1. Services

RxGranted provides clinical documentation and administrative support services related to prior authorization, including:

• Preparation of prior authorization (PA) letters with clinical justification
• Clinical documentation supporting medical necessity
• Appeal letters for denied prior authorization requests
• Administrative submission of PA requests to payers (Full Service plan only)
• Status tracking and payer follow-up (Full Service plan only)

2. Service Plans and Pricing

Core Plan — $299/month: Up to 8 PA letters per month, all medical specialties covered, appeal support included, PharmD-reviewed clinical documentation, 24-hour turnaround guaranteed, client submits completed letters to payer.

Full Service Plan — $799/month: Up to 15 PA cases per month, everything in Core plus direct submission to payer, real-time tracking and follow-up, appeal filing and payer communication included, dedicated PharmD support.

Additional Cases: Core: $35/letter. Full Service: $50/case (includes submission).

Free Trial: First two (2) PA letters at no cost, no credit card required.

3. Turnaround and Delivery

• Standard requests: Completed within 24 hours of receipt of all required clinical information
• Urgent requests: Same-day completion when feasible; prioritized on Full Service plan
• Turnaround begins when RxGranted receives complete and accurate patient information, clinical documentation, and insurance details

4. Client Responsibilities

Client agrees to:

• Provide accurate and complete patient demographics, clinical data, insurance information, and supporting documentation
• Maintain all provider-patient relationships and clinical decision-making authority
• Submit completed PA letters to the appropriate payer (Core plan)
• Grant and maintain necessary system access for RxGranted to perform submissions (Full Service plan)
• Execute a HIPAA Business Associate Agreement prior to sharing any Protected Health Information
• Notify RxGranted promptly of any changes to patient information, payer requirements, or access credentials

5. Access Authorization (Full Service Plan)

For Full Service clients, Client may authorize RxGranted to access: EMR/EHR system, Availity portal, CoverMyMeds portal, payer-specific portals, or secure fax. RxGranted acts strictly as an authorized administrative delegate. Access credentials remain Client's property and are used solely for PA-related services.

6. Payment Terms

• All plans are billed monthly in advance
• Payment is due upon receipt of invoice
• No long-term contract required — Client may cancel at any time
• No refunds for completed work or partial months
• Additional PA cases beyond plan limits invoiced monthly in arrears
• RxGranted reserves the right to suspend services for accounts more than 30 days past due

7. Liability and Disclaimers

• RxGranted is not responsible for payer coverage decisions
• RxGranted does not guarantee that any PA request will be approved
• Not liable for delays caused by incomplete or inaccurate information provided by Client
• Total liability capped at aggregate fees paid in the 12 months preceding the event (except for gross negligence, willful misconduct, or breach of PHI)
• Client acknowledges RxGranted's role is limited to documentation and administrative support

8. HIPAA Compliance

The Parties agree to execute a Business Associate Agreement ("BAA") prior to the exchange of any Protected Health Information. The BAA is incorporated into this Agreement by reference. Both Parties shall comply with all applicable provisions of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

9. Confidentiality

Each Party agrees to maintain the confidentiality of the other Party's proprietary information, business methods, pricing, and operational procedures. This obligation survives termination for two (2) years.

10. Term and Termination

• Month-to-month basis until terminated
• Either Party may terminate at any time with written notice
• Upon termination, RxGranted completes in-progress PAs and returns/destroys all PHI per the BAA
• All system access revoked immediately upon termination
• Sections 7, 8, 9, and 10 survive termination

11. Governing Law

Governed by the laws of the State of New Jersey, without regard to conflict of law principles, to the extent not preempted by federal law.

12. Entire Agreement

This Agreement, together with the BAA, constitutes the entire agreement between the Parties. No modification effective unless in writing and signed by both Parties.

ASKARX LLC | d/b/a RxGranted | 100 Fellowship Road, Moorestown, NJ 08057 | NPI: 1114651510 | NJ License: 28RI04246700

Article I — Definitions

Terms used in this Agreement have the same meaning as in the HIPAA Rules (45 C.F.R. Parts 160 and 164), including: Breach, Designated Record Set, ePHI, Individual, Minimum Necessary, PHI, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and Services (prior authorization clinical documentation services).

Article II — Obligations of Business Associate

• 2.1 Permitted Uses: PHI used only for performing Services, proper management, data aggregation, or de-identification as permitted by HIPAA Rules
• 2.2 Minimum Necessary: Limit use, disclosure, and request of PHI to the minimum necessary
• 2.3 Safeguards: Implement administrative, physical, and technical safeguards including AES-256 encryption, role-based access controls, audit logs, annual risk assessments, HIPAA training, and compliant communication channels
• 2.4 Reporting: Report any unauthorized use or disclosure, including Breaches and Security Incidents
• 2.5 Subcontractors: Ensure subcontractors agree to same restrictions via written agreement
• 2.6 Access to PHI: Make PHI available within 15 business days of request
• 2.7 Amendment: Make amendments within 15 business days as directed
• 2.8 Accounting: Document disclosures, available within 30 days of request
• 2.9 Government Access: Make records available to the Secretary for compliance determination
• 2.10 No Sale of PHI without prior written authorization
• 2.11 No Marketing without prior written authorization

Article III — Obligations of Covered Entity

• Provide Notice of Privacy Practices and any changes
• Notify of changes in Individual permissions affecting PHI use
• Notify of restrictions on PHI use or disclosure
• Provide only minimum necessary PHI for Services

Article IV — Breach Notification

• 4.1: Report Breaches of Unsecured PHI within 30 calendar days of discovery
• 4.2: Notification includes: affected Individuals, description, PHI types, protective steps, investigation/mitigation actions
• 4.3: Report Security Incidents within 5 business days (unsuccessful attempts need not be individually reported)
• 4.4: Cooperate with Covered Entity in investigation
• 4.5: Take prompt corrective action to mitigate and prevent recurrence

Article V — Term and Termination

• Effective as of Effective Date, continuing for duration of service relationship
• Either Party may terminate for material breach with 30-day cure period
• Upon termination: return or destroy all PHI within 30 days, certify destruction in writing
• Articles IV and V survive termination

Article VI — Data Security Specifications

• TLS 1.2+ in transit, AES-256 at rest
• Role-based access controls, unique user IDs, MFA where feasible
• HIPAA-compliant intake portal with session timeouts, HTTPS, input validation, access logging
• PHI stored only on systems with appropriate safeguards
• All personnel complete HIPAA training before access and annually thereafter; records maintained 6 years
• All devices: encryption, password/biometric protection, auto-lock, remote wipe
• PHI disposed per NIST SP 800-88 (electronic) or shredded (paper)
• Business continuity plan including backup, disaster recovery, emergency mode operation

Article VII — Indemnification and Liability

• BA indemnifies CE from claims arising from BA's breach or negligent/willful handling of PHI
• CE indemnifies BA from claims arising from CE's breach or failure to perform Article III obligations
• Liability capped at 12 months of fees (except willful misconduct, gross negligence, or PHI breach)
• BA maintains professional liability (E&O) insurance

Article VIII — General Provisions

Regulatory references as in effect or amended. Amendment requires writing by both Parties. Ambiguity interpreted for HIPAA compliance. No third-party beneficiaries. Governed by New Jersey law (except federal preemption). Entire agreement as to HIPAA compliance. Severability. Waiver of one provision does not waive others.

ASKARX LLC | d/b/a RxGranted | 100 Fellowship Road, Moorestown, NJ 08057 | NPI: 1114651510 | NJ License: 28RI04246700