HIPAA BUSINESS ASSOCIATE AGREEMENT (BAA)

This Business Associate Agreement (“Agreement”) forms part of the SAAS SERVICES ORDER AGREEMENT (hereinafter referred to as the “Principal Agreement”) between Fairtility Ltd. (hereinafter referred to as “Fairtility”), acting on its own behalf, and the legal entity that has entered into the Principal Agreement with Fairtility for the provision of Fairtility’s Services (hereinafter referred to as the “Customer”), acting on its own behalf.

The terms used in this Agreement shall have the meanings set forth in this Agreement. Capitalized terms not otherwise defined herein shall take the meaning ascribed to them by HIPAA. The terms of this Agreement will apply only to the extent that they are required under HIPAA. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

1.      Definitions

In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

“Subcontractor” means any subcontractor (including any third party) appointed by Fairtility to process Customer PHI on behalf of the Customer.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations thereunder, as amended, including the Privacy Rule, Security Rule, and Breach Notification Rule, as well as any applicable regulations issued under the HITECH Act.

“PHI” means Protected Health Information as defined under HIPAA, including any information about an identifiable individual that relates to their health or health care, together with related identifying information. In the context of this Agreement, this term shall pertain to PHI provided by or on behalf of the Customer as part of the Services.

“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.

“De-identified Data” means data derived from PHI that has undergone the de-identification process outlined in Annex 2 of this Agreement, or any other De-identified Data as defined under 45 CFR §164.514.

“Services” means the services to be supplied by Fairtility to the Customer pursuant to the Principal Agreement.

“Processing” means any operation performed on PHI, including collection, use, storage, disclosure, or disposal.

“Breach” means a Breach of Unsecured PHI (45 CFR §164.402) involving unauthorized access, use, or disclosure that compromises the security or privacy of PHI.

“Security Incident” means any attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic PHI.

2.      Roles and Responsibility of the Parties

In the course of providing the Services to the Customer pursuant to the Principal Agreement, Fairtility shall process PHI on behalf of the Customer as per the terms of this Agreement. The parties hereby acknowledge and agree that, in relation to the processing of PHI, the Customer shall be deemed the Covered Entity under HIPAA, and Fairtility shall be deemed the Business Associate.

Each party shall comply with all applicable provisions of HIPAA.

In the event any applicable state or local laws impose additional requirements for the handling of PHI or personal data, the parties agree to comply with such requirements in addition to HIPAA.

3.      Customer Obligations

Customer represents and warrants that it has obtained and will maintain all necessary consents, authorizations, or other permissions required under HIPAA and applicable laws to allow for the lawful collection, processing, and transfer of PHI to Fairtility (or any Subcontractors) in accordance with this Agreement and the Principal Agreement. The Customer shall ensure that any PHI disclosed to Fairtility is limited to the minimum necessary to accomplish the intended purpose, as required by HIPAA.

Customer shall not request or require Fairtility or the Services to use or disclose PHI in any manner that would violate HIPAA if performed by Customer, unless expressly permitted under HIPAA for a Business Associate.

Customer agrees to indemnify, defend, and hold harmless Fairtility from and against any claims, damages, or liabilities arising from Customer’s failure to comply with HIPAA or other applicable data protection laws, including failure to obtain the necessary authorizations, consents, or permissions for the disclosure of PHI to Fairtility.

4.      Permitted Uses and Disclosures of PHI

Customer authorizes Fairtility to use and disclose PHI solely as necessary to provide the Services described in the Principal Agreement and as permitted or required under this Agreement and HIPAA. Fairtility shall not use or disclose PHI in a manner that would violate HIPAA if done by Customer, except as expressly permitted for a Business Associate. The permitted uses and disclosures of PHI are further detailed in Annex 2 (Description of Processing).

If Fairtility is required by applicable law to use or disclose PHI in a manner not expressly authorized by this Agreement, Fairtility shall notify Customer prior to such use or disclosure, unless prohibited by law.

Notwithstanding anything to the contrary in this Agreement or the above processing instructions, Fairtility may create and use De-identified Data for its internal business purposes, including but not limited to product development, research, data analytics, and regulatory submissions. Once de-identified in accordance with HIPAA, such data is no longer considered PHI and is not subject to the terms of this Agreement.

5.      Reliability and Non–Disclosure

Fairtility shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to the PHI, ensuring in each case that access is strictly limited to those individuals who require access to the relevant PHI.

Fairtility must ensure that all individuals who have a duty to process PHI:

  • Are informed of the confidential nature of the PHI and are aware of Fairtility’s obligations under this Agreement and the Principal Agreement in relation to the PHI;
  • Have undertaken appropriate training in relation to data protection;
  • Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
  • Are subject to user authentication and login processes when accessing the PHI in accordance with this Agreement, the Principal Agreement and HIPAA.


6.      PHI Security

Fairtility shall implement reasonable and appropriate safeguards to protect PHI from unauthorized access, use, or disclosure. The safeguards include administrative, physical, and technical protections that comply with the HIPAA Security Rule. Fairtility shall conduct regular risk analyses to identify and address vulnerabilities in systems that handle PHI, as required under the HIPAA Security Rule. Details of Fairtility’s security measures are outlined in Annex 1.

7.      Subcontractors

Fairtility may engage Subcontractors to process PHI, provided that:

a)     Fairtility ensures that the subcontractor is bound by written obligations substantially equivalent to those imposed on Fairtility under this Agreement;

b)     The subcontractor implements adequate safeguards to protect PHI in compliance with HIPAA; and

c)     Fairtility remains fully liable to Customer for the acts and omissions of any subcontractor engaged in the processing of PHI.

8.      Individuals’ Rights Requests

Fairtility acknowledges that Customer is responsible for fulfilling individuals’ rights requests, including access, correction, and withdrawal of consent related to PHI.

In the event that Fairtility receives a request from an individual exercising their rights under HIPAA (including, but not limited to, requests for access to, correction of, or withdrawal of consent for their PHI), Fairtility shall promptly notify Customer and provide all reasonable assistance to enable Customer to respond to the request within the timelines set out by HIPAA, including:

(a) Providing Customer with information in its possession that is necessary to comply with individual rights requests;

(b) Implementing any necessary technical or organizational measures to facilitate the exercise of individual rights;

(c) Assisting in the correction or withdrawal of PHI if required by the Customer, in compliance with HIPAA.

Fairtility shall not respond to any direct requests from individuals regarding their PHI unless explicitly authorized to do so by Customer or as otherwise required by HIPAA.

9.      Access and Amendment

Customer acknowledges and agrees that Customer is solely responsible for the form and content of PHI provided for the Services, including whether such PHI is maintained in a manner that facilitates compliance with HIPAA’s Designated Record Set (DRS) obligations.

Where applicable, Fairtility will provide Customer with access to PHI via the Services so that Customer may fulfill its obligations under HIPAA with respect to individuals’ rights of access and correction. However, Fairtility shall have no direct obligations to Customer or any individual regarding rights afforded under HIPAA’s DRS provisions, including rights of access, amendment, or deletion of PHI. Customer is responsible for managing its use of the Services to appropriately respond to such individual requests.

10.   Accounting of Disclosures

To the extent required by HIPAA, and only for disclosures for which an accounting is required under 45 C.F.R. § 164.528, Fairtility shall maintain documentation of such disclosures of PHI and, upon Customer’s written request, provide an accounting of such disclosures to Customer in accordance with HIPAA’s requirements for Business Associates.

11.   Access to Records

To the extent required by law, and subject to applicable legal privileges, Fairtility shall make its internal practices, books, and records concerning the use and disclosure of PHI received from Customer, or created or received by Fairtility on behalf of Customer, available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) solely for the purpose of determining Customer’s compliance with HIPAA.

12.   Security Incident and Breach Notification

Fairtility shall promptly notify Customer of any Security Incident that Fairtility becomes aware of involving PHI, where such incident materially impacts the confidentiality, integrity, or availability of PHI. Such notice shall be made without unreasonable delay following discovery.

In the event of a Breach of Unsecured PHI, Fairtility shall provide notice to Customer without unreasonable delay and in no case later than 30 calendar days after discovery, in accordance with 45 CFR §164.410.

The Breach notification shall include, to the extent known and applicable:

  • A description of the Breach, including the categories and volume of PHI involved.
  • The date of the Breach and the date it was discovered.
  • Steps taken to mitigate potential harm.
  • Any recommended actions Customer should take in response.
  • Contact information for further inquiries.

Fairtility shall send notifications required under this Section to the notification email address provided by Customer in the Principal Agreement or via other direct communication.

13.   Audit Rights

Fairtility shall make available to the Customer, upon request, all documentation necessary to demonstrate compliance with this Agreement, including the security measures protecting PHI. Fairtility shall provide reasonable cooperation to the Customer for audits or inspections required by HIPAA or conducted in response to a Security Incident or Breach. Audits will take place during normal business hours and will not unreasonably interfere with or damage Fairtility’s business activities or its information and network systems. Any audit performed by Customer or by another auditor mandated by the Customer shall be subject to Fairtility’s confidentiality obligations and shall not be more frequent than annually, unless a Breach occurs or there is a reasonably suspected breach of HIPAA or this Agreement by Fairtility. Customer shall bear the costs and expenses of audits, unless they are conducted due to a Breach caused by Fairtility’s non-compliance.

14.   Destruction or Return of PHI

Upon request from Customer and/or upon expiration or termination of the Principal Agreement, within ninety (90) calendar days of receipt of the request or expiration or termination of the Principal Agreement, Fairtility will securely destroy or, if directed in writing by Customer, return and not retain, all or any PHI in its possession or control. Fairtility may temporarily retain one copy made for backup purposes in the ordinary course of business, provided that such an archive copy will be subject to the ongoing obligations contained herein and shall be destroyed upon the normal expiration of backup files in accordance with Fairtility’s backup procedures. Fairtility shall provide any such returned PHI in the format and media reasonably specified by Customer, together with information sufficient for Customer to interpret such information. Upon request, Fairtility will certify in writing that it has destroyed the PHI.

If any law, regulation, or government or regulatory authority requires Fairtility to retain any PHI that Fairtility would otherwise be required to return or destroy, Fairtility will notify Customer in writing of such retention requirement, to the extent legally permitted. In such an event, Fairtility shall retain such data in compliance with HIPAA obligations.

Notwithstanding the foregoing, Fairtility may retain and use anonymized data derived from PHI for its own internal legitimate business purposes at its own discretion, provided that: (i) Fairtility ensures that such data does not in any way identify and cannot be reasonably associated with a particular individual; (ii) Fairtility implements appropriate technical and organizational measures to safeguard the anonymization process and prevent any reasonably potential re-identification; and, (iii) Fairtility maintains and uses such data without attempting to re-identify it.

15.   Authorized User Data

Fairtility may collect and process personal information of authorized users of its Services (“Authorized Users”) (e.g., names, contact details, roles, login credentials and login and usage activity) for the purpose of providing the Services, maintaining system security, providing support and improving functionality and quality of the Services.

Depending on the scope of the Services, Fairtility may also collect and process personal information of staff members of Customer’s clinic (“Staff KPI Data”) (e.g., names, clinic activity logs, and performance insights), for the purpose of generating Key Performance Indicators (“KPIs”), as outlined in the Principal Agreement.

Data related to Authorized Users and Staff KPI Data shall not be considered PHI under this Agreement but will be processed in accordance with applicable privacy laws. Fairtility shall implement appropriate safeguards to protect such data, consistent with the standards outlined in Annex 1.

Customer is responsible for ensuring that all Authorized Users comply with this Agreement and relevant privacy and security requirements when using Fairtility’s platform.

16.     Regulatory Changes

If any amendment to HIPAA or other applicable laws or regulations affects either party’s obligations under this Agreement, the parties shall comply with such changes as required by law. If a modification to this Agreement is necessary to maintain compliance, the parties shall negotiate in good faith to amend the Agreement accordingly.

If the parties are unable to agree on an amendment after reasonable efforts, either party may terminate this Agreement upon at least sixty (60) days’ prior written notice to the other party, unless a shorter period is required by law.

17.   General Terms

Subject to this section, the parties agree that this Agreement shall terminate automatically upon termination of the Principal Agreement or expiry or termination of all service contracts entered into by Fairtility with the Customer, pursuant to the Principal Agreement, whichever is later.

Any obligation imposed on Fairtility under this Agreement in relation to the Processing of PHI shall survive any termination or expiration of this Agreement.

This Agreement shall be governed by the governing law of Israel.

With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, including but not limited to the Principal Agreement, the provisions of this Agreement shall prevail with regard to the PHI shared between the parties.

Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

This Agreement forms an integral part of the Principal Agreement between the parties and is effective and binding upon execution of the Principal Agreement. Signature of this Agreement is not mandatory for its validity.

ANNEX 1:  ORGANISATIONAL AND TECHNICAL MEASURES

  1. Organizational security measures

Security Management

  1. Security policy and procedures: Fairtility to document a security policy with regard to the processing of PHI.
  2. Roles and responsibilities:
    1. Roles and responsibilities related to the processing of PHI to be clearly defined and allocated in accordance with the security policy.
    2. During internal re-organizations or terminations and change of employment, revocation of rights and responsibilities with respective hand-over procedures is clearly defined.
  3. Access Control Policy: Specific access control rights are allocated to each role involved in the processing of PHI, following the need-to-know principle.
  4. Resource/asset management: Fairtility has a register of the IT resources used for the processing of PHI (hardware, software, and network). A specific person is assigned the task of maintaining and updating the register (e.g. IT officer).
  5. Change management: Fairtility makes sure that all changes to the IT system are registered and monitored by a specific person (e.g. IT or security officer). Regular monitoring of this process takes place.

Incident response and business continuity

  1. Incidents handling / PHI breaches:
    1. An incident response plan with detailed procedures is defined to ensure an effective and orderly response to incidents pertaining to PHI.
    2. Fairtility will report without undue delay to Customer any security incident that has resulted in a loss, misuse or unauthorized acquisition of any PHI.
  2. Business continuity: Fairtility establishes the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing PHI (in the event of an incident/PHI breach).

Human resources

  1. Confidentiality of personnel: Fairtility ensures that all employees understand their responsibilities and obligations related to the processing of PHI. Roles and responsibilities are clearly communicated during the pre-employment and/or induction process.
  2. Training: Fairtility ensures that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of PHI are also properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.

  2. Technical security measures

Access control and authentication

  1. An access control system applicable to all users accessing the IT system is implemented. The system allows creating, approving, reviewing and deleting user accounts.
  2. The use of common user accounts is avoided. In cases where this is necessary, it is ensured that all users of the common account have the same roles and responsibilities.
  3. When granting access or assigning user roles, the “need-to-know principle” shall be observed in order to limit the number of users having access to PHI only to those who require it for achieving Fairtility’s processing purposes.
  4. Where authentication mechanisms are based on passwords, Fairtility requires the password to be at least eight characters long and conform to very strong password control parameters including length, character complexity, and non-repeatability.
  5. The authentication credentials (such as user ID and password) shall never be transmitted unprotected over the network.

Logging and monitoring: Log files are activated for each system/application used for the processing of PHI. They include all types of access to data (view, modification, deletion).

Security of data at rest

  1. Server/Database security
    1. Database and application servers are configured to run under a separate account with the minimum OS privileges needed to function correctly.
    2. Database and application servers only process the PHI that is actually needed to achieve the processing purposes.
  2. Workstation security:
    1. Users are not able to deactivate or bypass security settings.
    2. Anti-virus applications and their detection signatures are kept up to date on a regular basis.
    3. Users do not have privileges to install or deactivate unauthorized software applications.
    4. The system enforces session time-outs when the user has not been active for a certain time period.
    5. Critical security updates released by the operating system developer are installed regularly.

Network/Communication security:

  1. Whenever access is performed through the Internet, communication is encrypted through cryptographic protocols.
  2. Traffic to and from the IT system is monitored and controlled through Firewalls and Intrusion Detection Systems.

Data Back-ups:

  1. Backup and data restore procedures are defined, documented and clearly linked to roles and responsibilities.
  2. Backups are given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data.
  3. Execution of backups is monitored to ensure completeness.

Mobile/Portable devices:

  1. Mobile and portable device management procedures are defined and documented establishing clear rules for their proper use.
  2. Mobile devices that are allowed to access the information system are pre-registered and pre-authorized.

Application lifecycle security: During the development lifecycle, best practice, state of the art and well acknowledged secure development practices or standards are followed.

Data deletion/disposal:

  1. Software-based overwriting will be performed on media prior to their disposal. In cases where this is not possible (CDs, DVDs, etc.) physical destruction will be performed.
  2. Shredding of paper and portable media used to store PHI is carried out.

Physical security: The physical perimeter of the IT system infrastructure is not accessible by non-authorized personnel. Appropriate technical measures (e.g. intrusion detection system, chip-card operated turnstile, single-person security entry system, locking system) or organizational measures (e.g., security guard) shall be set in place to protect security areas and their access points against entry by unauthorized persons.


ANNEX 2: DETAILS OF THE DATA PROCESSING

The categories of individuals to whom the PHI relates

Patients of the Customer: IVF treatment patients at the Customer’s clinic who are the subject of data processing.

The types of PHI

1.      Pseudonymized Patient Data:

a.      Embryo and Oocyte Images and Videos

b.      Patient Metadata and Related Clinical Information: Collected automatically through the clinics’ Time Lapse Incubator (TLI) devices or provided by the Customer, including but not limited to:

·       Fertility Treatment Clinical Data: clinic name/ID, country, TLI (device) ID, slide ID, patient ID, well ID, image/video ID, treatment ID, cycle ID, other IDs used by the clinic, date of treatment, date of fertilization, date of oocyte retrieval, date of transfer.

·       Patient and Donor Age: age of the patient (by month and year), age of the oocyte, age of the ovum donor (by month and year), where applicable.

·       Insemination and Embryo Details.

·       Clinical and Diagnostic Data: unidentified clinical information, medical results and demographics as determined by the Customer.

c.      Embryo and Oocyte AI Insights: data produced through Fairtility’s Services, including, but not limited to, AI-based predictions and insights, embryo and oocyte ranks, scores, and status.

d.      Additional Pseudonymized Patient Data: Any other pseudonymized patient data required for the provision of Services.

2.      Optional Data – Patient Direct Identifiers:

For clarification, the processing of any/all of the following data is optional, and is not enabled unless actively requested by the Customer:

a.      Name: First and last name, stored by default only in abbreviated form (first name and first letter of last name), or stored in full form per Customer’s active request;

b.      E-mail address.

The nature and purpose of the processing

Pseudonymized Patient Data is processed for the following purposes:

  1. Providing the Core Services: collection, storage and analysis of data through Fairtility’s artificial intelligence tools, to deliver embryo and oocyte quality assessments and other fertility-related insights and predictions as outlined in the Principal Agreement.
  2. Providing KPI Services: In addition, for customers using CHLOE KPI™, data will be aggregated and analysed for the generation of Key Performance Indicators (“KPIs”), intended to provide health care professionals with analytical insights into their lab and clinic operational performance, as outlined in the Principal Agreement.
  3. De-identification for Fairtility’s Legitimate Business Purposes: Pseudonymized Patient Data undergoes an additional de-identification process, as outlined below, after which such data is used for Fairtility’s legitimate business purposes, including without limitation product development and improvement (e.g., data annotation for machine learning and artificial intelligence model training), research and regulatory submissions.

De-identification Process (“De-identified Data”):

De-identified Data is Patient Data that undergoes a de-identification process which involves the following steps:

a.      Full removal of direct identifiers (name and email address, to the extent Customer chose to share such data).

b.      One-way hashing of pseudonymous patient identifiers used by the clinic to ensure irreversibility, including the hashing of: Slide ID; Patient ID; Well ID; Device ID; Clinic name/ID; Image/video name; Treatment ID; Cycle ID and any other internal ID that may be used by the clinic.

c.      Rounding down to full years of the date-based data points to further protect privacy, such as:

·       Patient age

·       Oocyte age

·       Treatment date

·       Oocyte retrieval date

·       Fertilization date

·       Transfer date

Safeguards Applied to De-identified Data

  1. Secure Data Storage: De-identified Data will be stored and accessed within a dedicated, fully secured environment to ensure data isolation and protection.
  2. Hash Key Security: One-way hashing keys will be safeguarded using industry-standard security measures to prevent unauthorized access.
  3. Irreversible Hashing: Hashing is strictly one-way, preventing any reversal from De-identified Data back to the original pseudonymized data, thereby ensuring data protection and privacy.
  4. Non-Identifiable Data Points: Inherently non-identifiable data points, such as fertilization type, country-level location, and hours post-insemination, will remain unchanged to preserve data utility without compromising privacy.
  5. Restricted Data Usage: Following the de-identification process, De-identified Data will be used solely for Fairtility’s legitimate business purposes.
  6. Key Deletion Upon Contract Termination: Upon contract termination, the one-way hashing key will be permanently deleted.
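The de-identification steps above (removal of direct identifiers, keyed one-way hashing of clinic identifiers, reduction of dates and ages to whole years) and the hash-key safeguards, as an added Python example; this is not Fairtility’s code. The field names, the choice of HMAC-SHA-256 as the keyed hash, mixing the field name into each digest, and bucketing ages over 89 as 90 (the Safe Harbor rule in 45 CFR 164.514(b)(2)) are assumptions of the example. It also shows why safeguards 2 and 3 depend on the key rather than on the hash alone: an unkeyed hash of a short clinic ID can be undone by hashing every plausible ID and comparing, whereas the keyed digest cannot be matched without the key.

```python
from __future__ import annotations

import datetime as dt
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Field groups mirror the Annex 2 steps; the concrete field names are an
# assumption of this example, not Fairtility's schema.
DIRECT_IDENTIFIERS = {"name", "email"}                                   # step a: removed
CLINIC_IDENTIFIERS = {"slide_id", "patient_id", "well_id", "device_id",  # step b: keyed hash
                      "clinic_id", "image_id", "treatment_id", "cycle_id"}
DATE_FIELDS = {"treatment_date", "retrieval_date",                        # step c: year only
               "fertilization_date", "transfer_date"}
AGE_FIELDS = {"patient_age_months", "oocyte_age_months", "donor_age_months"}  # step c: whole years


class HashKey:
    """Secret for the one-way keyed hash (HMAC-SHA-256 here, an assumption).

    An unkeyed hash of a short clinic ID can be undone by hashing every
    plausible ID and comparing; the secret key is what makes the mapping
    one-way for anyone without it, so it is held here and wiped at contract
    end (Annex 2, safeguard 6).
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)

    def digest(self, field: str, value: str) -> str:
        if self._key is None:
            raise RuntimeError("hash key has been destroyed")
        # The field name is mixed in so patient_id "42" and slide_id "42"
        # get different digests (no cross-field linkage); a design choice here.
        return hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()

    def destroy(self) -> None:
        """Safeguard 6: after this, no digest can be produced or re-linked."""
        self._key = None


def year_only(iso_date: str) -> int:
    """Reduce an ISO-8601 date to its year; month and day are dropped."""
    return dt.date.fromisoformat(iso_date).year


def whole_years(age_months: int) -> int:
    """Round an age given in months down to whole years. Ages over 89 are
    bucketed as 90 (Safe Harbor, 45 CFR 164.514(b)(2); added assumption)."""
    return min(age_months // 12, 90)


def deidentify(record: dict, key: HashKey) -> dict:
    """Apply steps a-c of the Annex 2 process to one pseudonymized record."""
    out: dict = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                        # a: drop name/e-mail
        if field in CLINIC_IDENTIFIERS:
            out[field] = key.digest(field, str(value))      # b: keyed one-way hash
        elif field in DATE_FIELDS:
            out[field] = year_only(value)                   # c: dates -> year
        elif field in AGE_FIELDS:
            out[field.replace("_months", "_years")] = whole_years(value)  # c: ages -> years
        else:
            out[field] = value   # safeguard 4: country, fertilization type, hours post-insemination stay
    return out


def plain_sha256(value: str) -> str:
    """The unkeyed alternative, kept only to show why it is insufficient."""
    return hashlib.sha256(value.encode()).hexdigest()


def reverse_plain_hash(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Guessing attack on an unkeyed hash: works whenever the ID space is small."""
    for cand in candidates:
        if plain_sha256(cand) == target:
            return cand
    return None


def reverse_keyed_hash(target: str, candidates: Iterable[str], field: str) -> Optional[str]:
    """Same attack without the key: the attacker must guess a key as well,
    so no candidate matches (a fresh random key stands in for the guess)."""
    attacker_key = HashKey()
    for cand in candidates:
        if attacker_key.digest(field, cand) == target:
            return cand
    return None


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Ada L.", "email": "ada@example.invalid",
    "clinic_id": "CLINIC-07", "patient_id": "P-000123", "slide_id": "S-55",
    "well_id": "3", "device_id": "TLI-9", "image_id": "img-0001",
    "treatment_id": "T-77", "cycle_id": "C-2",
    "treatment_date": "2024-03-14", "retrieval_date": "2024-03-01",
    "fertilization_date": "2024-03-01", "transfer_date": "2024-03-06",
    "patient_age_months": 34 * 12 + 7, "donor_age_months": 27 * 12 + 2,
    "country": "IL", "fertilization_type": "ICSI", "hours_post_insemination": 18.5,
}

if __name__ == "__main__":
    key = HashKey()
    print(deidentify(SAMPLE, key))
    key.destroy()
```

Two properties are worth checking in any implementation of this process. First, records hashed under the same key stay linkable to each other (the same patient_id always yields the same digest), which is what keeps the data usable for model training while the direct identifiers are gone; deleting the key under safeguard 6 is what ends even Fairtility’s own ability to re-link. Second, the key, not the hash function, carries the irreversibility claim in safeguard 3, so it must be stored and access-controlled as a secret (safeguard 2), never alongside the de-identified dataset.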

Patient Direct Identifiers (to the extent enabled by Customer) are processed for the following purposes:

  1. Identification and Usability: The patient’s name is processed to ensure that Platform Users can accurately associate data and insights with the correct patient, thereby minimizing errors and enhancing platform usability. To uphold data minimization principles and promote privacy, this name is displayed in abbreviated form unless otherwise specified by the Customer.
  2. Secure Data Sharing with Patient: The patient’s email address is processed to enable Platform Users to share Patient Data securely with the patient via the Platform’s data-sharing feature.