Holistic Practice Management LLC Business Associate Agreement

EXHIBIT A: SCOPE OF SERVICES

HPM provides virtual receptionist, administrative support, and practice growth services tailored to each practice's needs. Services may include any or all of the following:

Reception and Administrative Services

• Answering incoming calls and providing professional phone reception

• Scheduling and confirming patient appointments

• Scheduling and confirming non-patient appointments (vendors, sales representatives, etc.)

• Managing practice calendars and scheduling systems

• Managing patient portal activity including messages and appointment requests

• Preparing daily and/or weekly to-do lists and follow-up lists for providers

• Contacting and establishing new vendor accounts (pharmaceutical companies, supply companies, etc.)

• Coordinating with building property management on office suite or facility issues

• Managing text messaging platforms (Google Voice, etc.) for patient and non-patient communication

• Handling incoming and outgoing fax activity

• Managing new patient intake processes, information collection, and coordination

• Conducting patient recall campaigns (6-month, annual, or other intervals)

• Processing prescription refill requests and coordinating with pharmacies

• Handling pharmacy clarification calls and medication-related inquiries

• Managing patient billing and collections

• Processing insurance verifications and authorizations

• Handling patient payment processing

• Coordinating referrals to and from other healthcare providers

• Managing medical records requests

• Maintaining and updating patient demographic information

• Ordering office and medical supplies

Communication and Technology Services

• Practice Communication Platform setup and management

• Marketing and texting line provisioning

• Texting registration (A2P compliance)

• EMR integration and support

• WhatsApp integration for patient communication

• AI website chatbot setup and management

• Practice setup, workflow design, and automation

Marketing and Growth Services

• Contact list management and maintenance

• Content marketing

• Local listings management

• SEO audit, optimization, and ongoing monitoring

• Google and Meta ads integration

• Ads campaign setup and management

• Marketing analytics setup and reporting

• Landing page creation

• Website updates and maintenance

• Social media integration assistance

• Other services as mutually agreed upon

The specific services provided to Client will be determined based on practice needs and may be adjusted from time to time by mutual agreement.

EXHIBIT C: BUSINESS ASSOCIATE AND PATIENT PRIVACY AGREEMENT

RECITALS

WHEREAS, to the extent that Client is a Covered Entity as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and the regulations promulgated thereunder (collectively, the "HIPAA Rules"), Client and HPM are required to enter into a Business Associate Agreement;

WHEREAS, even where Client may not meet the definition of a Covered Entity under HIPAA, both parties recognize the importance of protecting patient health information and agree to uphold the standards set forth in this Exhibit as a matter of best practice and professional responsibility;

WHEREAS, HPM provides virtual receptionist, appointment scheduling, patient communication, and related administrative services to Client;

WHEREAS, in the course of providing such services, HPM may create, receive, maintain, use, or transmit patient health information on behalf of Client; and

WHEREAS, the parties desire to establish the terms and conditions under which HPM will protect all patient health information entrusted to it in the course of providing Services.

NOW, THEREFORE, in consideration of the mutual promises and covenants contained in the Service Agreement and this Exhibit, the Parties agree to the following terms with respect to patient health information:

Applicability. Where Client is a Covered Entity under HIPAA, the terms of this Exhibit shall constitute a Business Associate Agreement as required by 45 C.F.R. § 164.504(e). Where Client is not a Covered Entity, the terms of this Exhibit shall constitute a binding patient privacy and data protection agreement between the parties, and references to HIPAA, the HIPAA Rules, and related regulatory provisions shall be understood as the standard of care to which both parties voluntarily agree to be held.

1. DEFINITIONS

Terms used but not otherwise defined in this Exhibit shall have the same meaning as those terms in the HIPAA Rules, to the extent applicable. For purposes of this Exhibit:

• "Breach" shall have the meaning given to such term under the HITECH Act and HIPAA Rules at 45 C.F.R. § 164.402, or, where Client is not a Covered Entity, shall mean any unauthorized acquisition, access, use, or disclosure of patient health information.

• "Protected Health Information" or "PHI" shall have the meaning given to such term under the HIPAA Rules at 45 C.F.R. § 160.103, limited to the information created, received, maintained, used, or transmitted by HPM from or on behalf of Client. Where Client is not a Covered Entity under HIPAA, PHI shall mean any individually identifiable patient health information entrusted to HPM in the course of providing Services.

• "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by or maintained in electronic media.

• "Individual" shall mean any patient or other person whose health information is created, received, maintained, used, or transmitted by HPM on behalf of Client.

• "Required by Law" shall have the meaning given to such term under the HIPAA Rules at 45 C.F.R. § 164.103, or any other applicable federal, state, or local law.

• "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee.

• "Security Incident" shall have the meaning given to such term under the HIPAA Rules at 45 C.F.R. § 164.304, or, where Client is not a Covered Entity, shall mean any attempted or successful unauthorized access, use, disclosure, modification, or destruction of patient health information or interference with system operations in an information system.

• "Subcontractor" shall mean any person or entity to whom HPM delegates a function, activity, or service involving the use or disclosure of PHI.

• "Unsecured Protected Health Information" shall have the meaning given to such term under the HITECH Act and HIPAA Rules at 45 C.F.R. § 164.402, or, where Client is not a Covered Entity, shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS guidance.

2. PERMITTED USES AND DISCLOSURES OF PHI

2.1 General Use and Disclosure. HPM may only use or disclose PHI as necessary to perform the Services for or on behalf of Client as specified in this Agreement, or as otherwise permitted or required by this Exhibit or Required by Law. HPM shall not use or disclose PHI in any manner that would constitute a violation of the HIPAA Rules if so used or disclosed by a Covered Entity.

2.2 Specific Uses and Disclosures. HPM may:

• Use and disclose PHI to perform functions, activities, or services for, or on behalf of, Client as specified in the Service Agreement;

• Use PHI for the proper management and administration of HPM or to carry out the legal responsibilities of HPM;

• Disclose PHI for the proper management and administration of HPM, provided that the disclosure is Required by Law or HPM obtains reasonable written assurances from the recipient that the PHI will be held confidentially;

• Use and disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).

2.3 Minimum Necessary. HPM shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

2.4 Prohibition on Sale of PHI. HPM shall not directly or indirectly receive remuneration in exchange for any PHI, except with the prior written consent of Client and as permitted by applicable law.

2.5 Prohibition on Marketing. HPM shall not use or disclose PHI for marketing purposes without the prior written consent of Client.

2.6 Remote Access and Data Location. HPM may access PHI remotely from outside the United States in the ordinary course of providing Services. HPM represents that all such access occurs through encrypted connections and that no PHI is stored on non-U.S. servers, systems, or devices. All PHI data storage shall be maintained on servers physically located within the United States.

3. OBLIGATIONS OF HPM

3.1 Safeguards. HPM shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. With respect to ePHI, HPM shall comply with the Security Rule at Subpart C of 45 C.F.R. Part 164 to the extent applicable. At a minimum, HPM shall implement:

• Multi-factor authentication (MFA) for all systems and accounts that access PHI;

• Encryption of PHI both at rest and in transit using industry-standard encryption protocols;

• Annual risk assessments to identify and address potential vulnerabilities to the confidentiality, integrity, and availability of ePHI;

• Logging and audit trails of all access to and use of PHI, with logs retained for a minimum of six (6) years;

• Regular security awareness training for all workforce members who have access to PHI;

• Documented incident response procedures for addressing suspected or confirmed security incidents.

3.2 Reporting of Improper Use or Disclosure. HPM shall report to Client any use or disclosure of PHI not provided for by this Agreement, including any Security Incident (excluding unsuccessful attempts such as pings, port scans, failed logins, or other common Internet background noise that do not result in unauthorized access, acquisition, use, or disclosure of PHI) or Breach of Unsecured PHI, of which HPM becomes aware. Such report shall be made without unreasonable delay and in no case later than ten (10) calendar days after HPM becomes aware of such use, disclosure, Security Incident, or Breach.

3.3 Breach Notification. Following the discovery of a Breach of Unsecured PHI, HPM shall:

• Notify Client without unreasonable delay and in no case later than ten (10) calendar days after discovery of the Breach;

• Provide Client with all information necessary for Client to meet any applicable notification obligations, including identification of affected Individuals, description of PHI involved, date of Breach, steps to mitigate harm, and contact procedures;

• Cooperate with Client in meeting any applicable obligations under the HIPAA Breach Notification Rule at 45 C.F.R. § 164.404-414;

• Take prompt corrective action to cure any deficiencies and mitigate any harmful effects.

3.4 Subcontractors. HPM shall ensure that any Subcontractors or agents to whom it provides PHI agree in writing to the same restrictions, conditions, and requirements that apply to HPM with respect to such PHI. HPM shall remain liable for any acts or omissions of its Subcontractors.

3.5 Access to PHI. Within fifteen (15) calendar days of a request by Client, HPM shall make available to Client or to an Individual, information contained in any records maintained by HPM on behalf of Client, to the extent necessary for Client to meet its obligations under applicable law, including 45 C.F.R. § 164.524 where applicable.

3.6 Amendment of PHI. Within fifteen (15) calendar days of receipt of a request from Client, HPM shall make any amendments to PHI in records maintained by HPM as directed by Client.

3.7 Accounting of Disclosures. Within fifteen (15) calendar days of notice by Client, HPM shall make available to Client the information required to provide an accounting of disclosures of PHI as necessary for Client to meet any applicable obligations under 45 C.F.R. § 164.528.

3.8 Books and Records. HPM shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules, to the extent applicable.

3.9 Compliance. HPM shall comply with all applicable requirements of the HIPAA Rules, including those provisions of the HITECH Act and its implementing regulations that are directly applicable to Business Associates, to the extent applicable.

3.10 Mitigation. HPM shall mitigate, to the extent practicable, any harmful effect that is known to HPM of a use or disclosure of PHI in violation of this Agreement.

4. OBLIGATIONS OF CLIENT

4.1 Notice of Privacy Practices. To the extent applicable, Client shall notify HPM of any limitation(s) in its notice of privacy practices that may affect HPM's use or disclosure of PHI.

4.2 Permission Changes. Client shall notify HPM of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect HPM's use or disclosure of PHI.

4.3 Restrictions. Client shall notify HPM of any restriction on the use or disclosure of PHI that Client has agreed to, to the extent that such restriction may affect HPM's use or disclosure of PHI.

4.4 Permissible Requests. Client shall not request HPM to use or disclose PHI in any manner that would not be permissible under applicable law.

5. TERM AND TERMINATION

5.1 Term. This Exhibit shall become effective on the Effective Date of the Service Agreement and shall continue until all PHI is destroyed or returned to Client, or until termination of the Service Agreement, whichever is later.

5.2 Effect of Termination. Upon termination of this Agreement for any reason, HPM shall, in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(H) where applicable, return to Client or destroy all PHI received from Client, or created or received by HPM on behalf of Client. HPM shall retain no copies of the PHI.

If return or destruction of PHI is not feasible, HPM shall notify Client in writing, extend the protections of this Agreement to such PHI, limit further uses and disclosures to those purposes that make return or destruction infeasible, and continue to use appropriate safeguards.

6. INDEMNIFICATION

HPM shall indemnify, defend, and hold harmless Client and its officers, directors, employees, and agents from and against any and all claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:

• Any breach by HPM of its obligations under this Agreement;

• Any violation by HPM of the HIPAA Rules or other applicable privacy law;

• Any unauthorized use or disclosure of PHI by HPM or its Subcontractors or agents;

• Any Breach of Unsecured PHI caused by HPM or its Subcontractors or agents.

HPM shall, at its own expense, defend Client against any claim, action, or proceeding brought against Client arising from HPM's breach of this Agreement or violation of applicable privacy law.

7. MISCELLANEOUS

7.1 Regulatory References. A reference in this Exhibit to a section in the HIPAA Rules means the section as in effect or as amended.

7.2 Amendment. The Parties agree to amend this Exhibit from time to time as necessary to comply with the requirements of the HIPAA Rules and any other applicable law.

7.3 Survival. The rights and obligations set forth in this Exhibit shall survive the termination of this Agreement.

7.4 Interpretation. Any ambiguity in this Exhibit shall be resolved in favor of a meaning that best protects patient health information and, where applicable, permits Client to comply with the HIPAA Rules.

7.5 Relationship to Service Agreement. This Exhibit is incorporated into and made a part of the Service Agreement. In the event of any conflict between this Exhibit and other provisions of the Service Agreement with respect to PHI, the provisions of this Exhibit shall control.