BUSINESS ASSOCIATE ADDENDUM

(for US Customers only)

This Business Associate Addendum (“BAA”), effective as of the effective date of the underlying Services Agreement (the “Agreement”), supplements, and is made part of the Agreement by and between ImPACT Applications, Inc., a Delaware corporation (“Business Associate”) and the counterparty to the Agreement (“Covered Entity”). Business Associate and Covered Entity are referred to collectively as the “Parties” and individually as a “Party”. To the extent that Covered Entity discloses Protected Health Information to Business Associate (or Business Associate handles Protected Health Information on Covered Entity’s behalf) in connection with services or products provided to Covered Entity, or as otherwise required or allowed by the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, codified at 42 U.S.C. §1320d through d-9, as amended (“HIPAA”), and only to the extent required by law, Covered Entity and Business Associate agree to the following terms and conditions, which are intended to comply with HIPAA, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and their respective implementing regulations:

1. Definitions.

1.1. “Business Associate” will generally have the same meaning as the term “business associate” at 45 C.F.R. §160.103, and in reference to the party to this BAA, will mean ImPACT Applications, Inc.

1.2. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 C.F.R. §160.103, and in reference to the party to this BAA, will mean the entity that has entered into a Services Agreement with Business Associate.

1.3. “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.

1.4. “Services Agreement” means the agreement between the Parties in which Business Associate performs functions or activities on behalf of Covered Entity. This BAA is an integral part of the Services Agreement as if fully set forth therein.

1.5. Other definitions: The following terms used in this BAA will have the same meaning as those in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (to the extent such Protected Health Information is received, used, disclosed, accessed or maintained by Business Associate), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. Other terms will have the definitions set forth in this BAA.

2. Obligations and Activities of Business Associate

2.1. Business Associate agrees to not Use or Disclose Protected Health Information other than as permitted or required by this BAA, as Required by Law, or as contemplated by the Terms of Use.

2.2. Business Associate agrees to use appropriate safeguards, including compliance with Subpart C of 45 C.F.R. Part 164, with respect to electronic Protected Health Information to prevent Use or Disclosure of the electronic Protected Health Information other than as permitted by this BAA.

2.3. Business Associate agrees to report to Covered Entity’s Privacy Official any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 C.F.R. §164.410, and any Security Incident of which it becomes aware. For reports of incidents constituting a Breach, the report will include, to the extent available, the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or Disclosed during such Breach. Security Incidents that do not result in any unauthorized access, Use, Disclosure, modification, destruction of information, or interference with system operations will be reported in the aggregate upon written request of Covered Entity in a manner and frequency mutually acceptable to the Parties. Business Associate hereby reports to Covered Entity that incidents such as ping sweeps or other common network reconnaissance techniques, attempts to log on to a system with an invalid password or user name, and denial of service attacks that do not result in a server being taken off line may occur from time to time.

2.4. In accordance with 45 C.F.R. §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply under this BAA to Business Associate with respect to such information.

2.5. To the extent Business Associate has Protected Health Information in a Designated Record Set, and only to the extent required by HIPAA, Business Associate agrees to make available Protected Health Information in a Designated Record Set, to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. §164.524. The Parties agree and acknowledge that it is Covered Entity’s responsibility to respond to all such requests.

2.6. Business Associate agrees to make Protected Health Information available for purposes of any amendment to Protected Health Information in its possession contained in a Designated Record Set as agreed to by Covered Entity pursuant to 45 C.F.R. §164.526 or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. §164.526. The Parties agree and acknowledge that it is Covered Entity’s responsibility to respond to all such requests.

2.7. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. §164.528. The Parties agree and acknowledge that it is Covered Entity’s responsibility to respond to all such requests.

2.8. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164 of the HIPAA Rules, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

2.9. Business Associate agrees to make its internal practices, books, and records related to Business Associate’s Use and Disclosure of Protected Health Information received from Covered Entity available to the Secretary for purposes of determining compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures of Protected Health Information by Business Associate

3.1. Business Associate may Use or Disclose Protected Health Information as necessary to perform the services set forth in the Terms of Use, as permitted in this BAA and the Terms of Use, and as otherwise permitted by the HIPAA Rules.

3.2. Business Associate may Use or Disclose Protected Health Information as Required By Law.

3.3. Business Associate agrees to make Uses and Disclosures and requests for Protected Health Information consistent with the requirements in the HIPAA Rules regarding Minimum Necessary Uses and Disclosures. Covered Entity represents and warrants that its Minimum Necessary policies and procedures and the Notice of Privacy Practices are consistent with, and not more stringent than, the HIPAA Rules or, to the extent that Covered Entity’s Notice of Privacy Practices or policies and procedures regarding the Minimum Necessary requirements of the HIPAA Rules impose additional particular restrictions on Business Associate, Covered Entity agrees to provide such policies to Business Associate in writing prior to requesting that Business Associate perform a particular function or activity on behalf of Covered Entity that would be affected by such policies and procedures.

3.4. Business Associate may create de-identified information that may be Used and Disclosed by Business Associate as Business Associate deems appropriate, provided that the information is de-identified in accordance with the HIPAA Rules.

3.5. Business Associate may Use Protected Health Information to provide Data Aggregation services to Covered Entity. Business Associate may also Use Protected Health Information to create, Use, and Disclose a Limited Data Set consistent with the HIPAA Rules.

3.6. Business Associate may Use and Disclose Protected Health Information to report violations of law to appropriate Federal and State authorities, in a manner consistent with the HIPAA Rules.

3.7. Business Associate may not Use or Disclose Protected Health Information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except for the specific Uses and Disclosures set forth below.

3.8. Business Associate may Use Protected Health Information for the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities.

3.9. Business Associate may Disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate; provided, the Disclosures are Required By Law or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that the information will remain confidential and used or further Disclosed only as Required By Law or for the purposes for which it was Disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

4. Obligations of Covered Entity

4.1. Covered Entity will notify Business Associate, in writing and in a timely manner, of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 C.F.R. §164.520 and its policies regarding the “minimum necessary” requirements in 45 C.F.R. §164.502(b) to the extent that such limitation may affect Business Associate’s Use or Disclosure of Protected Health Information, and will notify Business Associate of any material changes thereof.

4.2. Covered Entity will notify Business Associate, in writing and in a timely manner, of any changes in, or revocation of, permission by an Individual to Use or Disclose that person’s Protected Health Information, if such changes may affect Business Associate’s Use or Disclosure of Protected Health Information.

4.3. Covered Entity will notify Business Associate, in writing and in a timely manner, of any restriction on the Use and/or Disclosure of Protected Health Information to which Covered Entity has agreed or is required to abide by under 45 C.F.R.§164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of Protected Health Information.

4.4. Covered Entity agrees to comply with all applicable state and federal privacy and security laws and regulations, including the HIPAA Rules. Covered Entity agrees to obtain any patient authorizations or consents that may be required under state or federal law or regulation in order to transmit Protected Health Information to Business Associate and to enable Business Associate and its subcontractors to Use and Disclose Protected Health Information as contemplated by this BAA and the Terms of Use.

4.5. Covered Entity may not ask Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under applicable laws and rules, including the HIPAA Rules, if done by Covered Entity, except that Business Associate may Use or Disclose Protected Health Information for its proper management and administration, data aggregation, and other activities specifically permitted by this BAA.

5. Term and Termination

5.1 Term

Except as otherwise provided herein, the term of this BAA will coincide with the Terms of Use and will terminate in accordance with the termination provisions of the Terms of Use, or the date either Party terminates for cause, as authorized in paragraph (b) of this Section, whichever is sooner.

5.2 Termination for Cause

Upon a Party’s knowledge of a material breach by the other, the non-breaching Party will provide written notice to the breaching Party and may terminate this BAA if the breaching Party does not cure the breach or end the violation within 30 days of receipt of such notice.

5.3 Effect of Termination

Upon Covered Entity’s written instruction following termination of this BAA for any reason , Business Associate will return or destroy, all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form subject to Business Associate’s disaster recovery data retention policies and except as required under applicable law, regulation, court order, subpoena, or similar legal process. Following the destruction, Business Associate will retain no copies of the Protected Health Information; provided, the deletion of the Protected Health Information contained in disaster recovery data storage will follow Business Associate’s disaster recovery retention schedule.

If no written request from the Covered Entity is received, Business Associate shall:

5.1. Retain only that Protected Health Information that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

5.2. Dispose of all Protected Health Information in accordance with Business Associate’s standard medical records retention schedule as outlined in detail in Business Associate’s “Privacy Notice” (available here: https://impacttest.com/privacy-notice/);

5.3. Continue to use appropriate safeguards to comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic Protected Health Information to prevent Use or Disclosure of the Protected Health Information, other than as provided for in this Section, for as long as Business Associate retains the Protected Health Information;

5.4. Not Use or Disclose the Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set out at Section 3(h) and Section 3(i) above which applied prior to termination; and

5.5. Return to Covered Entity or destroy the Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

5.6. Business Associate’s obligations under this Section will survive the termination of this BAA.

6. Interpretation and Amendment of this BAA

A regulatory reference in this BAA to a section of the HIPAA Rules means the section as in effect or as amended. Any ambiguity or inconsistency in this BAA will be interpreted to permit compliance with the HIPAA Rules. This BAA supersedes any and all prior representations, understandings, or agreements, written or oral, concerning the subject matter herein, including conflicting provisions of the Terms of Use. The Parties hereto agree to negotiate in good faith to amend this BAA from time to time as is necessary for compliance with the requirements of HIPAA or any other applicable law and regulations and for Business Associate to provide services to Covered Entity. However, no change, amendment, or modification of this BAA will be valid unless set forth in writing and signed by both Parties. When provisions of this BAA are different than those in the HIPAA Rules, but are nonetheless permitted by the HIPAA Rules, the provisions of this BAA will control. Any ambiguity in this BAA will be resolved to permit the Parties to comply with the HIPAA Rules.

7. No Third-Party Rights/Independent Contractors

The terms and conditions of this BAA are intended for the sole benefit of the Parties and do not create any third-party rights. The Parties declare that they are independent contractors and not agents of each other, except as otherwise required by law or regulation.

8. Notices

Any notice required or permitted by this BAA to be given or delivered will be in writing and will be deemed given or delivered if delivered in person, or sent by courier or expedited delivery service, or sent by registered or certified mail, postage prepaid, return receipt requested, or sent by facsimile (if confirmed), to the address on record. Either Party may change its address for purposes of this BAA by written notice to the other Party.

9. Governing Law

To the extent not preempted by federal law, this BAA will be governed and construed in accordance with the state laws governing the Terms of Use, without giving effect to choice of law or conflicts of law provisions thereunder.

10. Binding Nature and Benefits

This BAA binds and benefits the Parties, and their respective successors, and their permitted assigns.

11. Severability

Whenever possible, each provision of this BAA will be interpreted so as to be effective and valid under applicable law. If any provision of this BAA should be prohibited or found invalid under applicable law, such provision will be ineffective to the extent of such prohibition or invalidity without invalidating the other of such provision or the remaining provisions of this BAA; provided, however, that if any such invalid provision is material to an extent that a Party would not have entered into the BAA absent such provision, then that Party may terminate the BAA upon ninety (90) calendar days’ prior written notice to the other Party.

ImPACT Applications Inc Logo

ImPACT Applications, Inc., a Riverside Insights® company, is the maker of ImPACT, ImPACT Pediatric, and ImPACT Quick Test, all FDA cleared medical devices that assist in the assessment and management of concussion. See our milestones here and access our press releases here.

TOOLS:

ImPACT®
ImPACT Pediatric®
ImPACT Quick Test®

TRAINING:

ConcussionCareTraining

GUIDES:

Concussion 101
Concussion Protocol 101
Concussion Care 101

PROVIDERS:

ConcussionCareProviders

APPS:

ImPACT Passport®
ImPACT Toolkit™

RESOURCES:

ConcussionCareResources

Help
Download ImPACT Passport
Help
Download ImPACT Passport
Button

TOOLS:

ImPACT®
ImPACT Pediatric®
ImPACT Quick Test®

TRAINING:

ConcussionCareTraining

APPS:

ImPACT Passport®
ImPACT Toolkit™

Button

GUIDES:

Concussion 101
Concussion Protocol 101
Concussion Care 101

PROVIDERS:

ConcussionCareProviders

RESSOURCES:

ConcussionCareResources

ImPACT Applications Inc Logo

ImPACT Applications, Inc., a Riverside Insights® company, is the maker of ImPACT, ImPACT Pediatric, and ImPACT Quick Test, all FDA cleared medical devices that assist in the assessment and management of concussion. See our milestones here and access our press releases here.

Copyright ImPACT Applications Inc. ©2026. All Rights Reserved | Terms of Use | Privacy Notice | Sitemap