QRKIEZ BUSINESS ASSOCIATE AGREEMENT (BAA)

Effective Date: January 25, 2026
Last Updated: January 25, 2026

This Business Associate Agreement (“BAA”) is entered into by and between QRKIEZ, Inc., a Delaware corporation (“Business Associate” or “Qrkiez”), and the service provider or organization accepting this BAA (“Covered Entity” or “Provider”).

This BAA supplements and is incorporated into the Qrkiez Provider Addendum and the Qrkiez Terms of Use (collectively, the “Underlying Agreements”). In the event of any conflict, this BAA governs solely with respect to Protected Health Information (PHI).

By accepting this BAA electronically, the Provider agrees to be bound by its terms.

1. Purpose and Scope

Qrkiez provides a technology platform that enables Providers to use certain non-clinical features, including intake forms, scheduling, messaging, and provider dashboards, which may involve the creation, receipt, maintenance, or transmission of Protected Health Information (“PHI”) on behalf of Providers.

This BAA applies only to PHI handled by Qrkiez in connection with Provider-directed use of these features.

For clarity, community posts, public content, social interactions, and parent-to-parent communications are not subject to this BAA. Qrkiez does not provide medical care, diagnosis, treatment, or clinical decision-making.

2. Definitions

Capitalized terms not otherwise defined in this BAA have the meanings set forth in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, and its implementing regulations, including Protected Health Information (PHI), Electronic Protected Health Information (ePHI), Breach, and Security Incident.

3. Permitted Uses and Disclosures of PHI

Qrkiez may use and disclose PHI solely as necessary to provide, operate, maintain, and support the platform features requested by the Provider, to carry out Qrkiez’s obligations under the Underlying Agreements, and to comply with applicable law.

Qrkiez shall not use PHI for diagnosis, treatment, or clinical decision-making; marketing or advertising; independent analytics unrelated to Provider services; or any purpose not expressly permitted by this BAA or required by law.

4. Safeguards

Qrkiez shall implement reasonable and appropriate administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of ePHI, consistent with the HIPAA Security Rule.

Qrkiez does not guarantee absolute security and is not responsible for safeguards outside the scope of the platform or under the Provider’s control.

5. Subcontractors

Qrkiez may engage subcontractors that create, receive, maintain, or transmit PHI on its behalf, provided that such subcontractors are subject to written agreements requiring protections for PHI that are substantially similar to those set forth in this BAA.

6. Reporting of Breaches and Security Incidents

Qrkiez shall notify Provider without unreasonable delay following discovery of a Breach of Unsecured PHI or a Security Incident involving PHI, to the extent required by HIPAA. Such notice will include information reasonably available to Qrkiez at the time of notification.

7. Provider Responsibilities

Provider is solely responsible for determining what PHI is collected through the platform, obtaining all required notices, consents, and authorizations from users, ensuring PHI is used in compliance with HIPAA and applicable laws, and responding to individual rights requests under HIPAA.

Qrkiez does not control, supervise, or direct Provider services or the Provider’s use of PHI.

8. Access, Amendment, and Accounting

To the extent required by HIPAA and applicable to Qrkiez’s role, Qrkiez shall make PHI available to Provider for access requests, assist with amendment requests, and assist with accounting of disclosures. All obligations under this section are limited to PHI maintained by Qrkiez on behalf of Provider within the platform.

9. Term and Termination

This BAA remains in effect for as long as Qrkiez maintains PHI on behalf of Provider. Either party may terminate this BAA for a material breach that is not cured within a reasonable time after written notice.

10. Effect of Termination

Upon termination of this BAA, Qrkiez shall, where feasible and at Provider’s direction, return or destroy PHI maintained on Provider’s behalf, or continue to protect PHI if return or destruction is not feasible.

11. Regulatory Cooperation

Qrkiez shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services as required by HIPAA.

12. No Third-Party Beneficiaries

Nothing in this BAA creates any rights in any third party, including users, patients, or members.

13. Limitation of Liability

To the maximum extent permitted by law, Qrkiez’s liability arising out of or relating to this BAA is subject to the limitations of liability set forth in the Qrkiez Provider Addendum (https://qrkiez.com/provider-addendum) and the Qrkiez Terms of Use.

14. Survival

The obligations relating to PHI protection survive termination of this BAA for so long as Qrkiez maintains PHI.

15. Governing Law

This BAA is governed by and construed in accordance with the laws of the State of California, without regard to conflict-of-laws principles.

Acceptance

By clicking “I Agree,” checking a box, or otherwise electronically accepting this Business Associate Agreement, the Provider acknowledges and agrees that this BAA is a legally binding agreement effective as of the Effective Date above.