Disclaimer: Please consult a licensed attorney before relying on these documents. These materials are provided for informational purposes only and do not constitute legal advice.
Business Associate Agreement
Last updated: March 9, 2026
This Business Associate Agreement (“Agreement”) is entered into by and between the entity subscribing to the Compliance Pro platform (“Covered Entity”) and Ali Management Group LLC, a Delaware limited liability company, with its principal place of business at 2810 N Church St #501279, Wilmington, DE 19802 (“Business Associate”).
Effective Date: This Agreement is effective as of March 9, 2026, or the date the Covered Entity first accesses the Service, whichever is later.
1. Recitals
WHEREAS, the Covered Entity is a home care agency or other entity that is subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and regulations promulgated thereunder, including the Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E), the Security Rule (45 CFR Part 164, Subpart C), and the Breach Notification Rule (45 CFR Part 164, Subpart D) (collectively, the “HIPAA Rules”);
WHEREAS, the Business Associate provides the Compliance Pro platform (compliancepro.live), a cloud-based compliance management software service, and in the course of providing this service, may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of the Covered Entity;
WHEREAS, the parties wish to establish the terms and conditions pursuant to which the Business Associate will use and disclose PHI in compliance with the HIPAA Rules;
NOW, THEREFORE, in consideration of the mutual promises and obligations set forth herein, the parties agree as follows:
2. Definitions
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164). The following terms shall have the meanings set forth below:
- “Breach” shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR 164.402.
- “Business Associate” shall mean Ali Management Group LLC.
- “Covered Entity” shall mean the entity subscribing to the Compliance Pro platform.
- “Designated Record Set” shall have the meaning set forth in 45 CFR 164.501.
- “Electronic Protected Health Information” or “ePHI” shall mean PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103.
- “Individual” shall have the same meaning as the term “individual” in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
- “Protected Health Information” or “PHI” shall have the meaning set forth in 45 CFR 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
- “Required by Law” shall have the meaning set forth in 45 CFR 164.103.
- “Secretary” shall mean the Secretary of the United States Department of Health and Human Services.
- “Security Incident” shall have the meaning set forth in 45 CFR 164.304.
- “Service” shall mean the Compliance Pro platform and all related services provided by Business Associate.
- “Subcontractor” shall mean a person or entity to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Business Associate’s workforce.
- “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
3. Permitted Uses and Disclosures of PHI
3.1 Service Performance
Business Associate may use or disclose PHI only as necessary to perform the services specified in the Service Agreement between the parties, including compliance management, form management, credential tracking, training management, reporting, and related functions.
3.2 Business Associate Operations
Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities, provided that:
- The disclosures are Required by Law; or
- Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and the recipient will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
3.3 De-Identification
Business Associate may use PHI to create de-identified information in accordance with 45 CFR 164.514(a)-(c). De-identified information is not subject to the terms of this Agreement.
3.4 Minimum Necessary
Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in compliance with 45 CFR 164.502(b) and 164.514(d).
4. Obligations of the Business Associate
Business Associate agrees to:
- Safeguards. Implement appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement, in compliance with the Security Rule (45 CFR Part 164, Subpart C).
- Reporting. Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured PHI as required by 45 CFR 164.410, without unreasonable delay and in no case later than 60 days after discovery.
- Subcontractors. Ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement, by entering into a written agreement with each Subcontractor that complies with 45 CFR 164.504(e).
- Access. Make available PHI in a Designated Record Set to the Covered Entity or, as directed by the Covered Entity, to an Individual, in order to meet the requirements of 45 CFR 164.524.
- Amendment. Make any amendment(s) to PHI in a Designated Record Set as directed by the Covered Entity or as agreed to by the Covered Entity pursuant to 45 CFR 164.526.
- Accounting. Make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528.
- Compliance. Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules.
- Mitigation. To the extent practicable, mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
- Encryption. Encrypt all ePHI at rest using AES-256 encryption and in transit using TLS 1.2 or higher.
- Audit Controls. Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
5. Obligations of the Covered Entity
Covered Entity agrees to:
- Provide Business Associate with the notice of privacy practices that the Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice.
- Inform Business Associate of any limitation(s) in the notice of privacy practices of the Covered Entity that may affect Business Associate’s use or disclosure of PHI.
- Inform Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, if such changes affect Business Associate’s permitted uses or disclosures.
- Inform Business Associate of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by the Covered Entity.
6. Term and Termination
6.1 Term
This Agreement shall be effective as of the Effective Date and shall continue in effect until all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in this Section.
6.2 Termination for Cause
Upon either party’s knowledge of a material breach by the other party, the non-breaching party shall provide written notice to the breaching party. The breaching party shall have 30 days from receipt of such notice to cure the breach. If the breach is not cured within the 30-day period, the non-breaching party may terminate this Agreement.
6.3 Obligations Upon Termination
Upon termination of this Agreement for any reason, Business Associate shall:
- Return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, within 90 days of termination. This provision shall apply to PHI that is in the possession of Subcontractors of Business Associate.
- Retain no copies of the PHI, except as necessary for Business Associate’s proper management and administration or to carry out its legal responsibilities.
- If return or destruction of PHI is infeasible, extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
7. Miscellaneous Provisions
7.1 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions, and the applicable provisions of HIPAA.
7.2 Amendment
This Agreement may not be modified or amended except in writing signed by both parties. The parties agree to take such action as is necessary to amend this Agreement from time to time as necessary for compliance with the requirements of the HIPAA Rules.
7.3 Survival
The respective rights and obligations of the parties under Sections 4 (Obligations of Business Associate) and 6.3 (Obligations Upon Termination) shall survive the termination of this Agreement.
7.4 Interpretation
Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. In the event of a conflict between the provisions of this Agreement and mandatory provisions of the HIPAA Rules, the HIPAA Rules shall control.
7.5 No Third-Party Beneficiaries
Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
7.6 Entire Agreement
This Agreement, together with the Service Agreement between the parties, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings, both written and oral, between the parties with respect to the subject matter hereof.
7.7 Notices
All notices required or permitted under this Agreement shall be in writing and shall be sent to the addresses set forth below, or to such other address as either party may designate in writing.
8. Signature Blocks
IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the Effective Date.
BUSINESS ASSOCIATE
Ali Management Group LLC
2810 N Church St #501279
Wilmington, DE 19802
info@compliancepro.live
Signature
Printed Name and Title
Date
COVERED ENTITY
Organization Name: ________________________________
Address: ________________________________
Email: ________________________________
Signature
Printed Name and Title
Date
Client BAA: If you are a home care agency signing up for Compliance Pro, please review and sign the Client Business Associate Agreement.
