
DriveBoss Business Associate Agreement

DriveBoss LLC · Effective Date: April 21, 2026 · Last Updated: April 21, 2026

This Business Associate Agreement ("BAA") is entered into by and between DriveBoss LLC, a Delaware limited liability company with its registered corporate address at 254 Chapman Road, Suite 208 #703, Newark, Delaware 19702, United States ("DriveBoss"), and the customer accepting this BAA electronically, signing an order form that references this BAA, or using the Services under the DriveBoss Master Services Agreement ("Customer"). DriveBoss and Customer may be referred to individually as a "Party" and collectively as the "Parties."

1. Purpose and Relationship

This BAA applies when DriveBoss creates, receives, maintains, or transmits Protected Health Information ("PHI") for or on behalf of Customer in connection with the DriveBoss non-emergency medical transportation software platform and related services.

Depending on the applicable data flow, Customer may be a Covered Entity, a Business Associate, a subcontractor Business Associate, or another organization authorized to process PHI through brokers, payers, facilities, transportation providers, or other healthcare participants. To the extent required by HIPAA, DriveBoss acts as Customer's Business Associate or subcontractor Business Associate for PHI processed through the Services.

This BAA supplements the DriveBoss Master Services Agreement, applicable order forms, the Acceptable Use Policy, and any other agreement between the Parties. If this BAA conflicts with another agreement, this BAA controls for PHI and HIPAA-regulated obligations.

2. Definitions

Capitalized terms not defined in this BAA have the meanings given to them by the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, including 45 CFR Parts 160 and 164, as amended (collectively, "HIPAA").

"Services" means the DriveBoss software-as-a-service platform and related services, including dispatch, routing, scheduling, broker-feed integrations, driver GPS and trip-status tools, billing and reconciliation workflows, patient SMS and IVR communications, facility visibility, reporting, support, security, and related platform operations.

"Subcontractor" means a person or entity to whom DriveBoss delegates a function, activity, or service involving PHI, other than a member of DriveBoss's workforce.

3. Permitted Uses and Disclosures by DriveBoss

DriveBoss may Use and Disclose PHI only as permitted or required by this BAA, the Master Services Agreement, Customer's documented instructions, or applicable law.

DriveBoss may Use and Disclose PHI as reasonably necessary to provide, secure, maintain, support, bill for, audit, and improve the Services, including:

  • ingesting, normalizing, and processing broker, payer, facility, transportation provider, and customer trip data;
  • scheduling, dispatching, routing, assigning, tracking, and reconciling trips;
  • processing driver GPS, trip-status, pickup, drop-off, and completion information;
  • sending and receiving authorized patient SMS, IVR, and operational communications;
  • supporting broker, payer, facility, customer, and transportation-provider visibility;
  • supporting billing, reconciliation, claims support, reporting, customer support, and audit workflows;
  • detecting, preventing, and responding to fraud, abuse, security incidents, service misuse, and system errors;
  • maintaining backups, audit logs, compliance records, and security logs as permitted by this BAA.

DriveBoss may Use PHI for its proper management and administration and to carry out its legal responsibilities. DriveBoss may Disclose PHI for those purposes only if the Disclosure is Required by Law or DriveBoss obtains reasonable assurances from the recipient that the PHI will be held confidentially, Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed, and that the recipient will notify DriveBoss of any breach of confidentiality.

DriveBoss may Use PHI to provide Data Aggregation services relating to Customer's healthcare operations where permitted by HIPAA and Customer's instructions.

4. Prohibited Uses and Disclosures

DriveBoss will not:

  • Use or Disclose PHI other than as permitted or required by this BAA, the Master Services Agreement, Customer's documented instructions, or applicable law;
  • Use or Disclose PHI in a manner that would violate HIPAA if done by Customer, except to the extent HIPAA permits DriveBoss to Use or Disclose PHI for DriveBoss's proper management and administration, legal responsibilities, or Data Aggregation;
  • sell PHI;
  • Use PHI for advertising or marketing unrelated to the Services unless expressly permitted by HIPAA and authorized in writing by Customer;
  • Use PHI to train public or third-party artificial intelligence models; or
  • re-identify de-identified information except as permitted by HIPAA and Customer's written instructions.

5. Safeguards and Security Rule

DriveBoss will use appropriate administrative, physical, and technical safeguards to prevent Uses or Disclosures of PHI not permitted by this BAA.

With respect to Electronic PHI, DriveBoss will comply with the HIPAA Security Rule requirements applicable to Business Associates, including Subpart C of 45 CFR Part 164. DriveBoss's safeguards will include, as appropriate to the Services:

  • role-based access controls and authentication;
  • workforce access restrictions and training;
  • encryption in transit;
  • encryption at rest where supported by the service architecture;
  • audit logging and security monitoring;
  • backup, disaster recovery, and secure disposal controls;
  • incident response procedures;
  • vendor and Subcontractor controls; and
  • reasonable policies and procedures designed to protect PHI.

Customer remains responsible for managing its own users, credentials, devices, broker access, role assignments, and instructions to DriveBoss.

6. Minimum Necessary

DriveBoss will make reasonable efforts to request, Use, and Disclose only the minimum PHI necessary to perform the Services or comply with applicable law, except where HIPAA does not require a minimum necessary limitation.

Customer is responsible for limiting PHI submitted to the Services to the PHI reasonably needed for authorized NEMT, billing, reporting, broker, facility, SMS, IVR, support, and related workflows.

7. Reporting of Impermissible Uses, Disclosures, Breaches, and Security Incidents

DriveBoss will report to Customer any Use or Disclosure of PHI not permitted by this BAA of which DriveBoss becomes aware, including any Breach of Unsecured PHI as required by 45 CFR 164.410.

For a confirmed Breach of Unsecured PHI, DriveBoss will notify Customer without unreasonable delay and in no event later than 60 calendar days after discovery. To the extent available, DriveBoss's notice will include:

  • the nature of the incident;
  • the date or estimated date of the incident and date of discovery;
  • the types of PHI involved;
  • the identity of affected Individuals or a reasonable method to identify them;
  • mitigation steps taken or planned;
  • corrective actions taken or planned; and
  • information reasonably needed by Customer to satisfy its notification obligations.

DriveBoss will report successful unauthorized access, Use, Disclosure, modification, destruction, or interference involving Electronic PHI. The Parties agree that routine unsuccessful security events, such as blocked scans, pings, unsuccessful login attempts, and similar background events, are deemed reported through DriveBoss's general security controls and are not separately reportable unless DriveBoss determines they indicate a material threat to PHI.

8. Subcontractors

DriveBoss may use Subcontractors to provide the Services, including hosting, storage, security, communications, SMS, IVR, payment, analytics, support, and broker-integration providers.

DriveBoss will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of DriveBoss agrees in writing to restrictions, conditions, and safeguards at least as protective as those that apply to DriveBoss under this BAA, as required by 45 CFR 164.504(e). DriveBoss will remain responsible for Subcontractor performance as required by HIPAA and the Master Services Agreement.

DriveBoss will maintain a current list of PHI-capable Subcontractors or provide Subcontractor information to Customer upon reasonable written request. Current known PHI-related vendors include AWS and the broker, communications, and infrastructure vendors authorized for DriveBoss PHI workflows.

9. Access, Amendment, and Individual Rights Assistance

To the extent PHI maintained by DriveBoss is part of a Designated Record Set and Customer requires DriveBoss's assistance, DriveBoss will make PHI available to Customer as reasonably necessary for Customer to respond to an Individual's request for access under 45 CFR 164.524.

DriveBoss will make PHI available for amendment and incorporate amendments as reasonably directed by Customer under 45 CFR 164.526.

DriveBoss is not required to respond directly to Individuals unless Customer authorizes DriveBoss to do so in writing or applicable law requires DriveBoss to do so.

10. Accounting of Disclosures

DriveBoss will document Disclosures of PHI as required for Customer to respond to an Individual's request for an accounting of disclosures under 45 CFR 164.528. Upon Customer's reasonable written request, DriveBoss will provide information about accountable Disclosures in DriveBoss's possession within a commercially reasonable period.

Disclosures made for treatment, payment, healthcare operations, and other disclosures excluded from accounting under HIPAA are not required to be included unless applicable law changes or Customer's written instructions require otherwise.

11. Restrictions and Confidential Communications

DriveBoss will comply with Customer's reasonable written instructions regarding restrictions on Uses or Disclosures of PHI and requests for confidential communications, to the extent Customer has agreed to such restrictions or requests and the instructions are technically feasible within the Services.

12. HHS Access

DriveBoss will make its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created, received, maintained, or transmitted on behalf of, Customer available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.

13. De-Identification and Aggregated Analytics

DriveBoss may create de-identified information from PHI only in accordance with HIPAA de-identification standards and applicable Customer instructions. DriveBoss may use de-identified or aggregated information for analytics, benchmarking, product improvement, reliability, security, and business purposes, provided the information does not identify Customer, Individuals, patients, riders, or other persons and does not violate broker, payer, or facility restrictions.

14. Return or Destruction of PHI

Upon termination of the applicable Services, DriveBoss will return or destroy PHI in its possession if feasible and as directed by Customer.

If return or destruction is infeasible, DriveBoss will extend the protections of this BAA to the retained PHI and limit further Uses and Disclosures to the purposes that make return or destruction infeasible, including backup retention, legal compliance, audit, dispute resolution, security logging, and broker, payer, or regulatory requirements.

Customer may export available active-account reports and PDF/CSV records through the DriveBoss interface before termination takes effect, subject to the Master Services Agreement, Customer's permissions, broker restrictions, and applicable law.

15. Mitigation

DriveBoss will mitigate, to the extent practicable, harmful effects known to DriveBoss of a Use or Disclosure of PHI by DriveBoss in violation of this BAA.

16. Term and Termination

This BAA begins when Customer accepts this BAA electronically, signs an order form that references this BAA, or first uses the Services after this BAA is presented or made available, and remains in effect while DriveBoss creates, receives, maintains, or transmits PHI for or on behalf of Customer.

Customer may terminate the affected Services if DriveBoss materially breaches this BAA and fails to cure the breach within 30 days after written notice. If cure is not feasible and termination is required by HIPAA, Customer may terminate the affected Services sooner as required by law.

DriveBoss may suspend or terminate PHI-related processing if Customer's instructions would violate HIPAA, applicable law, broker or payer requirements, this BAA, or the Master Services Agreement.

17. Order of Precedence

For PHI and HIPAA-regulated obligations, this BAA controls over the Master Services Agreement, order forms, Acceptable Use Policy, Privacy Policy, support terms, and any other agreement between the Parties. For non-PHI matters, the Master Services Agreement and applicable order form control.

18. No Third-Party Beneficiaries

This BAA is for the benefit of the Parties and does not create rights for any third party except as required by HIPAA or applicable law.

19. Governing Law

This BAA is governed by the laws of the State of Delaware, without regard to conflict-of-laws rules, except to the extent preempted by HIPAA or other applicable federal law. Venue for disputes is as stated in the Master Services Agreement unless HIPAA or applicable law requires otherwise.

20. Electronic Acceptance

Customer accepts this BAA by clicking or checking an acceptance box, signing an order form that references this BAA, or using the Services after this BAA is presented or made available. Electronic acceptance and electronic signatures are intended to be binding to the maximum extent permitted by law.

Acceptance and Signature

This document becomes binding upon your acceptance through the DriveBoss signup flow at drivebossai.com/signup. Acceptance occurs when you:

  1. check the agreement box for this document during signup,
  2. provide your electronic signature (your full legal name), and
  3. submit the signup form.

Upon acceptance, DriveBoss captures your electronic signature, acceptance timestamp, and originating IP address, and generates a personalized signed copy of this document. A copy is emailed to the address provided at signup, and DriveBoss retains the signed record for at least seven (7) years in accordance with DriveBoss's data retention commitment.

Customer

Electronic signature:
Date:
IP address:

DriveBoss LLC

DriveBoss (Signed)

On behalf of DriveBoss LLC,
a Delaware limited liability company

© 2026 DriveBoss LLC. All rights reserved.