HIPAA Business Associate Agreement

MARCON JOHN SOLUTIONS INC.

This Business Associate Agreement ("BAA") is entered into effective this 8th day of November 2023 ("Effective Date") by and between Marcon John Solutions Inc. ("Business Associate 1") and Vida Natura Technologies Inc. ("Business Associate 2") (each a "Party" and collectively, the "Parties").

RECITALS

WHEREAS, Business Associate 1 is a "Business Associate" as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91), as amended, ("HIPAA"), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services ("Secretary"), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 ("HIPAA Regulations");

WHEREAS, Business Associate 2 seeks to perform Services for or on behalf of Business Associate 1, and in performing said Services, Business Associate 2 will create, receive, maintain, or transmit Protected Health Information ("PHI") or Electronic Protected Health Information ("ePHI");

WHEREAS, the parties intend to protect the privacy and provide for the security of PHI and ePHI disclosed by Business Associate 1 to Business Associate 2, or received or created by Business Associate 2, when providing Services in compliance with the HIPAA Act, regulations issued thereunder, applicable guidance issued by the Secretary of the Department of Health and Human Services (HHS), the Health Information Technology for Economic and Clinical Health Act ("the HITECH Act") and other applicable state and federal laws, all as amended from time to time; and

WHEREAS, as a Business Associate, Business Associate 1 is required under HIPAA to enter into a Business Associate Agreement (BAA) with Business Associate 2 that meets certain requirements with respect to the use and disclosure of PHI.

AGREEMENT

In consideration of the above recitals and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:

DEFINITIONS

The following terms shall have the meaning set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in HIPAA, the HIPAA Regulations, or the HITECH Act, as applicable.

  1. "Breach" shall have the meaning given under 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.
  2. "Data Aggregation" shall have the meaning given under 45 C.F.R. § 164.501.
  3. "Designated Record Set" shall have the meaning given such term under 45 C.F.R. § 164.501.
  4. "Disclose" and "Disclosure" mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Business Associate 2 or to other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.
  5. "Electronic PHI" or "ePHI" means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.
  6. "Protected Health Information" and "PHI" mean any information, whether oral or recorded in any form or medium, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and (b) identifies the individual, or for which there is a reasonable basis for believing that the information can be used to identify the individual. "Protected Health Information" shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health Information includes ePHI.
  7. "Security Incident" shall have the meaning given to such term under 45 C.F.R. § 164.304.
  8. "Services" shall mean the services for or functions on behalf of Business Associate 1 performed by Business Associate 2 pursuant to any service agreement(s) between Business Associate 1 and Business Associate 2(s) which may be in effect now or from time to time ("Underlying Agreement"), or, if no such agreement is in effect, the services or functions performed by Business Associate 2 that constitute a Business Associate relationship, as set forth in 45 C.F.R. § 160.103, Definition of "Business Associate."
  9. "Subcontractor" means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Workforce of such Business Associate.
  10. "Unsecured PHI" shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and Federal Register documents, including, but not limited to, 74 Federal Register 19006 (April 27, 2009) and 78 Federal Register 5565 (January 25, 2013).
  11. "Use" or "Uses" mean, with respect to PHI, the sharing, employment, application, utilization, examination, or analysis of such PHI within Business Associate 2’s internal operations, as set forth in 45 C.F.R. § 160.103.
  12. "Workforce" shall have the meaning given to such term under 45 C.F.R. § 160.103.