Business Associate Agreement

Version 3.0 - April 2024

This Business Associate Agreement (the "Agreement") is between the "Customer" identified on the "Order Form" and Anagram Inc. ("Anagram"). Customer and Anagram, collectively, may be referred to herein as the "Parties."

1. Introduction

1.1

Customer and Anagram enter into this Agreement to comply with the requirements of Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, including the privacy, security, breach notification and enforcement rules at 45 C.F.R. Part 160 and Part 164, as well as the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 ("HITECH"), as amended, and other applicable federal and state laws (collectively the "HIPAA Rules").

1.2

This Agreement is intended to ensure that Anagram will establish and implement appropriate safeguards for certain individually identifiable Protected Health Information relating to patients of Customer, if Customer is a Covered Entity, or of Customer's Covered Entity client(s) of whom Customer is a Business Associate ("PHI" as that term is defined below) that Anagram may receive, create, maintain, use or disclose in connection with certain functions, activities and services that Anagram performs for Customer. The functions, activities and services that Anagram performs for Customer are defined in one or more agreements between the Parties (the "Underlying Agreements"). These Underlying Agreements, this Agreement, and any Terms of Service as amended by this Agreement or any Underlying Agreement, (a) is intended by the parties as a final, complete and exclusive expression of the terms of their agreement; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof.

2. Definitions

2.1

Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules, which definitions are incorporated in this Agreement by reference.

2.2 For purposes of this Agreement:

2.2.1
"Electronic Protected Health Information" or "ePHI" shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. 160.103, as applied to the information created, received, maintained or transmitted by Anagram from or on behalf of Customer.
2.2.2
"Individual" shall have the same meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
2.2.3
"Protected Health Information" or "PHI" shall have the meaning given to such term in 45 C.F.R. 160.103, limited to the information created, received, maintained or transmitted by Anagram from or on behalf of Customer.
2.2.4
"Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information published in 45 C.F.R. Parts 160 and 164, Subparts A and E.
2.2.5
"Required by Law" shall have the meaning given to such term in 45 C.F.R. 164.103.
2.2.6
"Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee.
2.2.7
"Security Rule" shall mean the Security Standards at 45 C.F.R. Part 160 and Part 164, Subparts A and C.

3. General Obligations of Anagram

3.1 Use and Disclosure

Anagram agrees not to use or disclose PHI, other than as permitted or required by this Agreement, the Underlying Agreement or Terms of Service, or as Required by Law. To the extent Anagram is carrying out one or more of Customer's obligations under the Privacy Rule pursuant to the terms of the Underlying Agreements, Terms of Service or this Agreement, Anagram shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligation(s).

3.2 Appropriate Safeguards

Anagram shall use appropriate physical, technical and administrative safeguards, and shall comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement or as Required by Law.

3.3 Mitigation

Anagram agrees to mitigate, to the extent practicable, any harmful effect that is known to Anagram as a result of a use or disclosure of PHI by Anagram in violation of this Agreement's requirements or that would otherwise cause a Breach of Unsecured PHI.

3.4 Breach Reporting

Anagram shall report to Customer any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Anagram to Customer of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Customer by Anagram shall be required only upon request. "Unsuccessful Security Incidents" shall include, but not be limited to, pings and other broadcast attacks on Anagram's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Anagram's notification to Customer of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Anagram to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Customer would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.

3.5 Subcontractors

In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Anagram shall enter into a written agreement with any agent or subcontractor that creates, receives, maintains or transmits PHI on behalf of Anagram for services provided to Customer, which provides that the agent agrees to the same restrictions, conditions and requirements that apply to Anagram with respect to such information.

3.6 Access to PHI

Anagram agrees to provide access to PHI in a Designated Record Set to the Customer. If an Individual makes a request for access pursuant to 45 C.F.R. §164.524 directly to Anagram, or inquires about his or her right to access, Anagram, at its sole discretion, may either forward it to Customer or respond to the request directly. If Anagram forwards the request to Customer, any response to such request shall be the responsibility of Customer (or its Covered Entity client). Anagram will make PHI in its possession available to Customer as necessary for Customer (or its Covered Entity client) to respond to such request.

3.7 Minimum Necessary Requirement

Anagram agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

3.8 Amendment of PHI

Anagram agrees to make PHI contained in a Designated Record Set available to Customer for amendment pursuant to 45 C.F.R. § 164.526. If an Individual makes a request for amendment pursuant to 45 C.F.R. § 164.526 directly to Anagram, or inquires about his or her right to access, Anagram shall forward it to Customer. Any response to such request shall be the responsibility of Customer (or its Covered Entity client).

3.9 Accounting of Disclosures

Anagram shall provide to Customer information collected in accordance with Section 3.11 of this Agreement, to permit Customer (or its Covered Entity client) to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If any Individual requests an accounting of disclosures of PHI directly from Anagram, Anagram shall forward such request to Customer. Any response to such request shall be the responsibility of Customer (or its Covered Entity client).

3.10 Access to Policies and Records

Anagram agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Customer, or created or received by Anagram on behalf of Customer, available to the Secretary for the purpose of Customer or the Secretary determining compliance with the HIPAA Rules.

3.11 Documentation of Disclosures

Anagram shall document such disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Anagram shall document, at a minimum, the following information ("Disclosure Information"): (i) the date of the disclosure, (ii) the name and, if known, the address of the recipient of the PHI, (iii) a brief description of the PHI disclosed, (iv) the purpose of the disclosure that includes an explanation of the basis for such disclosure, and (v) any additional information required under the HITECH Act and any implementing regulations.

4. Permitted Uses and Disclosures by Anagram

4.1 General Uses and Disclosures

Anagram agrees to receive, create, use or disclose PHI only as permitted by this Agreement or as necessary to perform the services set forth in the Underlying Agreements, to communicate about discount payment programs that Customer (or its Covered Entity client) may participate in, or as set forth in and in compliance with the Terms of Service, the HIPAA Rules, and only in connection with providing services to Customer; provided that the use or disclosure would not violate the Privacy Rule if done by Customer (or its Covered Entity client), except as set forth in this Article 4.

4.2

Anagram may use or disclose PHI as Required By Law.

4.3 Except as otherwise provided in this Agreement, Anagram may:

4.3.1

Use PHI for the proper management and administration of Anagram, or to carry out its legal responsibilities.

4.3.2

Anagram agrees to make uses and disclosures and requests for PHI consistent with Customer's minimum necessary policies and procedures.

4.3.3

Disclose PHI for the proper management and administration of Anagram or to carry out the legal responsibilities of Anagram, provided that the disclosures are Required by Law, or Anagram obtains prior written reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies Anagram of any instances of which it is aware in which the confidentiality of the information has been breached, in accordance with the breach notification requirements of this Agreement.

4.3.4

Use PHI to provide Data Aggregation Services to Customer as permitted under the HIPAA Rules.

4.3.5

De-identify PHI received or created by Anagram for or on behalf of Customer in accordance with 45 C.F.R. §§ 164.514(a)-(c). Customer acknowledges that such de-identified information no longer constitutes PHI and is not subject to this BAA or the HIPAA Rules.

5. Obligations of Customer

5.1

Customer shall:
5.1.1
Notify Anagram of any limitation(s) in its Notice of Privacy Practices (or that of its Covered Entity client) in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Anagram's use or disclosure of PHI.
5.1.2
Notify Anagram of any restriction to the use or disclosure of PHI that Customer (or its Covered Entity client) has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such changes may affect Anagram's use or disclosure of PHI.
5.1.3
Notify Anagram of any changes in or revocation of permission by an individual to use or disclose his or her PHI, to the extent that such change or revocation may affect Anagram's permitted or required uses and disclosures of PHI.

5.2

Customer shall not request Anagram to use or disclose PHI in any manner that would not be permissible under the Privacy Rule or the Security Rule if done by Customer (or its Covered Entity client), except as provided under Article 4 of this Agreement.

6. Term and Termination

6.1 Term

This Agreement shall be in effect as of the Effective Date and shall terminate on the earlier of the date that:
6.1.1
Either party terminates for cause as authorized under Section 6.2;
6.1.2
All PHI received from Customer, or created or received by Anagram on behalf of Customer, is destroyed or returned to Customer. If it is determined to be infeasible to return or destroy PHI, protections are extended to such information in accordance with Section 6.3;
6.1.3
The Underlying Agreement is terminated.

6.2 Termination for Cause

Upon Customer's knowledge of material breach by Anagram, Customer shall provide an opportunity for Anagram to cure the breach or end the violation. If Anagram does not cure the breach or end the violation within thirty (30) days unless otherwise specified by Customer, or if a material term of this Agreement has been breached and a cure is not possible, Customer may terminate this Agreement and the Underlying Agreement(s), if any, upon written notice to Anagram.

6.3 Obligations of Anagram Upon Termination

Upon termination of this Agreement for any reason, Anagram, with respect to PHI received from Customer, or created, maintained, or received by Anagram on behalf of Customer, shall:
6.3.1
Retain only that PHI that is necessary for Anagram to continue its proper management and administration or to carry out its legal responsibilities;
6.3.2
Return to Customer or, if agreed to by Customer in writing, destroy the remaining PHI that Anagram still maintains in any form;
6.3.3
Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 6.3, for as long as Anagram retains the PHI;
6.3.4
Limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Anagram maintains such PHI;
6.3.5
Return to Customer or destroy the PHI retained by Anagram when it is no longer needed by Anagram for its proper management and administration or to carry out its legal responsibilities.

7. Miscellaneous

7.1 Amendment

The Parties agree to take such action as is necessary to amend this Agreement to comply with the requirements of the HIPAA Rules and any other applicable law.

7.2 Survival

The respective rights and obligations of Anagram under Article 6 of this Agreement shall survive the termination of this Agreement.

7.3 Regulatory References

A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or amended.

7.4 Interpretation

This Agreement shall be interpreted in the following manner:
7.4.1
Any ambiguity shall be resolved in favor of a meaning that permits Customer to comply with the HIPAA Rules.
7.4.2
Any inconsistency between the Agreement's provisions and the HIPAA Rules, including all amendments, as interpreted by the Department of Health and Human Services, court or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the Department of Health and Human Services, the court or the regulatory agency.
7.4.3
Any provision of this Agreement that differs from those mandated by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this Agreement.

7.5 Entire Agreement, Severability

This Agreement constitutes the entire agreement between the Parties related to the subject matter of this Agreement, except to the extent that the Underlying Agreement(s) or Terms of Service, if any, impose more stringent requirements related to the use and protection of PHI upon Anagram. This Agreement supersedes all prior negotiations, discussions, representations or proposals, whether oral or written. This Agreement may not be modified unless done so in writing and signed by a duly authorized representative of both Parties. If any provision of this Agreement, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.

7.6 Assignment

This Agreement will be binding on the successors and assigns of Customer and Anagram. However, this Agreement may not be assigned by Anagram, in whole or in part, without the written consent of Customer. Any attempted assignment in violation of this provision shall be null and void.

7.7 Multiple Counterparts

This Agreement may be executed in two or more counterparts, each of which shall be deemed an original.

7.8 Governing Law

Except to the extent preempted by federal law, this Agreement shall be governed by and construed in accordance with the laws of the state of Delaware.