CollagenDirect Business Associate Agreement

This Business Associate Agreement ("Agreement") is entered into by and between:

1. The "Covered Entity," defined below, and
2. CollagenDirect ("Business Associate"),

and is effective as of the date the Covered Entity (or its authorized representative) creates or is provisioned with an account on the CollagenDirect Provider Portal and affirmatively accepts this Agreement (the "Effective Date").

By creating or activating an account in the CollagenDirect Provider Portal, the individual submitting registration represents and warrants that they (a) are authorized to bind the Covered Entity (e.g. physician practice, clinic, facility) to this Agreement, and (b) are entering this Agreement on behalf of that Covered Entity.

The Parties enter this Agreement to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164 (collectively, the "HIPAA Rules").

1. DEFINITIONS

Terms not otherwise defined in this Agreement shall have the meanings ascribed to them in the HIPAA Rules.

• "Breach" has the meaning given at 45 C.F.R. § 164.402.
• "Business Associate" refers to CollagenDirect.
• "Covered Entity" refers to the healthcare provider practice, clinic, or organization that registers with CollagenDirect and whose authorized representative accepts this Agreement.
• "Protected Health Information" or "PHI" has the meaning given at 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of or from Covered Entity.
• "Required By Law" has the meaning given at 45 C.F.R. § 164.103.
• "Secretary" means the Secretary of the U.S. Department of Health and Human Services or their designee.

2. PERMITTED USES AND DISCLOSURES OF PHI

2.1 Services

Business Associate may use and disclose PHI only as necessary to perform the services described in the CollagenDirect Terms of Service, including but not limited to: order processing, patient eligibility verification, insurance pre-authorization, shipment tracking, billing support, and related administrative functions.

2.2 Business Associate's Own Management and Administration

Business Associate may use PHI for its own proper management and administration or to carry out its legal responsibilities, provided that:

• Such disclosures are Required By Law, or
• Business Associate obtains reasonable assurances from the recipient that the information will remain confidential and be used or further disclosed only as Required By Law or for the purposes for which it was disclosed, and the recipient will notify Business Associate of any known breaches.

2.3 Data Aggregation

Business Associate may use PHI to provide data aggregation services relating to healthcare operations of Covered Entity, subject to applicable HIPAA Rules.

3. OBLIGATIONS OF BUSINESS ASSOCIATE

3.1 Compliance with HIPAA Rules

Business Associate agrees not to use or disclose PHI in any manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except as permitted by this Agreement or Required By Law.

3.2 Safeguards

Business Associate shall use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI (ePHI), to prevent use or disclosure of PHI other than as provided by this Agreement.

3.3 Reporting

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, any Security Incident, and any Breach of unsecured PHI as soon as practicable but no later than 10 business days after discovery. "Discovery" is defined at 45 C.F.R. § 164.410(b).

3.4 Subcontractors and Agents

Business Associate shall ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate under this Agreement, including implementing reasonable and appropriate safeguards for ePHI.

3.5 Access to PHI

Business Associate shall make PHI available to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet Covered Entity's obligations under 45 C.F.R. § 164.524, within 15 business days of request.

3.6 Amendment of PHI

Business Associate shall make any amendments to PHI that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526, within 15 business days of notification.

3.7 Accounting of Disclosures

Business Associate shall document and make available to Covered Entity information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528, within 30 business days of request.

3.8 Books and Records

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules.

3.9 Minimum Necessary

Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 C.F.R. § 164.502(b) and § 164.514(d).

4. OBLIGATIONS OF COVERED ENTITY

4.1 Notice of Privacy Practices

Covered Entity shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices that affect Business Associate's use or disclosure of PHI.

4.2 Permissions and Restrictions

Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted uses or disclosures.

4.3 Restrictions

Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522.

4.4 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity.

5. TERM AND TERMINATION

5.1 Term

This Agreement shall commence on the Effective Date and remain in effect until terminated as provided herein, or until all PHI provided by Covered Entity to Business Associate is destroyed or returned.

5.2 Termination for Cause

If either party determines the other has materially breached a provision of this Agreement, the non-breaching party may:

• Provide written notice and an opportunity to cure within 30 days, or
• If cure is not feasible, immediately terminate this Agreement and the underlying service relationship.

5.3 Effect of Termination

Upon termination of this Agreement for any reason, Business Associate shall:

• Return or destroy all PHI received from Covered Entity that Business Associate maintains in any form, and retain no copies, or
• If return or destruction is not feasible, extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

6. BREACH NOTIFICATION

6.1 Discovery and Reporting

Business Associate shall, following the discovery of a Breach of unsecured PHI, notify Covered Entity of such Breach in accordance with 45 C.F.R. § 164.410. Notification shall be made without unreasonable delay and in no case later than 10 business days after discovery.

6.2 Content of Notice

Business Associate's notification shall include, to the extent known:

• The identification of each Individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
• A brief description of what happened, including the date of the Breach and the date of discovery;
• A description of the types of unsecured PHI involved in the Breach;
• Any steps Individuals should take to protect themselves from potential harm;
• A brief description of what Business Associate is doing to investigate, mitigate harm, and prevent further breaches; and
• Contact information for Individuals to ask questions.

6.3 Investigation and Mitigation

Business Associate shall conduct a prompt investigation of any suspected or known Breach, take reasonable steps to mitigate any harmful effects, and cooperate with Covered Entity in fulfilling Covered Entity's breach notification obligations under 45 C.F.R. § 164.404 through § 164.408.

7. INDEMNIFICATION

Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:

• Business Associate's breach of this Agreement;
• Business Associate's violation of the HIPAA Rules;
• Business Associate's negligent or wrongful acts or omissions; or
• Any Breach caused by Business Associate or its subcontractors.

8. MISCELLANEOUS

8.1 Regulatory References

A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

8.2 Amendment

The parties agree to amend this Agreement to the extent necessary to allow either party to comply with changes in federal or state law relating to the privacy and security of PHI. CollagenDirect may update this Agreement by posting a new version with an updated version date. Continued use of the platform constitutes acceptance of the updated terms.

8.3 Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with the HIPAA Rules.

8.4 Survival

The respective rights and obligations under Sections 3.8 (Books and Records), 5.3 (Effect of Termination), 6 (Breach Notification), and 7 (Indemnification) shall survive termination of this Agreement.

8.5 No Third-Party Beneficiaries

Nothing express or implied in this Agreement is intended to confer upon any person other than the parties and their successors or assigns, any rights, remedies, obligations, or liabilities.

8.6 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles, and federal law where applicable.

8.7 Severability

If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

9. CONTACT INFORMATION

For questions regarding this Business Associate Agreement or HIPAA compliance matters, please contact:

---