
Business Associate Addendum

Last Updated: December 10, 2025

This Business Associate Agreement (“BAA”) forms an integral part of the Terms and Conditions between the party named as “Customer” in the Terms (“Customer” or “Covered Entity”) and Quilt Health, Inc. (“Company” or “Business Associate”) involving the provision of Company’s Services or other agreement between Customer and Company governing Customer’s use of Company’s Services (as applicable, the “Terms”) and is hereby incorporated into the Terms. In this BAA, Covered Entity and Business Associate are each a “Party” and collectively are the “Parties.”

I. GENERAL PROVISIONS 

Section I.1. Status of Parties Under HIPAA. 

The parties acknowledge and agree that Customer (“Covered Entity”) is a Covered Entity (as defined by HIPAA) and Company is a Business Associate of Covered Entity when Company creates, receives, maintains, transmits, uses or discloses Protected Health Information (“PHI”) on behalf of Covered Entity.

Section I.2. Effect.

To the extent that Company receives PHI to perform Business Associate activities, the terms and provisions of this Addendum shall supersede any other conflicting or inconsistent terms and provisions in this Agreement to the extent of such conflict or inconsistency.

Section I.3. Defined Terms. 

Capitalized terms used in this Agreement (including this Addendum) without definition shall have the respective meanings assigned to such terms by the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time (collectively, “HIPAA”).

Section I.4. No Third-Party Beneficiaries. 

The parties have not created and do not intend to create by this Agreement any third-party rights, including, but not limited to, third-party rights for Covered Entity’s patients.

Section I.5. HIPAA Amendments. 

Any future amendments to HIPAA affecting business associate agreements are hereby incorporated by reference into this Addendum as if set forth in this Addendum in their entirety, effective on the later of the effective date of this Addendum or such subsequent date as may be specified by HIPAA.

Section I.6. Regulatory References. 

A reference in this Addendum to a section in HIPAA means the section as it may be amended from time to time.

Section I.7. Independent Contractor Status. 

The parties acknowledge and agree that Company is at all times acting as an independent contractor of Covered Entity and not as an agent or employee of Covered Entity under this Agreement. For clarity, individual physicians may access the Services either (i) in their own capacity (e.g., as an independent contractor/solo practice) or (ii) as a workforce member of a designated Covered Entity; in each case, all PHI processed while that capacity is selected is deemed processed on behalf of—and under the BAA with—that designated party. Users may maintain multiple organizational profiles and toggle between them, but such use does not create any employment, partnership, or agency with Company, and Company may rely on the user’s designation for attribution of obligations and compliance.

Section I.8. Scope of Covered Entity PHI. 

“Covered Entity PHI” means only the PHI that Company receives from Covered Entity or creates, receives, maintains, or transmits on Covered Entity’s behalf in performing the Services for Covered Entity (including referral artifacts, eligibility assessments, and reports delivered to Covered Entity). PHI or other data that an Individual submits directly to Company outside Covered Entity’s workflow is not Covered Entity PHI unless and until (i) Covered Entity instructs Company to process such data on its behalf, or (ii) the Individual executes a HIPAA-compliant authorization permitting Company to disclose such data to Covered Entity, in which case Company’s processing/disclosure for Covered Entity shall be Covered Entity PHI. Company will segregate Covered Entity PHI from consumer-account data and will not disclose Covered Entity PHI to third parties (including other providers or sponsors) absent Covered Entity’s instruction or a valid authorization.

II. OBLIGATIONS OF THE COMPANY 

Section II.1. Use and Disclosure of PHI. 

Company may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose any PHI. Company shall not use or disclose PHI received from Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by Covered Entity (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent Company carries out any of Covered Entity’s obligations under the HIPAA privacy standards, Company shall comply with the requirements of the HIPAA privacy standards that apply to Covered Entity in the performance of such obligations. Without limiting the generality of the foregoing, Company is permitted to use or disclose PHI as set forth below:

a) Company may use PHI internally for Company’s proper management and administration or to carry out its legal responsibilities;

b) Company may disclose PHI to a third party for Company’s proper management and administration, provided that the disclosure is Required by Law or Company obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify Covered Entity of any instances of which the third party is aware in which the confidentiality of the PHI has been breached;

c) Company may use PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity if required or permitted under this Agreement; and

d) Company may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Company may use and disclose de-identified health information to support research, analytics, and to provide and improve the Services.

Section II.2. Safeguards. 

Company shall use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted or required by this Addendum. In addition, Company shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI transmitted or maintained in Electronic Media (“EPHI”) that it creates, receives, maintains or transmits on behalf of Covered Entity. Company shall comply with the HIPAA Security Rule with respect to EPHI.

Section II.3. Minimum Necessary Standard. 

To the extent required by the “minimum necessary” requirements of HIPAA, Company shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.

Section II.4. Mitigation. 

Company shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Company) of a use or disclosure of PHI by Company in violation of this Addendum.

Section II.5. Subcontractors. 

Company shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Company. Company shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Company under this Addendum.

Section II.6. Reporting Requirements. 

a) If Company becomes aware of a use or disclosure of PHI in violation of this Agreement by Company or a third party to which Company disclosed PHI, Company shall report the use or disclosure to Covered Entity without unreasonable delay.

b) Company shall report any Security Incident involving EPHI of which it becomes aware in the following manner: (i) any actual, successful Security Incident will be reported to Covered Entity in writing without unreasonable delay, and (ii) any attempted, unsuccessful Security Incident of which Company becomes aware will be reported to Covered Entity orally or in writing on a reasonable basis, as requested by Covered Entity. If the HIPAA security regulations are amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement hereunder to report such unsuccessful attempts will no longer apply as of the effective date of the amendment.

c) Company shall, following the discovery of a Breach of Unsecured PHI, notify Covered Entity of the Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no case later than 7 days after discovery of the Breach.

Section II.7. Access to PHI. 

Within 15 business days of a request by Covered Entity for access to PHI about an Individual contained in any Designated Record Set of Covered Entity maintained by Company, Company shall make available to Covered Entity such PHI for so long as Company maintains such information in the Designated Record Set. If Company receives a request for access to PHI directly from an Individual, Company shall forward such request to Covered Entity within ten business days. Covered Entity shall have the sole responsibility to make decisions regarding whether to approve a request for access to PHI.

Section II.8. Availability of PHI for Amendment. 

Within 15 business days of receipt of a request from Covered Entity for the amendment of an Individual’s PHI contained in any Designated Record Set of Covered Entity maintained by Company, Company shall provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI (for so long as Company maintains such information in the Designated Record Set) as required by 45 C.F.R. § 164.526. If Company receives a request for amendment to PHI directly from an Individual, Company shall forward such request to Covered Entity within ten business days. Covered Entity shall have the sole responsibility to make decisions regarding whether to approve a request for an amendment to PHI.

Section II.9. Accounting of Disclosures. 

Within 15 business days of notice by Covered Entity to Company that it has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Company shall make available to Covered Entity such information as is in Company’s possession and is required for Covered Entity to make the accounting required by 45 C.F.R. § 164.528. If Company receives a request for an accounting directly from an Individual, Company shall forward such request to Covered Entity within ten business days. Covered Entity shall have the sole responsibility to provide an accounting of disclosures to the Individual.

Section II.10. Availability of Books and Records. 

Company shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Company on behalf of, Covered Entity available to the Secretary for purposes of determining Covered Entity’s and Company’s compliance with HIPAA.

III. OBLIGATIONS OF THE COVERED ENTITY 

Section III.1. Permissible Requests. 

Covered Entity shall not request Company to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Covered Entity (except as provided in Sections 2.1(a), (b) and (c) of this Addendum).

Section III.2. Minimum Necessary PHI. 

When Covered Entity discloses PHI to Company, Covered Entity shall provide the minimum amount of PHI necessary for the accomplishment of Company’s purpose.

Section III.3. Permissions; Restrictions. 

Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Company. Covered Entity shall notify Company of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Company’s use or disclosure of PHI. Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts Company’s use or disclosure of PHI under this Agreement unless such restriction is Required by Law or Company grants its written consent, which consent shall not be unreasonably withheld.

Section III.4. Notice of Privacy Practices. 

Except as Required by Law, with Company’s consent or as set forth in this Agreement, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Company’s use or disclosure of PHI under this Agreement.

Section III.5. Minors; Parental/Guardian Consent; Proxy Access.

a) Allocation of Responsibility. Covered Entity is responsible for obtaining, documenting, and communicating to Business Associate all consents, authorizations, and legal permissions required to process a minor’s PHI under HIPAA and applicable federal and state law (including laws that allow minors to consent to certain services without parental involvement and any restrictions on parental access). Covered Entity will promptly notify Business Associate of any limitations, revocations, or changes to such permissions.

b) Business Associate Obligations. Business Associate will process a minor’s PHI solely per Covered Entity’s documented instructions and will (i) implement technical/administrative controls to enforce parent/guardian or proxy access as designated by Covered Entity; (ii) withhold disclosures or access to parents/guardians where Covered Entity indicates such access is restricted by law; and (iii) maintain logs sufficient to support Covered Entity’s HIPAA compliance, including accounting of disclosures.

c) Direct Communications with Minors. Business Associate will not send marketing communications to minors or contact a minor or parent/guardian except as necessary to provide the Services on Covered Entity’s behalf or as expressly directed by Covered Entity. Business Associate will provide opt-out/STOP functionality for non-marketing operational texts consistent with law and Covered Entity’s instructions.

d) COPPA. The Parties acknowledge that minors may access the Services online. Covered Entity is responsible for obtaining verifiable parental consent for any online collection of personal information from children under 13 where required by law and for instructing Business Associate on the scope of such consent. At Covered Entity’s request, Business Associate will provide reasonable mechanisms to capture, record, and honor parental consent signals and revocations within the Service.

e) 42 C.F.R. Part 2 and Other Special Protections. Business Associate will not knowingly process PHI subject to 42 C.F.R. Part 2 (substance use disorder records) or other specially protected categories for minors unless Covered Entity has confirmed that all legally required consents/authorizations and redisclosure restrictions apply and has provided corresponding instructions. Business Associate will include any required Part 2 redisclosure notices on Covered Entity-directed disclosures.

f) Age-of-Majority Transitions. Upon notice from Covered Entity that a minor has reached the age of majority or that proxy access should change, Business Associate will adjust access rights and account controls accordingly and, at Covered Entity’s direction, terminate parental/proxy access.

g) No Sale/Ads to Minors. Business Associate will not sell, license, “share,” or use minors’ PHI for advertising or marketing and will use such PHI only to perform the Services for Covered Entity as set forth in this BAA and the underlying agreement.

h) Deactivation/Deletion on Revocation. Upon Covered Entity’s instruction that parental or minor consent has been revoked or is otherwise legally insufficient, Business Associate will disable account access as directed and delete PHI from production systems in accordance with this BAA, subject to permitted backups/retention and legal holds.

i) Precedence. In the event of a conflict between this Section and any public-facing terms or privacy notices, the b with respect to PHI.

IV. TERMINATION OF THIS AGREEMENT 

Section IV.1. Termination Upon Breach of this Addendum. 

Any other provision of this Agreement notwithstanding, either party (the “Non-Breaching Party”) may terminate this Agreement upon 30 days advance written notice to the other party (the “Breaching Party”) in the event that the Breaching Party materially breaches this Addendum and such breach is not cured to the reasonable satisfaction of the Non-Breaching Party within such 30-day period.

Section IV.2. Return, Destruction, and Limited Retention; Patient Continuity.

Upon expiration or earlier termination of this Agreement, Company shall, within 30 days, return to Covered Entity (in industry-standard format) or destroy all PHI received from, or created or received by Company on behalf of, Covered Entity that Company then maintains in any form, in each case as instructed by Covered Entity. If Covered Entity instructs Company to retain PHI to satisfy a period Required by Law (e.g., medical-record retention), Company will retain such PHI solely on Covered Entity’s behalf under this Addendum for the instructed period and for no other purpose, after which Company will destroy it and provide a certificate of destruction upon request. Notwithstanding the foregoing, (i) PHI contained in routine backups may be retained for up to 180 days in non-production, access-controlled storage and will be purged in the ordinary course, and (ii) Company may retain and use De-Identified Data (per 45 C.F.R. § 164.514) and Service/Derived Data (usage, telemetry, logs that do not identify any individual or Covered Entity) for security, compliance, and product improvement, subject to a no re-identification covenant.

Section IV.3. Consumer Accounts. 

To the extent an Individual maintains a direct consumer account with Company and affirmatively authorizes Company (via a HIPAA-compliant authorization or other lawful consent) to host the Individual’s records outside the Covered Entity relationship, Company may continue to provide such consumer services to the Individual after Covered Entity terminates; any such consumer-hosted records are not “PHI on behalf of Covered Entity,” and Company’s obligations for those records are governed by Company’s consumer terms and privacy policy. Absent such Individual authorization and Covered Entity’s instruction to the contrary, Company will disable Individual access to Covered Entity PHI in the consumer app upon termination and handle such PHI per the first paragraph. Nothing herein shifts Covered Entity’s independent medical-record retention obligations to Company.

V. LIMITATION OF LIABILITY  

Section V.1. Limitation of Liability. 

In no event shall Company’s and its present and former affiliates’, directors’, officers’, employees’, and agents’ aggregate liability arising out of or related to this Addendum, whether in contract, tort, or under any other theory of liability, exceed the amounts actually paid by and due from Covered Entity under the Agreement during the one year period immediately preceding the date the cause of action arose.

Section V.2. Exclusion of Consequential and Related Damages. 

In no event shall Company or its present and former affiliates, directors, officers, employees, or agents have any liability to Covered Entity or any third party for any lost profits, loss of data, loss of use, costs of procurement of substitute goods or services, or for any indirect, special, incidental, punitive, or consequential damages however caused and whether in contract, tort, or under any other theory of liability, whether or not Company has been advised of the possibility of such damage. Because some states or jurisdictions do not allow the exclusion or the limitation of liability for consequential or incidental damages, in such states or jurisdictions, Company’s and its present and former subsidiaries’, affiliates’, directors’, officers’, employees’, and agents’ liability shall be limited to the maximum extent permitted by law.

Section V.3. Survival. 

This Section 5 shall survive the expiration or earlier termination of this Agreement.

160 Federal Street, Suite 2100
Boston, MA 02110
2025 Quilt Health. All rights reserved.