Business Associate Agreement (BAA)

This HIPAA Business Associate Agreement (“BAA”) is entered into between Bioscope.ai, Inc. (“Bioscope.ai”) and the medical group or medical practice that has agreed to the Master Services Agreement (the “Covered Entity” or “Customer”), and supplements, amends, and is incorporated into the Master Services Agreement (the “Agreement”) solely with respect to Covered Services (defined below). This BAA will be effective as of the date Customer executes an Order (the “BAA Effective Date”).

Customer must have an existing Agreement in place for this BAA to be valid and effective. Together with the Agreement, this BAA will govern each party’s respective obligations regarding Protected Health Information (defined below).

You represent and warrant that (i) you have the full legal authority to bind Customer to this BAA, (ii) you have read and understand this BAA, and (iii) you agree, on behalf of Customer, to the terms of this BAA. If you do not have legal authority to bind Customer, or do not agree to these terms, please do not execute an Order referencing this BAA.

1. Definitions

“Breach” has the definition given to it under HIPAA.

“Business Associate” has the definition given to it under HIPAA.

“Covered Entity” has the definition given to it under HIPAA.

“Covered Services” means the Bioscope.ai products and/or services specifically listed in Attachment 1 to this BAA, as may be updated from time to time by Bioscope.ai with notice to Customer. Bioscope.ai may only remove a Covered Service from Attachment 1 with at least twelve (12) months prior notice.

“Designated Record Set” has the definition given to it under HIPAA.

“Genetic Data” means Protected Health Information concerning an individual’s genetic characteristics, including raw sequence data from whole genome sequencing, processed variant data, genetic test results, Lab Results, and any information derived from the analysis of such genetic information.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations thereunder, as amended, including the Privacy Rule, Security Rule, and Breach Notification Rule.

“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.

“Individual” has the definition given to it under HIPAA and includes a person who qualifies as a personal representative under HIPAA.

“Lab Results” means the raw genomics and microbiomics data and any resulting reports, findings, or derivations thereof generated by Bioscope.ai’s designated lab testing facility as a result of processing a Patient’s biological sample.

“Patient” means an Individual who is a patient of Customer and for whom Customer is using the Covered Services in connection with treatment.

“Protected Health Information” or “PHI” has the definition given to it under HIPAA and for purposes of this BAA is limited to PHI within Licensee Data to which Bioscope.ai has access through the Covered Services in connection with Customer’s permitted use of Covered Services. PHI includes Genetic Data where applicable.

“Required by Law” has the definition given to it under HIPAA.

“Secretary” means the Secretary of the U.S. Department of Health and Human Services or their designee.

“Security Incident” has the definition given to it under HIPAA.

“Subcontractor” means a person or entity to whom Bioscope.ai delegates a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI.

2. Applicability

This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via a Covered Service and to the extent Bioscope.ai, as a result, is deemed under HIPAA to be acting as a Business Associate or Subcontractor of Customer.

Customer acknowledges that this BAA does not apply to: (a) any Bioscope.ai product, service, or feature that is not a Covered Service; (b) any PHI that Customer creates, receives, maintains, or transmits outside of the Covered Services; or (c) services provided by third parties that are not Subcontractors of Bioscope.ai, including without limitation any third-party applications or integrations that Customer elects to use.

If Customer is not a Covered Entity and does not act as a Business Associate, Customer shall comply with the Data Processing Agreement available at https://security.bioscope.ai/legal/data-processing-agreement/ in lieu of this BAA.

3. Permitted Use and Disclosure of PHI

3.1 General Limitations

Except as otherwise stated in this BAA, Bioscope.ai may use and disclose PHI only (i) as permitted or required by the Agreement and/or this BAA; (ii) as Required by Law; or (iii) as otherwise permitted under HIPAA.

3.2 Proper Management and Administration

Bioscope.ai may use and disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if: (a) Required by Law; or (b) Bioscope.ai obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Bioscope.ai will be notified of any Breach or Security Incident.

3.3 Data Aggregation and De-Identification

Subject to the terms of the Agreement, Bioscope.ai may: (a) use PHI to provide data aggregation services relating to the health care operations of Customer; and (b) de-identify PHI in accordance with 45 C.F.R. § 164.514(a)-(c). Once de-identified in compliance with HIPAA, such data is no longer PHI and is not subject to this BAA.

3.4 AI and Machine Learning Processing

Customer acknowledges that the Covered Services include AI-powered analysis features that process PHI, including Genetic Data, to provide genomic insights and health analysis. Such processing is considered part of the clinical decision support operations for which Customer has engaged Bioscope.ai. Bioscope.ai will not use PHI to train or improve AI models except to the extent such PHI has been de-identified in accordance with Section 3.3.

3.5 Communications Regarding Research Opportunities

Covered Entity authorizes Business Associate to use PHI, including Individual contact information, to communicate with Individuals regarding opportunities to participate in research studies, clinical programs, or similar initiatives. Such communications shall:

(a) Be made only to Individuals who have consented to receive such communications from Business Associate;
(b) Describe the nature of the opportunity in general terms;
(c) Not disclose PHI to any third party as part of the communication;
(d) Not condition treatment, payment, enrollment, or eligibility on the Individual’s response; and
(e) Inform the Individual that participation is voluntary and that any participation would require separate authorization.

4. Customer Obligations

4.1 Permissible Requests

Customer will not request that Bioscope.ai or the Covered Services use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer (if Customer is a Covered Entity) or by the Covered Entity to which Customer is a Business Associate (unless expressly permitted under HIPAA for a Business Associate).

4.2 Implementation and Configuration

For Authorized Users that use the Covered Services in connection with PHI, Customer will use controls available within the Covered Services to ensure its use of PHI is limited to the Covered Services. Customer acknowledges that Customer is solely responsible for ensuring that its and its Authorized Users’ use of the Covered Services complies with HIPAA and HITECH.

4.3 Patient Consents

Customer is solely responsible for obtaining all necessary authorizations and consents from Patients as required by HIPAA and other applicable laws prior to submitting PHI, including Genetic Data, through the Covered Services. Bioscope.ai will provide genetic testing consent forms to Patients on Customer’s behalf as described in the Agreement, but Customer remains responsible for ensuring all required authorizations are obtained.

4.4 Minimum Necessary

Customer will ensure that its disclosures of PHI to Bioscope.ai are limited to the minimum necessary to accomplish the intended purpose, except for disclosures for treatment purposes.

5. Appropriate Safeguards

Bioscope.ai and Customer will each use appropriate safeguards designed to prevent unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Covered Services.

Bioscope.ai will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, that it creates, receives, maintains, or transmits on behalf of Customer, in accordance with 45 C.F.R. Part 164, Subpart C. Such safeguards include, without limitation:

(a) Encryption of PHI at rest using AES-256 or equivalent;
(b) Encryption of PHI in transit using TLS 1.3 or higher;
(c) Access controls limiting access to PHI to authorized personnel;
(d) Multi-factor authentication for access to systems containing PHI;
(e) Audit logging of access to PHI;
(f) Regular security assessments and penetration testing;
(g) Workforce training on privacy and security requirements; and
(h) Additional safeguards for Genetic Data given its particularly sensitive nature.

6. Reporting and Related Obligations

6.1 Breach Notification

Bioscope.ai will promptly notify Customer of: (a) any Security Incident of which Bioscope.ai becomes aware, subject to Section 6.3; and (b) any Breach that Bioscope.ai discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than forty-eight (48) hours after confirmation of such Breach.

6.2 Notification Contents

Notifications made under this section will describe, to the extent possible: (a) the nature of the Breach or Security Incident, including the categories and approximate number of Individuals affected and the categories and approximate number of PHI records affected; (b) the steps taken to mitigate the potential risks; (c) steps Bioscope.ai recommends Customer take to address the Breach or Security Incident; and (d) contact information for Bioscope.ai’s designated security contact.

6.3 Unsuccessful Security Incidents

Notwithstanding Section 6.1, this Section 6.3 will be deemed as notice to Customer that Bioscope.ai periodically receives unsuccessful attempts at unauthorized access, use, disclosure, modification, or destruction of information, or interference with the general operation of Bioscope.ai’s systems and the Covered Services. Customer acknowledges and agrees that even if such events constitute a Security Incident, Bioscope.ai will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 6.3.

6.4 Notification Method

Bioscope.ai will send any applicable notifications to the notification email address provided by Customer in the Order or via direct communication with Customer’s designated administrator.

7. Subcontractors

Bioscope.ai will take appropriate measures to ensure that any Subcontractors used by Bioscope.ai to perform its obligations under the Agreement that require access to PHI on behalf of Bioscope.ai are bound by written obligations that provide the same material level of protection for PHI as this BAA. Such Subcontractors include, without limitation, Bioscope.ai’s designated laboratory testing facility for processing genetic samples.

Bioscope.ai maintains a current list of Subcontractors at https://security.bioscope.ai/legal/subprocessors, which Bioscope.ai shall update prior to engaging any new Subcontractor that will have access to PHI. To the extent Bioscope.ai uses Subcontractors in its performance of obligations hereunder, Bioscope.ai will remain responsible for their performance as if performed by Bioscope.ai.

8. Access and Amendment

Customer acknowledges and agrees that Customer is solely responsible for the form and content of PHI maintained by Customer within the Covered Services, including whether Customer maintains such PHI in a Designated Record Set within the Covered Services.

Bioscope.ai will provide Customer with access to Customer’s PHI via the Covered Services so that Customer may fulfill its obligations under HIPAA with respect to Individuals’ rights of access and amendment. Bioscope.ai will have no other obligations to Customer or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI, except to the extent such assistance is requested by Customer and Bioscope.ai is reasonably able to provide such assistance.

Customer is responsible for managing its use of the Covered Services to appropriately respond to Individual requests, including requests for access to Genetic Data and Lab Results.

9. Accounting of Disclosures

Bioscope.ai will document disclosures of PHI by Bioscope.ai and provide an accounting of such disclosures to Customer as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under 45 C.F.R. § 164.528. Upon Customer’s reasonable request, Bioscope.ai will provide information necessary for Customer to respond to an Individual’s request for an accounting of disclosures within thirty (30) days of such request.

10. Access to Records

To the extent required by law, and subject to all applicable legal privileges, Bioscope.ai will make its internal practices, books, and records concerning the use and disclosure of PHI received from Customer, or created or received by Bioscope.ai on behalf of Customer, available to the Secretary for the purpose of the Secretary determining compliance with this BAA and HIPAA.

11. Expiration and Termination

11.1 Term

This BAA will terminate on the earlier of: (a) a permitted termination in accordance with Section 11.2; or (b) the expiration or termination of all Orders under which Customer has access to a Covered Service.

11.2 Termination for Breach

If either party materially breaches this BAA, the non-breaching party may terminate this BAA on thirty (30) days’ written notice to the breaching party unless the breach is cured within the thirty-day period. If a cure under this Section 11.2 is not reasonably possible, the non-breaching party may immediately terminate this BAA. If neither termination nor cure is reasonably possible under this Section 11.2, the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.

11.3 Effect of Early Termination

If this BAA is terminated earlier than the Agreement, Customer may continue to use the Covered Services in accordance with the Agreement, but must delete any PHI it maintains in the Covered Services and cease to further create, receive, maintain, or transmit such PHI to Bioscope.ai.

12. Return/Destruction of Information

On termination of the Agreement, Bioscope.ai will return or destroy all PHI received from Customer, or created or received by Bioscope.ai on behalf of Customer; provided, however, that if such return or destruction is not feasible, Bioscope.ai will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

Bioscope.ai may retain PHI to the extent required by applicable law, in which case Bioscope.ai will isolate and protect such PHI from any further processing except as required by law and will delete such PHI when no longer required to be retained.

13. Miscellaneous

13.1 Survival

Sections 10 (Access to Records), 12 (Return/Destruction of Information), and 13 (Miscellaneous) will survive termination or expiration of this BAA.

13.2 Regulatory Changes

The parties agree to take such action as is reasonably necessary to amend this BAA from time to time as is necessary for compliance with changes in HIPAA or other applicable law.

13.3 Interpretation

Any ambiguity in this BAA will be interpreted to permit compliance with HIPAA. In the event of any conflict between this BAA and the Agreement with respect to PHI, this BAA will govern.

13.4 Effect of BAA

This BAA is subject to the governing law and dispute resolution provisions in the Agreement. Except as expressly modified or amended under this BAA, the terms of the Agreement remain in full force and effect.

13.5 No Third-Party Beneficiaries

Nothing in this BAA is intended to confer any rights or remedies on any person other than the parties hereto, except that Individuals may exercise their rights under HIPAA as provided by law.

13.6 Entire Agreement

This BAA, together with the Agreement and any applicable Orders, constitutes the entire agreement between the parties with respect to the subject matter hereof.

Contact Information

For questions about this Business Associate Agreement, please contact:

Privacy Inquiries: privacy@bioscope.ai

Security Inquiries: security@bioscope.ai

General Support: support@bioscope.ai

Mailing Address:

Bioscope.ai, Inc.
Attn: Privacy Officer
880 Monon Green Blvd
Carmel, IN 46032

Last Updated: December 5, 2025