This 42 CFR Part 2 and Qualified Service Organization Addendum ("Part 2 Addendum") is incorporated into and forms part of the Terms of Use agreement ("Agreement") between Customer and FortaTech Security, LLC d/b/a Bastion Intelligence ("FortaTech Security, LLC"). Where a HIPAA Business Associate Agreement ("BAA") is in effect between the Parties, this Part 2 Addendum also supplements the BAA. This Part 2 Addendum applies, without further action by either Party, to any Customer that is a Part 2 Program, a Lawful Holder of Part 2 Records, or that otherwise transmits, uploads, inputs, or permits Part 2 Records to be transmitted to or through the Services. The contractual protections of this Part 2 Addendum apply to all Part 2 Records actually received, created, maintained, or transmitted by FortaTech Security, LLC on Customer's behalf, from the date such Part 2 Records are first handled by FortaTech Security, LLC.
This Part 2 Addendum operates under three parallel regulatory frameworks depending on Customer's status with respect to Part 2 Records, as described in Section 2:
- For Part 2 Program Customers, this Part 2 Addendum is intended to constitute a Qualified Service Organization Agreement ("QSOA") under 42 CFR § 2.11 and to satisfy the written-agreement condition for disclosures from a Part 2 Program to a QSO under 42 CFR § 2.12(c)(4).
- For HIPAA Lawful Holder Customers (covered entities and business associates), redisclosure of Part 2 Records to FortaTech Security, LLC is governed by HIPAA pursuant to 42 CFR § 2.33(b)(1), and this Part 2 Addendum supplements the BAA (where in effect) with the Part 2-specific protections that travel with Part 2 Records.
- For Non-HIPAA Lawful Holder Customers (lawful holders that are not covered entities or business associates), this Part 2 Addendum is intended to constitute the written contract required under 42 CFR § 2.33(c) for redisclosures to contractors and subcontractors, and does not depend on the existence of a BAA.
No separate signature, attestation, in-product designation, or written notice is required for this Part 2 Addendum to take effect. However, because FortaTech Security, LLC cannot reliably determine from data content alone whether particular Customer Data constitutes Part 2 Records, Customer is strongly encouraged to notify FortaTech Security, LLC in writing at legal@bastionintelligence.com if Customer is or becomes a Part 2 Program or Lawful Holder. As described more fully in Section 6(b), several operational workflows under this Part 2 Addendum cannot be fully performed without such written notification. Either Party may request a signed counterpart of this Part 2 Addendum at any time, and FortaTech Security, LLC will provide one upon reasonable request.
If there is any conflict between a provision of this Part 2 Addendum and a provision of the Agreement or, where in effect, the BAA, with respect to Part 2 Records, this Part 2 Addendum will control.
SECTION 01: Definitions
Except as otherwise defined in this Part 2 Addendum, capitalized terms shall have the definitions set forth in 42 CFR Part 2, the BAA (where in effect), or the Agreement. If a term is defined in both 42 CFR Part 2 and HIPAA, the 42 CFR Part 2 definition controls for purposes of this Part 2 Addendum.
- Part 2: The federal regulations at 42 CFR Part 2 governing the confidentiality of substance use disorder patient records, as amended from time to time, including by the Confidentiality of Substance Use Disorder Patient Records Final Rule published by the U.S. Department of Health and Human Services on February 16, 2024, and any subsequent amendments.
- Part 2 Program: Shall have the same meaning as the term "part 2 program" in 42 CFR § 2.11.
- Part 2 Program Customer: A Customer that is itself a Part 2 Program.
- Lawful Holder: A person or entity that has received Part 2 Records pursuant to a valid patient consent meeting the requirements of 42 CFR § 2.31, or as otherwise authorized under 42 CFR Part 2.
- HIPAA Lawful Holder Customer: A Customer that is a Lawful Holder and is itself a HIPAA covered entity or business associate, but is not itself a Part 2 Program.
- Non-HIPAA Lawful Holder Customer: A Customer that is a Lawful Holder but is neither a HIPAA covered entity or business associate nor a Part 2 Program.
- Patient Identifying Information: Shall have the same meaning as the term "patient identifying information" in 42 CFR § 2.11.
- Part 2 Records or Records: "Records" as defined in 42 CFR § 2.11, in any form, that are received by FortaTech Security, LLC from, or created, received, maintained, or transmitted by FortaTech Security, LLC on behalf of, Customer through the use of the Services, and that are subject to 42 CFR Part 2.
- Qualified Service Organization or QSO: Shall have the same meaning as the term "qualified service organization" in 42 CFR § 2.11.
- Qualified Service Organization Agreement or QSOA: A written agreement satisfying the requirements of 42 CFR § 2.11 and the disclosure conditions of 42 CFR § 2.12(c)(4).
- Contract Agent: A person or entity engaged by FortaTech Security, LLC to assist in providing the Services described in this Part 2 Addendum, who receives Part 2 Records only as necessary to provide such assistance and who further discloses Part 2 Records only back to FortaTech Security, LLC or to the originating Part 2 Program or Lawful Holder, consistent with SAMHSA's longstanding interpretation of permissible QSO redisclosure to contract agents and with 42 CFR § 2.33(c) for lawful holder contractor flow-down.
- § 2.32 Statement: One of the two written statements prescribed by 42 CFR § 2.32(a), namely (i) the longer statement set forth at § 2.32(a)(1), or (ii) the abbreviated statement set forth at § 2.32(a)(2): "42 CFR part 2 prohibits unauthorized use or disclosure of these records."
SECTION 02: Acknowledgments by FortaTech Security, LLC
a. Part 2 Program Customers — Qualified Service Organization Acknowledgments
With respect to any Part 2 Records that a Part 2 Program Customer transmits to or through the Services, or that FortaTech Security, LLC otherwise receives from, or creates, maintains, or transmits on behalf of, a Part 2 Program Customer through the use of the Services, FortaTech Security, LLC acknowledges and agrees that:
- FortaTech Security, LLC is providing services to Customer of the type described in 42 CFR § 2.11, which may include data processing, hosting, secure storage, transcription, summarization, artificial intelligence assisted drafting, and related administrative and technical services;
- FortaTech Security, LLC is a Qualified Service Organization (QSO) under 42 CFR § 2.11 with respect to Customer;
- In receiving, storing, processing, or otherwise dealing in any manner with Part 2 Records, FortaTech Security, LLC is fully bound by 42 CFR Part 2; and
- If necessary, FortaTech Security, LLC will resist in judicial proceedings any efforts to obtain access to Patient Identifying Information related to substance use disorder diagnosis, treatment, or referral for treatment, except as expressly permitted by 42 CFR Part 2.
This Part 2 Addendum is intended to constitute a Qualified Service Organization Agreement (QSOA) within the meaning of 42 CFR § 2.11 and to satisfy the written-agreement condition for disclosures from a Part 2 Program to a QSO under 42 CFR § 2.12(c)(4).
b. HIPAA Lawful Holder Customers — HIPAA Pathway Acknowledgments
With respect to any Part 2 Records that a HIPAA Lawful Holder Customer transmits to or through the Services, or that FortaTech Security, LLC otherwise receives from, or creates, maintains, or transmits on behalf of, a HIPAA Lawful Holder Customer through the use of the Services, FortaTech Security, LLC acknowledges and agrees that:
- The redisclosure of Part 2 Records from Customer to FortaTech Security, LLC is governed by HIPAA pursuant to 42 CFR § 2.33(b)(1), and where a BAA is in effect, the BAA governs the relationship between Customer and FortaTech Security, LLC as a HIPAA business associate; the § 2.33(c) contractor framework does not apply to this redisclosure pathway;
- Notwithstanding the HIPAA-aligned redisclosure pathway, Part 2 Records received by FortaTech Security, LLC remain subject to all protections of 42 CFR Part 2 by virtue of their character as Part 2 Records;
- FortaTech Security, LLC is bound by 42 CFR Part 2 with respect to Part 2 Records it handles on Customer's behalf, including the safeguards of 42 CFR § 2.16, the notice and consent-documentation requirements of 42 CFR § 2.32 applicable to consent-based disclosures, the duty to provide prompt notification to Customer of breaches of Part 2 Records consistent with 42 CFR § 2.16(b) and to cooperate with Customer's own reporting obligations under the HIPAA Breach Notification Rule (as aligned with § 2.16(b) by the 2024 Final Rule), and the prohibition on the use of Part 2 Records in any civil, criminal, administrative, or legislative proceeding against a patient except pursuant to a court order under 42 CFR § 2.64 or § 2.65; and
- If necessary, FortaTech Security, LLC will resist in judicial proceedings any efforts to obtain access to Patient Identifying Information related to substance use disorder diagnosis, treatment, or referral for treatment, except as expressly permitted by 42 CFR Part 2.
This Part 2 Addendum supplements the BAA (where in effect) with respect to the Part 2-specific protections that travel with Part 2 Records received from a HIPAA Lawful Holder Customer.
c. Non-HIPAA Lawful Holder Customers — § 2.33(c) Contractor Acknowledgments
With respect to any Part 2 Records that a Non-HIPAA Lawful Holder Customer transmits to or through the Services, or that FortaTech Security, LLC otherwise receives from, or creates, maintains, or transmits on behalf of, a Non-HIPAA Lawful Holder Customer through the use of the Services, FortaTech Security, LLC acknowledges and agrees that:
- FortaTech Security, LLC is a contractor of Customer engaged to assist Customer in carrying out the payment, health care operations, and related activities permitted under 42 CFR § 2.33(b)(3) and Customer's applicable patient consents;
- FortaTech Security, LLC is fully bound by 42 CFR Part 2 upon receipt of any Part 2 Records or Patient Identifying Information;
- FortaTech Security, LLC shall implement appropriate safeguards to prevent unauthorized uses and disclosures of Part 2 Records, consistent with 42 CFR § 2.16;
- FortaTech Security, LLC shall promptly report any unauthorized uses, disclosures, or breaches of Part 2 Records to Customer to support Customer's own notification obligations, in accordance with Section 4(c); and
- If necessary, FortaTech Security, LLC will resist in judicial proceedings any efforts to obtain access to Patient Identifying Information related to substance use disorder diagnosis, treatment, or referral for treatment, except as expressly permitted by 42 CFR Part 2.
This Part 2 Addendum is intended to constitute the written contract required under 42 CFR § 2.33(c) for redisclosures by a Non-HIPAA Lawful Holder to its contractors and subcontractors.
d. Concurrent Application
To the extent a Customer is, or transitions among, more than one of the categories described in this Section 2 (for example, a Customer that is both a Part 2 Program and a HIPAA covered entity), the corresponding subsections apply concurrently with respect to applicable Part 2 Records, and the more protective provisions of this Part 2 Addendum control.
SECTION 03: Permitted Uses and Disclosures of Part 2 Records
a. Performance of the Services
FortaTech Security, LLC may Use and Disclose Part 2 Records only as necessary to provide the Services to Customer under the Agreement, and only in a manner that would be permissible under 42 CFR Part 2 if performed by Customer.
For clarity, FortaTech Security, LLC may process Part 2 Records through artificial intelligence or machine-learning functionality only as transient, Customer-directed processing necessary to generate outputs for Customer through the Services. Such processing does not permit FortaTech Security, LLC or any third party to retain or use Part 2 Records or information derived from Part 2 Records for model training, fine-tuning, evaluation, development, validation, benchmarking, testing, or improvement.
b. No Redisclosure Without Consent or Authorization
FortaTech Security, LLC shall not Use or Disclose Part 2 Records for any purpose other than providing the Services, and shall not redisclose Part 2 Records to any person or entity except:
- Pursuant to a valid written patient consent that meets the requirements of 42 CFR § 2.31;
- Pursuant to a court order issued in compliance with 42 CFR Part 2 Subpart E;
- For a medical emergency, in compliance with 42 CFR § 2.51;
- To a Subcontractor or Contract Agent that has entered into an agreement satisfying Section 4(d) of this Part 2 Addendum; or
- As otherwise expressly permitted by 42 CFR Part 2.
c. Prohibited Uses
FortaTech Security, LLC shall not Use or Disclose Part 2 Records, or any information derived from Part 2 Records, for any of the following purposes:
- Marketing, advertising, or fundraising;
- Sale of Part 2 Records;
- Training, fine-tuning, evaluation, development, validation, benchmarking, testing, or improvement of any artificial intelligence model, machine-learning model, foundation model, large language model, speech-recognition model, embedding model, analytics model, or similar technology, whether operated by FortaTech Security, LLC or any third party, using Part 2 Records or any information derived from Part 2 Records. This prohibition applies regardless of whether the Part 2 Records are included in prompts, uploads, audio, transcripts, outputs, metadata, logs, embeddings, feedback, annotations, de-identified data sets, aggregated data sets, or other derived materials;
- Use in any civil, criminal, administrative, or legislative proceeding against a patient, except pursuant to a court order that complies with 42 CFR Part 2 Subpart E; or
- Any other purpose not expressly authorized by this Part 2 Addendum, the Agreement, the BAA (where in effect), or 42 CFR Part 2.
d. Notice and Consent Documentation Requirements for Disclosures
The notice and consent-documentation requirements that accompany Disclosures of Part 2 Records under 42 CFR Part 2 depend on the type of Disclosure being made. The Parties agree as follows:
(i) Consent-Based Disclosures
Any Disclosure of Part 2 Records by FortaTech Security, LLC made pursuant to a patient's written consent under 42 CFR § 2.31 shall be accompanied by:
- A § 2.32 Statement, in either the longer form set forth at 42 CFR § 2.32(a)(1) or the abbreviated form set forth at 42 CFR § 2.32(a)(2); and
- A copy of the patient's consent or a clear explanation of the scope of the consent provided, as required by 42 CFR § 2.32(b).
(ii) § 2.33(c) Subcontractor and Contract Agent Disclosures
Where FortaTech Security, LLC, acting as a contractor of a Non-HIPAA Lawful Holder Customer under 42 CFR § 2.33(c), rediscloses Part 2 Records to a Subcontractor or Contract Agent as permitted under Section 4(d)(iii), FortaTech Security, LLC shall furnish the Subcontractor or Contract Agent with a § 2.32 Statement, consistent with the requirement in 42 CFR § 2.33(c) that lawful holders making such redisclosures furnish recipients with the notice required under § 2.32. The copy-of-consent or scope-explanation requirement under § 2.32(b) does not apply to these redisclosures.
(iii) Other Permitted Disclosures
Disclosures permitted under this Part 2 Addendum or 42 CFR Part 2 on bases other than written consent or § 2.33(c), including Disclosures pursuant to a court order under 42 CFR Part 2 Subpart E, Disclosures in a medical emergency under § 2.51, and Disclosures to Contract Agents under Section 4(d)(i) where FortaTech Security, LLC is acting as a QSO of a Part 2 Program Customer, are subject to the notice, documentation, and procedural requirements specific to those Disclosures under 42 CFR Part 2, rather than the requirements of § 2.32, although FortaTech Security, LLC may include a § 2.32 Statement with any such Disclosure where doing so does not conflict with applicable law.
SECTION 04: Responsibilities of FortaTech Security, LLC with Respect to Part 2 Records
a. Safeguards
FortaTech Security, LLC shall implement and maintain administrative, physical, and technical safeguards that comply with 42 CFR § 2.16 and that are designed to prevent unauthorized Use or Disclosure of Part 2 Records. These safeguards shall be at least as protective as those required of FortaTech Security, LLC under the HIPAA Security Rule and, where a BAA is in effect, the BAA.
b. Resistance to Compulsory Process
If FortaTech Security, LLC receives a subpoena, civil investigative demand, court order, warrant, or other legal process from a governmental authority or third party seeking Part 2 Records, FortaTech Security, LLC shall, to the extent permitted by applicable law:
- Promptly notify Customer in writing before disclosing any Part 2 Records, so that Customer may seek a protective order or other appropriate relief;
- Resist the request to the extent the request does not comply with 42 CFR Part 2, including the order requirements of 42 CFR Part 2 Subpart E;
- Reasonably cooperate, at Customer's expense, with Customer's efforts to limit, quash, or challenge the request; and
- Disclose only the minimum Part 2 Records legally required to comply with the request, and only after applicable Part 2 Subpart E requirements have been satisfied.
c. Breach Reporting to Customer
FortaTech Security, LLC shall promptly report to Customer any acquisition, access, Use, or Disclosure of Part 2 Records in a manner not permitted by this Part 2 Addendum, the Agreement, the BAA (where in effect), or 42 CFR Part 2, in order to enable Customer to comply with Customer's own notification obligations under 42 CFR § 2.16(b), the HIPAA Breach Notification Rule (as aligned with § 2.16(b) by the 2024 Final Rule), and any other applicable law.
Notification will be made without unreasonable delay and in no event more than seventy-two (72) hours after FortaTech Security, LLC's discovery, and will include such information as is reasonably available to FortaTech Security, LLC and reasonably required by Customer to make its own notifications.
FortaTech Security, LLC shall reasonably cooperate with Customer's breach investigation, mitigation, and notification activities. Where the same event constitutes both a Breach of Unsecured Protected Health Information under HIPAA and a breach of Part 2 Records, a single combined notification that satisfies the requirements of both rules will be sufficient. Nothing in this Section 4(c) shall be construed to require FortaTech Security, LLC to make notifications directly to HHS, patients, or the media, all of which remain the responsibility of Customer (or, where applicable, Customer's covered entity principal) under 42 CFR Part 2 and HIPAA.
d. Subcontractors and Contract Agents
FortaTech Security, LLC may engage Subcontractors and Contract Agents to assist in performing the Services described in this Part 2 Addendum, subject to the following framework, which applies according to the status of the Customer from which the relevant Part 2 Records originated:
(i) Records From Part 2 Program Customers
FortaTech Security, LLC may redisclose Part 2 Records only to Contract Agents who assist FortaTech Security, LLC in providing the Services described in this Part 2 Addendum, and only to the extent such Contract Agents further disclose Part 2 Records solely back to FortaTech Security, LLC or to the originating Part 2 Program Customer. This is consistent with SAMHSA's longstanding interpretation that a QSO may redisclose Part 2 Records to contract agents performing services on the QSO's behalf, and with the limits on such redisclosure described in 42 CFR Part 2 and SAMHSA guidance. The Parties acknowledge that any such Contract Agent is bound by 42 CFR Part 2 by operation of regulation and the agent doctrine when it receives, stores, processes, or otherwise deals with Part 2 Records on FortaTech Security, LLC's behalf.
(ii) Records From HIPAA Lawful Holder Customers
Redisclosure of Part 2 Records from FortaTech Security, LLC to its Subcontractors and Contract Agents that are HIPAA business associates is governed by HIPAA pursuant to 42 CFR § 2.33(b)(1) and, where a BAA is in effect, by the BAA's subcontractor flow-down provisions, supplemented by the Part 2-specific protections set out in this Section 4(d)(iv). The § 2.33(c) contractor framework does not govern this redisclosure pathway.
(iii) Records From Non-HIPAA Lawful Holder Customers
FortaTech Security, LLC may redisclose Part 2 Records to its Subcontractors and Contract Agents only as necessary for such Subcontractors and Contract Agents to assist FortaTech Security, LLC in carrying out the payment, health care operations, and related activities described in this Part 2 Addendum, consistent with 42 CFR § 2.33(b)(3) and (c). FortaTech Security, LLC shall not permit such Subcontractors or Contract Agents to redisclose Part 2 Records to any third party unless that third party is itself a contract agent of the Subcontractor that is helping the Subcontractor provide services described in its contract with FortaTech Security, LLC, and only so long as the agent further discloses Part 2 Records solely back to the Subcontractor, FortaTech Security, LLC, or the originating Non-HIPAA Lawful Holder.
(iv) Flow-Down Contractual Requirements (All Paths)
FortaTech Security, LLC shall not engage any Subcontractor or Contract Agent to create, receive, maintain, or transmit Part 2 Records on its behalf unless the Subcontractor or Contract Agent is bound by a written agreement (which may be the Subcontractor's or Contract Agent's standard customer agreement, business associate agreement, data protection addendum, or equivalent) that, taken as a whole and read together with the Subcontractor's or Contract Agent's obligations under 42 CFR Part 2 by operation of regulation, provides substantively equivalent protection to Part 2 Records as this Part 2 Addendum provides, including:
- Acknowledgment that the Subcontractor or Contract Agent is bound by 42 CFR Part 2 with respect to Part 2 Records it handles on FortaTech Security, LLC's behalf;
- Confidentiality, security, and permitted-use restrictions on Part 2 Records that are at least as protective as those imposed on FortaTech Security, LLC under this Part 2 Addendum, including safeguards satisfying 42 CFR § 2.16;
- A restriction limiting the Subcontractor's or Contract Agent's use of Part 2 Records to the performance of services for FortaTech Security, LLC and prohibiting redisclosure except as permitted by 42 CFR Part 2 or back to FortaTech Security, LLC or the originating Part 2 Program or Lawful Holder;
- Inclusion of a § 2.32 Statement (and, where applicable, a copy or scope explanation of the underlying patient consent) with any permitted further disclosure, consistent with Section 3(d) and the applicable redisclosure pathway;
- A requirement that the Subcontractor or Contract Agent promptly report any unauthorized uses, disclosures, or breaches of Part 2 Records to FortaTech Security, LLC; and
- Commitments by the Subcontractor or Contract Agent with respect to compulsory legal process seeking customer data that, at a minimum, require the Subcontractor or Contract Agent to (A) notify FortaTech Security, LLC before disclosure where legally permitted, (B) limit any disclosure to the minimum legally required, and (C) reasonably cooperate with efforts by FortaTech Security, LLC or Customer to challenge, quash, or narrow the request, which together with the Subcontractor's or Contract Agent's independent obligations under 42 CFR Part 2 are intended to satisfy the resistance-to-judicial-proceedings element of 42 CFR § 2.11 where applicable.
FortaTech Security, LLC remains responsible to Customer for its Subcontractors' and Contract Agents' compliance with this Part 2 Addendum with respect to Part 2 Records, and shall maintain a list of Subcontractors and Contract Agents that handle Part 2 Records, which it will make available to Customer upon reasonable written request.
e. Notice of Civil and Criminal Penalties
FortaTech Security, LLC acknowledges that violations of 42 CFR Part 2 may subject the violator to civil and criminal penalties under 42 U.S.C. § 290dd-2 and the enforcement provisions of 42 CFR Part 2, as amended by the 2024 Final Rule aligning Part 2 enforcement with HIPAA. FortaTech Security, LLC shall inform its workforce members and Subcontractors and Contract Agents who handle Part 2 Records of these penalties.
f. Accounting of Disclosures and Intermediary Lists
At Customer's written request, FortaTech Security, LLC shall make available to Customer such information about Disclosures of Part 2 Records made by FortaTech Security, LLC as is reasonably required for Customer to comply with:
- Intermediary list requirements under 42 CFR § 2.24, to the extent applicable to Customer. FortaTech Security, LLC shall respond to such requests within thirty (30) days of receipt.
- The accounting of disclosures requirements under 42 CFR § 2.25, if and when those requirements become applicable to Customer following the establishment by HHS of a compliance date for § 2.25. The Parties acknowledge that, under the 2024 Final Rule, the effective and compliance dates for § 2.25 are tolled pending revisions to the corresponding HIPAA accounting-of-disclosures rule at 45 CFR § 164.528, and that until those revisions take effect and a § 2.25 compliance date is set, this provision of Section 4(f) does not impose a live regulatory obligation.
- The accounting of disclosures requirements under 45 CFR § 164.528, where a BAA is in effect and the BAA's accounting provisions apply. FortaTech Security, LLC shall respond to such requests within the timeframe set by the BAA or, absent such a timeframe, within sixty (60) days of receipt.
g. Patient Requests Received Directly
If FortaTech Security, LLC receives a request directly from an individual concerning Part 2 Records (including a request for access, accounting, amendment, restriction, or revocation of consent), FortaTech Security, LLC shall forward the request to Customer within ten (10) business days and shall not respond substantively to the request except at Customer's written direction.
h. No Use for Model Training
For the avoidance of doubt, FortaTech Security, LLC shall not Use Part 2 Records, or any data derived from Part 2 Records, to train, fine-tune, evaluate, or develop any artificial intelligence or machine learning model maintained by FortaTech Security, LLC or any third party, including any third party model provider. This commitment aligns with the more general no-training commitment that FortaTech Security, LLC makes to all Customers with respect to Customer Data, as reflected in the Agreement and FortaTech Security, LLC's published privacy commitments. To the extent any narrow exception to this prohibition could be construed under 42 CFR Part 2, FortaTech Security, LLC will not engage in such use absent a valid written patient consent meeting the requirements of 42 CFR § 2.31 and Customer's express written authorization.
SECTION 05: Customer Responsibilities
a. Lawful Source of Part 2 Records
Customer represents and warrants that it is a Part 2 Program, a Lawful Holder of Part 2 Records, or is otherwise lawfully entitled under 42 CFR Part 2 to disclose Part 2 Records to FortaTech Security, LLC for the purposes contemplated by this Part 2 Addendum.
b. Patient Consents and Authorizations
Customer is solely responsible for obtaining, documenting, maintaining, and where required revoking all patient consents, authorizations, and court orders necessary to permit the Disclosures contemplated by this Part 2 Addendum and Customer's use of the Services, including any consent required under 42 CFR § 2.31 and the redisclosure pathway under 42 CFR § 2.33(b) applicable to Customer's status.
c. Compliance with Documentation
Customer shall use the Services in accordance with FortaTech Security, LLC's then-current published documentation, including any documentation describing recommended practices for handling Part 2 Records. Customer shall not store, process, or transmit Part 2 Records through any feature or integration that FortaTech Security, LLC has documented as not supported for Part 2 Records.
d. Notice and Consent Documentation on Outbound Disclosures
Customer is responsible for ensuring that any Disclosure of Part 2 Records that Customer initiates through the Services pursuant to a patient's written consent under 42 CFR § 2.31 is accompanied by both a § 2.32 Statement and a copy of the patient's consent or a clear explanation of the scope of the consent provided, as required by 42 CFR § 2.32. For Disclosures permitted under 42 CFR Part 2 on bases other than written consent, Customer is responsible for satisfying the notice and documentation requirements specific to those Disclosures.
e. No Impermissible Requests
Customer shall not request FortaTech Security, LLC to Use or Disclose Part 2 Records in any manner that would not be permissible under 42 CFR Part 2 if done by Customer.
f. Status Notification
Customer is strongly encouraged to notify FortaTech Security, LLC in writing at legal@bastionintelligence.com if Customer is or becomes a Part 2 Program, a HIPAA Lawful Holder, or a Non-HIPAA Lawful Holder, and to notify FortaTech Security, LLC of any change in such status. As described in Section 6(b), while such notification is not a prerequisite to the application of this Part 2 Addendum, it is necessary in practice for FortaTech Security, LLC to perform several operational workflows that depend on identification of Part 2 Records or Customer status.
g. No Part 2 Records in Support or Community Channels
Customer shall not submit, transmit, or otherwise include Part 2 Records (or any data that may reasonably constitute Part 2 Records) in (i) support requests, support tickets, chat sessions, or other support communications with FortaTech Security, LLC, except where expressly authorized in writing in connection with a professional services engagement; (ii) community forums, discussion boards, beta program channels, or similar shared channels; or (iii) any feature, integration, or channel that FortaTech Security, LLC has documented as not supported for Part 2 Records. Customer shall instruct its workforce members and other authorized users of the Services accordingly. This Section 5(g) applies to Part 2 Records regardless of whether a BAA is in effect, and is intended to mirror corresponding restrictions on the handling of Protected Health Information in the BAA (where in effect).
SECTION 06: Applicability of Addendum
a. Scope
This Part 2 Addendum applies only to Part 2 Records that Customer transmits, makes available, or otherwise provides to FortaTech Security, LLC through the Services, or that FortaTech Security, LLC creates, receives, maintains, or transmits on behalf of Customer through the Services. Where a BAA is in effect, the BAA continues to govern all other Protected Health Information not subject to 42 CFR Part 2. Where information is subject to both HIPAA and 42 CFR Part 2, the Agreement, the BAA (where in effect), and this Part 2 Addendum apply concurrently, and the more protective provision controls.
b. Application of Addendum and the Practical Necessity of Customer Notice
The contractual protections of this Part 2 Addendum apply by operation of the Agreement and 42 CFR Part 2, without any requirement that Customer attest to, designate, or otherwise affirmatively identify itself as a Part 2 Program or Lawful Holder. Customer's status as a Part 2 Program, HIPAA Lawful Holder, or Non-HIPAA Lawful Holder is determined by applicable law and the facts of Customer's operations.
Customer should understand, however, that the following operational workflows under this Part 2 Addendum cannot be fully performed by FortaTech Security, LLC without Customer's written notification of status under Section 5(f):
- Part 2-specific flagging of records in response to compulsory legal process, as contemplated by Section 4(b);
- Part 2-specific breach notification content (as distinct from the generally applicable breach notification practices that FortaTech Security, LLC applies under Section 6(d)(i)(3)), as contemplated by Section 4(c);
- Intermediary list support under 42 CFR § 2.24 and, if and when applicable, accounting of disclosures under 42 CFR § 2.25, as contemplated by Section 4(f);
- Appropriate inclusion of § 2.32 Statements and consent documentation in outbound redisclosures, as contemplated by Section 3(d); and
- Forwarding and Part 2-appropriate handling of direct patient requests under Section 4(g).
For Customers for whom these workflows are operationally important — which will, in practice, include most Part 2 Programs and Lawful Holders — written notification under Section 5(f) is effectively required, even though it is not a contractual prerequisite to the application of this Part 2 Addendum. FortaTech Security, LLC will not assume Customer's status from data content alone, and Customer should not assume that operational handling tailored to Part 2 will occur without notification.
c. Uniform Safeguards
FortaTech Security, LLC maintains administrative, physical, and technical safeguards designed to comply with 42 CFR § 2.16 across the Services as a whole, without regard to whether a particular Customer is a Part 2 Program or Lawful Holder. These safeguards include, without limitation: encryption of Customer Data in transit and at rest; access controls and audit logging; restrictions on subcontractor and third-party model provider use of Customer Data; and prohibition on the use of Customer Data to train, fine-tune, evaluate, or develop any artificial intelligence or machine learning model, consistent with Sections 3(c)(3), 4(h), and FortaTech Security, LLC's general no-training commitment to its customers as reflected in the Agreement and FortaTech Security, LLC's published privacy commitments. Customer acknowledges that FortaTech Security, LLC's compliance posture is uniform and that no Customer-specific designation is required to engage these uniform safeguards.
d. Operational Handling and Customer Notification
FortaTech Security, LLC's contractual obligations under this Part 2 Addendum, and its independent obligations under 42 CFR Part 2 with respect to Part 2 Records it handles, apply at all times to all Part 2 Records actually received, created, maintained, or transmitted by FortaTech Security, LLC on Customer's behalf. These obligations are not deferred, conditioned upon, or limited by Customer's notification of status under Section 5(f) or by FortaTech Security, LLC's awareness of which specific Customer Data constitutes Part 2 Records. As a practical matter, the limitations on data-specific identification described in Section 6(b) are addressed through a combination of uniform compliance practices and customer-specific operational handling, as follows:
(i) Uniform Baseline Practices
Without regard to any Customer notification or designation, FortaTech Security, LLC applies the following baseline practices to all Customer Data, which together are designed to discharge FortaTech Security, LLC's obligations under 42 CFR Part 2 with respect to Part 2 Records that may be present in Customer Data:
- Safeguards. The uniform safeguards described in Section 6(c) apply to all Customer Data;
- Compulsory process. FortaTech Security, LLC applies uniform compulsory-process response practices to all Customer Data, including challenge of overbroad legal process, notification to Customer, and disclosure limited to the minimum legally required, consistent with the resistance-to-judicial-proceedings standard of 42 CFR § 2.11 and Section 4(b);
- Breach notification. FortaTech Security, LLC applies its breach notification practices to all incidents involving Customer Data, providing prompt notification to Customer to enable Customer's own reporting obligations under 42 CFR § 2.16(b), the HIPAA Breach Notification Rule (as aligned by the 2024 Final Rule), and other applicable law. Part 2-specific notification content is provided where the records affected are known or reasonably appear to be Part 2 Records;
- Escalation. FortaTech Security, LLC escalates promptly upon receipt of any indication that specific Customer Data may constitute Part 2 Records — including contextual signals in the data, references in legal process or third-party communications, or direct communications from Customer or patients — to engage the enhanced handling described in Section 6(d)(ii); and
- Direct patient requests. FortaTech Security, LLC forwards to Customer any direct patient request that reasonably appears to involve Part 2 Records, in accordance with Section 4(g).
(ii) Enhanced Customer-Specific Handling Following Notification
Where Customer has notified FortaTech Security, LLC in writing under Section 5(f) of Customer's status as a Part 2 Program, HIPAA Lawful Holder, or Non-HIPAA Lawful Holder, FortaTech Security, LLC will, in addition to the baseline practices described in Section 6(d)(i), treat all of that Customer's Customer Data as Part 2 Records for purposes of the operational workflows described in Section 6(b). This enhanced handling continues until Customer notifies FortaTech Security, LLC in writing that Customer no longer holds such status, in which case FortaTech Security, LLC will continue to apply enhanced handling to all Customer Data received during the period of notified status.
(iii) No Limitation on Underlying Duties
Nothing in this Section 6(d) defers, conditions, or limits any contractual obligation under this Part 2 Addendum or any independent obligation of FortaTech Security, LLC under 42 CFR Part 2 with respect to Part 2 Records actually handled. Customer's failure to notify FortaTech Security, LLC of Customer's status does not relieve Customer of its obligations as a Part 2 Program or Lawful Holder under 42 CFR Part 2 and this Part 2 Addendum.
SECTION 07. Term and Termination
a. Term
This Part 2 Addendum becomes effective on the date Customer first becomes subject to it under the introduction to this Part 2 Addendum, and continues in effect until the earlier of (i) termination by a Party for material breach under Section 7(b) or (ii) expiration or termination of the Agreement. Notwithstanding the foregoing, this Part 2 Addendum, and all obligations of FortaTech Security, LLC hereunder with respect to Part 2 Records, shall survive expiration or termination of the Agreement and, where applicable, of any BAA between the Parties, for so long as FortaTech Security, LLC continues to maintain any Part 2 Records received from, created for, or held on behalf of Customer, and shall terminate only upon the return or destruction of all such Part 2 Records in accordance with Section 7(c). The Term shall not lapse merely because Customer ceases to transmit Part 2 Records through the Services, provided that FortaTech Security, LLC continues to maintain any Part 2 Records on Customer's behalf.
b. Termination for Breach
Either Party may terminate this Part 2 Addendum, and where applicable the Agreement and the BAA, upon written notice if the other Party is in material breach or default of any obligation under this Part 2 Addendum and fails to cure such breach within thirty (30) calendar days after receiving written notice from the non-breaching Party describing the breach in reasonable detail. Material breaches that are incapable of being cured permit immediate termination upon written notice, without a cure period.
c. Return, Destruction, or Retention of Part 2 Records Upon Termination
Upon expiration or termination of this Part 2 Addendum, FortaTech Security, LLC shall return or destroy all Part 2 Records in its possession in accordance with the requirements of 42 CFR Part 2 and the corresponding return and destruction provisions of the BAA (where in effect) or the Agreement, and shall retain no copies of such Part 2 Records, except as required by law. If FortaTech Security, LLC determines that returning or destroying any portion of the Part 2 Records is infeasible, FortaTech Security, LLC shall: (1) provide Customer with written notification describing the categories of Part 2 Records at issue and the basis for the determination of infeasibility; (2) extend the protections of this Part 2 Addendum to such Part 2 Records and limit any further Use or Disclosure to those purposes that make the return or destruction infeasible, for so long as FortaTech Security, LLC retains the Part 2 Records; and (3) return or destroy the Part 2 Records promptly upon, and to the extent that, return or destruction becomes feasible. The obligations in this Section 7(c) shall survive termination.
SECTION 08. Miscellaneous
a. Relationship to Agreement and BAA
This Part 2 Addendum is incorporated into and forms part of the Agreement. Where a BAA is in effect between the Parties, this Part 2 Addendum also supplements the BAA. Except as expressly modified by this Part 2 Addendum, all terms and conditions of the Agreement and, where applicable, the BAA remain in full force and effect. In any conflict between this Part 2 Addendum and the Agreement or the BAA with respect to Part 2 Records, this Part 2 Addendum controls. The application of this Part 2 Addendum does not depend on the existence of a BAA, and this Part 2 Addendum applies in full to Non-HIPAA Lawful Holder Customers and any other Customer with respect to whom no BAA is in effect.
b. Interpretation
The Parties intend that this Part 2 Addendum be interpreted consistently with their intent to comply with 42 CFR Part 2, HIPAA, and other applicable federal and state law. Section captions and headings are for the convenience of the Parties and shall not affect interpretation.
c. Amendments; Waiver
This Part 2 Addendum may not be modified or amended except in a writing duly signed by authorized representatives of the Parties or as expressly permitted under the modification provisions of the Agreement. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.
d. No Third-Party Beneficiaries
Nothing express or implied in this Part 2 Addendum is intended to confer, nor shall anything in this Part 2 Addendum confer, upon any person other than the Parties any rights, remedies, obligations, or liabilities, except that patients whose Part 2 Records are subject to this Part 2 Addendum shall have such rights as are afforded to them by 42 CFR Part 2.
e. Severability
If any provision of this Part 2 Addendum is held invalid or unenforceable, the remainder of this Part 2 Addendum shall not be affected, and the invalid provision shall be reformed to the minimum extent necessary to make it enforceable while preserving the Parties' intent to comply with 42 CFR Part 2.
f. No Agency Relationship
It is not intended that an agency relationship be created between Customer and FortaTech Security, LLC under 42 CFR Part 2, HIPAA, or any other law. No terms or conditions of this Part 2 Addendum shall be construed to make or render FortaTech Security, LLC an agent of Customer for purposes of HIPAA's business associate or agency provisions, although nothing in this Section 8(f) limits FortaTech Security, LLC's status as a Qualified Service Organization under 42 CFR § 2.11 or as a contractor under 42 CFR § 2.33 as expressly acknowledged in Section 2.