitute the binding agreement between the parties and shall be made available to Covered Entity upon written request.
5.2 Amendments and Updates. PepCare may update this Agreement from time to time to reflect changes in applicable law or its Services. PepCare shall provide Covered Entity with at least thirty (30) days’ advance written notice (by email to the address on file) of any material amendment. Continued use of the Platform after the effective date of an amendment constitutes acceptance of the updated Agreement. If Covered Entity does not agree to an amendment, it must cease use of the Platform and provide written notice of termination prior to the amendment’s effective date.
5.3 Conflicts. In the event of a conflict between this Agreement and the Services Agreement or any other agreement between the parties, this Agreement shall control with respect to PHI and HIPAA obligations. All non-conflicting terms of the Services Agreement remain in full force and effect.
5.4 Construction. This Agreement shall be construed as broadly as necessary to implement and comply with HIPAA. Any ambiguity shall be resolved in favor of a meaning that complies with HIPAA.
5.5 No Third-Party Beneficiaries. Nothing in this Agreement is intended to confer any rights, remedies, or obligations upon any person other than Covered Entity, PepCare, and their respective successors and permitted assigns.
5.6 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Wisconsin, without regard to its conflict of laws principles. The parties consent to the jurisdiction of state and federal courts located in Wisconsin for any disputes arising hereunder.
5.7 Survival. Sections 2.4, 2.8, 3.4, 3.5, 4.1, 5.1, 5.6, and this Section 5.7 shall survive the termination or expiration of this Agreement.
5.8 Entire Agreement. This Agreement, together with the Services Agreement and any applicable PepCare policies incorporated herein by reference, constitutes the entire agreement between the parties with respect to the subject matter hereof, and supersedes all prior agreements, representations, and understandings relating to this subject matter.
5.9 Contact Information. Notices to PepCare under this Agreement shall be sent to: PepCare, LLC, 28034 Silver Lake Road, Salem, WI 53168, Attn: Privacy Officer. Notices to Covered Entity shall be sent to the email address on file with PepCare at the time of notice.
ELECTRONIC ACCEPTANCE
By checking the acceptance box during account registration or setup on the PepCare platform, the individual accepting this Agreement represents and warrants that: (i) they are duly authorized to enter into this Agreement on behalf of the Covered Entity; (ii) the Covered Entity is a “Covered Entity” as defined under HIPAA; (iii) they have read, understand, and agree to be bound by all terms of this Business Associate Agreement; and (iv) checking the box constitutes a legally binding electronic signature under the Electronic Signatures in Global and National Commerce Act (E-SIGN) and applicable state law.