BUSINESS ASSOCIATE ADDENDUM

BY ENTERING INTO AN ORDER UNDER WHICH INFINX WILL BE GIVEN ACCESS TO AND/OR USE OF ANY PROTECTED HEALTH INFORMATION, CUSTOMER HEREBY ENTERS INTO THIS BUSINESS ASSOCIATE ADDENDUM (THIS “ADDENDUM”) AND IS LEGALLY BOUND THEREBY. THIS ADDENDUM IS HEREBY ATTACHED TO AND MADE A PART OF THE GENERAL TERMS AND CONDITIONS (“GENERAL TERMS”) SET FORTH AT HTTPS://WWW.INFINX.COM/TERMS-AND-CONDITIONS-FOR-CUSTOMER-AGREEMENTS BY AND BETWEEN THE CONTRACTING INFINX ENTITY PROVIDER DESIGNATED IN THE ORDER(S) ON BEHALF OF ITSELF AND ITS AFFILIATES (INCLUDING WITHOUT LIMITATION, ITS OFF-SHORE AFFILIATES WHICH INCLUDE INFINX SERVICES PVT. LTD., LOCATED IN INDIA, AND INFINX HEALTHCARE PHILIPPINES, INC., LOCATED IN THE PHILIPPINES) (COLLECTIVELY, “INFINX”), AND THE PURCHASING BUSINESS OR OTHER ENTITY (“CUSTOMER”) TO WHICH INFINX PROVIDES SERVICES AS A BUSINESS ASSOCIATE OR SUBCONTRACTOR (AS THOSE TERMS ARE DEFINED PURSUANT TO THE ADMINISTRATIVE SIMPLIFICATION PROVISIONS OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (“HIPAA”)), TO THE EXTENT CUSTOMER IS EITHER A COVERED ENTITY, OR A BUSINESS ASSOCIATE OR SUBCONTRACTOR TO CERTAIN OF CUSTOMER’S CLIENTS, AFFILIATES, AND/OR OTHER RELATED ENTITIES (COLLECTIVELY, “CLIENTS”) THAT ARE SUBJECT TO HIPAA. THE PARTIES ARE ENTERING INTO THIS ADDENDUM TO ASSIST CUSTOMER IN COMPLYING WITH HIPAA, AND TO SET FORTH BUSINESS ASSOCIATE’S OBLIGATIONS UNDER THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT OF 2009 (THE “HITECH ACT”), AND 45 CFR PARTS 160 AND 164, SUBPART C (THE “SECURITY RULE”), SUBPART D (THE “DATA BREACH NOTIFICATION RULE”), AND SUBPART E (THE “PRIVACY RULE”) (COLLECTIVELY, THE “HIPAA REGULATIONS”). CAPITALIZED OR UNCAPITALIZED TERMS USED BUT NOT DEFINED IN THIS ADDENDUM BUT DEFINED IN THE HIPAA REGULATIONS SHALL HAVE THE MEANINGS GIVEN THEM IN THE HIPAA REGULATIONS. THIS ADDENDUM APPLIES TO ANY PROTECTED HEALTH INFORMATION INFINX RECEIVES FROM CUSTOMER OR ITS CLIENTS, OR CREATES, RECEIVES OR MAINTAINS ON BEHALF OF CUSTOMER OR ITS CLIENTS, UNDER ITS AGREEMENTS WITH CUSTOMER, WHICH MAY INCLUDE, WITHOUT LIMITATION, THOSE TERMS AND CONDITIONS SET FORTH IN THE APPLICABLE ORDER, MASTER SERVICES AGREEMENT AND/OR SIMILAR AGREEMENT (EACH, AN “ORDER”). THE PERSON EXECUTING THE ORDER(S) ON BEHALF OF CUSTOMER REPRESENTS AND WARRANTS TO INFINX THAT THEY HAVE FULL LEGAL AUTHORITY TO ACCEPT THE TERMS OF THIS ADDENDUM. ALL CAPITALIZED TERMS USED IN THIS ADDENDUM BUT NOT DEFINED WILL HAVE THE SAME MEANINGS GIVEN IN THE GENERAL TERMS, THE APPLICABLE ORDER OR THE HIPAA REGULATIONS. IN THE EVENT OF A CONFLICT BETWEEN THE TERMS OF THIS ADDENDUM, THE GENERAL TERMS AND THE ORDER, THE FOLLOWING DESCENDING ORDER OF PRECEDENCE WILL CONTROL: THE ORDER, THIS ADDENDUM AND THE GENERAL TERMS, EXCEPT TO THE EXTENT PROVIDED IN SECTION 9 BELOW. THIS ADDENDUM SHALL BE EFFECTIVE AS OF THE DATE ON WHICH CUSTOMER FIRST RECEIVES PRODUCTS OR SERVICES FROM INFINX THAT INVOLVE ACCESS TO OR CUSTODY OF PROTECTED HEALTH INFORMATION BY INFINX OR ITS SUBCONTRACTORS (“EFFECTIVE DATE”), AND IN THE EVENT SUCH EFFECTIVE DATE IS PRIOR TO THE EFFECTIVE DATE OF ANY APPLICABLE ORDER, THE PARTIES HEREBY AGREE THAT THE GENERAL TERMS APPLY TO THIS ADDENDUM FROM ITS EFFECTIVE DATE.

AGREEMENT

Infinx may use and disclose the Protected Health Information to provide the products and/or services contemplated by the Orders. Except as expressly provided below, this Addendum does not authorize Infinx to make any use or disclosure of Protected Health Information that Customer would not be permitted to make.
Infinx will:

Not use or further disclose the Protected Health Information except as permitted by the Orders or this Addendum, or as required by law;
Use appropriate safeguards, and comply, where applicable, with the HIPAA Security Rule with respect to electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than as provided for by the Orders or this Addendum;
Promptly report to Customer any use or disclosure of the Protected Health Information not provided for by the Orders or this Addendum of which it becomes aware, including breaches of unsecured Protected Health Information as required by the Data Breach Notification Rule (45 CFR § 164.410), and any Security Incident of which Infinx becomes aware. Notwithstanding the foregoing, Customer and Infinx hereby agree that Infinx receives frequent, routine, unsuccessful attempts to penetrate or compromise its systems, including pings, port scans and log on attempts, and that this constitutes Infinx’s report and notification to Customer of such events, and no further reporting of such Security Incidents is required unless these attempts result in an unauthorized access to, use, disclosure, destruction or loss of electronic Protected Health Information.
Ensure that any of Infinx’s subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Infinx agree in writing to the same or substantially similar restrictions and conditions that apply to Infinx with respect to such information, including compliance with the HIPAA Security Rule with respect to electronic Protected Health Information;
Make any Protected Health Information in a designated record set available to Customer to enable Customer (or its Client as applicable) to meet its obligation to provide access to the information in accordance with 45 CFR § 164.524;
Make any Protected Health Information in a designated record set available for amendment and incorporate any amendments to Protected Health Information as directed by Customer pursuant to 45 CFR § 164.526;
Make available to Customer the information concerning disclosures that Infinx makes of the Protected Health Information as required to enable Customer (or its Client as applicable) to provide an accounting of disclosures in accordance with 45 CFR § 164.528;
To the extent that Infinx carries out Customer’s (or its Client’s as applicable) obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Customer (or to its Client as applicable) in the performance of such obligations;
To the extent Infinx performs Medicare eligibility or related revenue cycle services involving ASC X12 270/271 (HIPAA health care eligibility inquiry and response) transactions, Infinx acknowledges the HIPAA Eligibility Transaction System (HETS) Rules of Behavior and agrees to comply with such rules as applicable to Infinx’s performance of those services on behalf of Customer.
Upon expiration or termination of the Orders, promptly return or destroy all of the Protected Health Information that Infinx still maintains in any form and retain no copies of such information or, if return or destruction is not feasible, extend the protections of this Addendum to that information and limit further use and disclosure to those purposes that make the return or destruction of the information infeasible.

If a Party determines that the other Party has violated a material term of this Addendum, and if other Party fails to cure such violation within 30 days of delivery of written notice thereof, the non-violating Party may immediately terminate this Addendum upon notice to other Party.
Infinx may use the Protected Health Information for the management and administration of Infinx’s company and to carry out Infinx’s own legal responsibilities, and Infinx may disclose the information for these purposes if Infinx is required to do so by law, or if Infinx obtains reasonable assurances from the recipient of the information (a) that it will be held confidentially, and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (b) that the recipient will notify Infinx of any instances of which the recipient is aware in which the confidentiality of the information is breached.
Infinx may use the Protected Health Information for data aggregation, as permitted by the Privacy Rule.
Infinx may de-identity the Protected Health Information, in compliance with the requirements of 45 C.F.R. Section 164.514. Infinx shall be the owner of such de-identified data.
Infinx shall make its internal practices, books and records relating to the use and disclosure of the Protected Health Information available to the Secretary of the United States Department of Health and Human Services, or his or her designee for purposes of determining Customer’s (or its Client’s as applicable) compliance with the HIPAA standards. Records requested that are not protected by applicable legal privilege will be made available in the time and manner specified by the Secretary.
This Addendum applies to all present and future contracts and relationships between Customer and Infinx, written or unwritten, formal or informal, in which Customer provides or makes available any Protected Health Information to Infinx in any form whatsoever. As of the Effective Date, this Addendum automatically amends all existing agreements between Infinx and Customer involving the use or disclosure of Protected Health Information. This Addendum shall automatically be incorporated in all subsequent agreements between Infinx and Customer involving the use or disclosure of Protected Health Information, in which a business associate or subcontractor relationship exists, whether or not specifically referenced therein.
This Addendum is to be interpreted in accordance with HIPAA, the HITECH Act, and the regulations promulgated thereunder, as amended from time to time. The terms of this Addendum shall prevail in the case of any conflict with the terms of any Orders to the extent necessary to allow Customer to comply with the Privacy Rule.
Nothing in this Addendum shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever. Subject to Section 2(d) above, Infinx may delegate its obligations under this Addendum without consent of the Infinx, including without limitation to subcontractors located outside of the United States.
This Addendum contains the entire agreement and understanding between the Parties with respect to the subject matter hereof and supersedes any prior or contemporaneous written or oral agreements, representations and warranties between them respecting the subject matter hereof.

Business Associate Addendum, Version 1.2, Promulgated May 7, 2026.

Patient Access

HIM & Medical Coding

Revenue Integrity

Medical Billing

Revenue Acceleration

Healthcare Contact Center

Full Service RCM Optimization

Healthcare Revenue OS

Revenue Cycle Agent Platform

EMR, EHR, PMS, LIS, RIS Integrations

Payer, Clearinghouse & Benefit Manager Connections

Security & Compliance

Custom Solutions

Document Capture Plus

Patient Access Plus

RCM Plus

Revenue Cycle Agent Platform

Agent Catalogs

Tackling RCM Challenges Unique To Specific Specialties

Ambulatory Surgery Centers (ASC)

Acute Care Hospitals

Rural Hospitals

Physician Groups

LTC Pharmacies

Dental Practices

ROI Assessment Tools

Webinars

How We Help Our Clients

Articles

White Papers

Revenue Cycle Optimized Podcast

Free Tools

Trade Shows

Weekly Office Hours

Our Mission

Our Partners

Our Results

Media

BUSINESS ASSOCIATE ADDENDUM

Subscribe To Newsletter

Request A Demo

Office Hours