Deer Oaks HIPAA Resolution Agreement and Corrective Action Plan

RA/CAP Page 1 of 13 RESOLUTION AGREEMENT I. Recitals1. Parties. The Parties to this Resolution Agreement (“Agreement”) are: A. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy ofindividually identifiable health information (45 C.F.R. Part 160 and Subparts A andE of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 andSubparts A and C of Part 164, the “Security Rule”), and the Federal standards fornotification in the case of breach of unsecured protected health information (45C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “BreachNotification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, andBreach Notification Rules (the “HIPAA Rules”) by covered entities and businessassociates, and covered entities and business associates must cooperate with HHScompliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and160.310(b).B. “Deer Oaks – The Behavioral Health Solution” (Deer Oaks) is an AffiliatedCovered Entity, as defined at 45 C.F.R. §§ 160.103 and 164.105, and, therefore, isrequired to comply with the HIPAA Rules.HHS and Deer Oaks shall together be referred to herein as the “Parties.” 2. Factual Background and Covered Conduct. On December 6, 2021, HHS received a complaint alleging that Deer Oaks Geriatric Services PC d/b/a Deer Oaks ConsultationServices (DOCS), a member of the Deer Oaks Affiliated Covered Entity, impermissiblydisclosed protected health information (PHI), including patient names, dates of birth,patient identification numbers, facilities, and diagnoses, by making patient discharge formspublicly accessible online. The PHI was secured in May 2023.In addition, Deer Oaks experienced a breach on August 29, 2023, when a threat actorexploited a vulnerability in Deer Oaks’ network. The threat actor claimed to haveexfiltrated data and demanded payment to prevent posting the PHI on the dark web. The health care entities set forth in Appendix A, attached hereto and incorporated by reference, have been designated as Deer Oaks – the Behavioral Health Solution, an Affiliated Covered Entity pursuant, to 45 C.F.R. § 164.105(b).

RA/CAP Page 2 of 13 HHS’ investigations into these matters indicated that the following conduct occurred (“Covered Conduct”): a. Deer Oaks disclosed PHI in a manner not required or permitted by the Privacy Rule. See 45 C.F.R. § 164.502(a). b. Deer Oaks has not conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information that it holds. See 45 C.F.R. § 164.308(a)(1)(ii)(A). 3. No Admission. This Agreement is not an admission of liability by Deer Oaks. 4. No Concession. This Agreement is not a concession by HHS that Deer Oaks is not in violation of the HIPAA Rules and not liable for civil money penalties (“CMPs”). 5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR Transaction Numbers 22-457843 and 24-585373 and any violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below. II. Terms and Conditions 6. Payment. HHS has agreed to accept, and Deer Oaks has agreed to pay HHS, the amount of $__________ (“Resolution Amount”). Deer Oaks agrees to pay the Resolution Amount in one lump-sum on the Effective Date of this Agreement as defined in paragraph II.14 by automated clearing house transaction pursuant to written instructions to be provided by HHS. 7. Corrective Action Plan. Deer Oaks has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix B, which is incorporated into this Agreement by reference. If Deer Oaks breaches the CAP and fails to cure the breach as set forth in the CAP, then Deer Oaks will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement. 8. Release by HHS. In consideration of and conditioned upon Deer Oaks’ performance of its obligations under this Agreement, HHS releases Deer Oaks from any actions it may have against Deer Oaks under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement. HHS does not release Deer Oaks from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.

RA/CAP Page 3 of 13 9. Agreement by Released Party. Deer Oaks shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. Deer Oaks waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a) and 45 C.F.R. Part 160, Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount. 10. Binding on Successors. This Agreement is binding on Deer Oaks and its successors, heirs, transferees, and assigns. 11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement. 12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only and by this instrument the Parties do not release any claims against or by any other person or entity. 13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties. 14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”). 15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a CMP must be imposed within six (6) years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, Deer Oaks agrees that the time between the Effective Date of this Agreement (as set forth in Paragraph 14) and the date the Agreement may be terminated by reason of Deer Oaks’ breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. Deer Oaks waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the covered conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement. 16. Disclosure. HHS places no restriction on the publication of the Agreement. This Agreement and information related to this Agreement may be made public by either Party. 17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.

RA/CAP Page 4 of 13 18. Authorizations. The individual(s) signing this Agreement on behalf of Deer Oaks represent and warrant that they are authorized by Deer Oaks to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement. For Deer Oaks – The Behavioral Health Solution /s____________________________ Susan Norris, PhD Chief Executive Officer Deer Oaks – The Behavioral Health Solution _3/19/2025___________________________ Date For the United States Department of Health and Human Services /s____________________________ _ ___________________________ Michael Leoz Regional Manager Office for Civil Rights, Southwest Region 3/19/2025Date

RA/CAP Page 5 of 13 Appendix A DEER OAKS—THE BEHAVIORAL HEALTH SOLUTION (DEER OAKS) Deer Oaks, the affiliated covered entity includes, without limitation, the following operations and components owned or operated directly by Deer Oaks. AFFILIATED COVERED ENTITIES OF DEER OAKS 1. Deer Oaks Consultation Services PC (DOCS) 2. Deer Oaks Mental Health Associates (DOMHA) 3. Deer Oaks West LLC (Deer Oaks Illinois) 4. Deer Oaks Minnesota LLC 5. Deer Oaks Arkansas LLC 6. Deer Oaks Midwest 7. Deer Oaks Southeast 8. Deer Oaks Med Management LLC 9. Med Management Associates 10. Med Management Associates of Colorado LLC 11. Med Management Associates of Iowa PC 12. Med Management Associates of Virginia LLC 13. Med Management Indiana PC 14. Med Management of Kansas LLC

RA/CAP Page 6 of 13 Appendix B CORRECTIVE ACTION PLAN BETWEEN THE U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES AND DEER OAKS – THE BEHAVIORAL HEALH SOLUTION I. PreambleDeer Oaks – the Behavioral Health Solution, an Affiliated Cover Entity, hereby entersinto this Corrective Action Plan (“CAP”) with the United States Department of Healthand Human Services, Office for Civil Rights (“HHS”). Contemporaneously with thisCAP, Deer Oaks is entering into a Resolution Agreement (“Agreement”) with HHS, andthis CAP is incorporated by reference into the Agreement as Appendix B. Deer Oaksenters into this CAP as part of the consideration for the release set forth in paragraph II.8of the Agreement.II. Contact Persons and SubmissionsA. Contact Persons.Deer Oaks has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports: Susan Norris, Ph.D., CEO REDACTED | REDACTED Michael Rouse, Senior Director of IT REDACTED | REDACTED Brittany Velebil, CMCO, Senior Director of Quality and Compliance REDACTED | REDACTED HHS has identified the following individual as its authorized representative and contact person with whom Deer Oaks is to report information regarding the implementation of this CAP: Lan Hua Equal Opportunity Specialist Office for Civil Rights, Pacific Region The health care entities set forth in Appendix A, attached hereto and incorporated by reference, have been designated as Deer Oaks – the Behavioral Health Solution, an Affiliated Covered Entity pursuant to 45 C.F.R. § 164.105(b).

RA/CAP Page 7 of 13 U.S. Department of Health and Human Services 90 7th Street, Suite 4-100 San Francisco, CA 94103 REDACTED Voice Phone: REDACTED Deer Oaks and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above. B. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt. III. Effective Date and Term of CAP The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by Deer Oaks under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date, unless HHS has notified Deer Oaks under section VIII hereof of its determination that Deer Oaks has breached this CAP. In the event of such a notification by HHS under section VIII hereof, the Compliance Term shall not end until HHS notifies Deer Oaks that it has determined that the breach has been cured. After the Compliance Term ends, Deer Oaks shall still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII. Nothing in this CAP is intended to eliminate or modify Deer Oaks’ obligation to comply with the document retention requirements in 45 C.F.R. §§ 164.316(b) and 164.530(j). IV. Time In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days. V. Corrective Action Obligations Deer Oaks agrees to the following: A. Risk Analysis 1. Deer Oaks shall conduct and complete an accurate and thorough analysis of security risks and vulnerabilities that incorporates all electronic equipment, data

RA/CAP Page 8 of 13 systems, programs and applications controlled, administered, owned, or shared by Deer Oaks that contain, store, transmit or receive Deer Oaks electronic protected health information (ePHI). As part of this process, Deer Oaks shall include a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI which will then be incorporated in its risk analysis. See 45 C.F.R. § 164.308 (a)(l)(ii)(A). 2. Within thirty (30) calendar days of the Effective Date, Deer Oaks shall submit to HHS the scope and methodology by which it proposes to conduct the risk analysis. HHS shall notify Deer Oaks whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308 (a)(l)(ii)(A). 3. Deer Oaks shall provide the risk analysis to HHS within ninety (90) calendar days of HHS’ approval of the scope and methodology for HHS’ review. 4. Upon submission by Deer Oaks, HHS shall review and recommend changes to the aforementioned risk analysis. Upon receiving HHS’ recommended changes, Deer Oaks shall have sixty (60) calendar days to submit a revised risk analysis. This process will continue until HHS provides final approval of the risk analysis. 5. Deer Oaks shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Deer Oaks, affiliates that are owned, controlled, or managed by Deer Oaks. Subsequent risk analyses shall be submitted for review by HHS in the same manner as described in this section until the conclusion of the CAP. B. Risk Management 1. Deer Oaks shall develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis specified in section V.A.1 above. The risk management plan shall include a process and timeline for Deer Oaks’ implementation, evaluation, and revision of its risk remediation activities. See 45 C.F.R. § 164.308(a)(l)(ii)(B). 2. Within ninety (90) calendar days of HHS’ final approval of the risk analysis described in section V.A.1 above, Deer Oaks shall submit a risk management plan to HHS for HHS’ review and approval. HHS shall approve, or, if necessary, require revisions to Deer Oaks’ risk management plan. 3. Upon receiving HHS’ notice of required revisions, if any, Deer Oaks shall have sixty (60) calendar days to revise the risk management plan accordingly and forward for review and approval. This process shall continue until HHS approves the risk management plan. 4. Within sixty (60) calendar days of HHS’ approval of the risk management plan,

RA/CAP Page 9 of 13 Deer Oaks shall finalize and officially adopt the risk management plan in accordance with its applicable administrative procedures. 5. For the duration of this CAP and pursuant to each risk analysis conducted, Deer Oaks shall document the security measures Deer Oaks implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. C. Policies and Procedures 1. Deer Oaks shall develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Parts 160 and 164, Subpart E of 45 C.F.R. Part 164) to address any threats and vulnerabilities to the ePHI identified in the risk analysis and risk management plan required by Section V.A and Section V.B. 2. Deer Oaks shall develop, maintain, and revise, as necessary, its written policies and procedures to perform periodic technical and nontechnical evaluations, based initially upon the standards implemented under the Security Rule and, subsequently, in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which Deer Oaks policies and procedures are sufficient to prevent, detect, contain, and correct security violations. See 45 C.F.R. § 164.308(a)(8). 3. Within sixty (60) calendar days following HHS’ approval of the risk management plan, Deer Oaks shall provide such policies and procedures, consistent with Section V.C.1 and V.C.2 above, to HHS for review and approval. Upon receiving any required revisions to such policies and procedures from HHS, Deer Oaks shall have thirty (30) calendar days to revise the policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval. This process shall continue until HHS approves such policies and procedures. D. Distribution and Updating of Policies and Procedures 1. Deer Oaks shall distribute the policies and procedures identified in Section V.C to members of its workforce responsible for implementation and enforcement of those policies within thirty (30) calendar days of HHS' approval of such policies and to new members of its workforce responsible for implementation and enforcement of those policies within thirty (30) calendar days of the beginning of service. 2. Deer Oaks shall require, at the time of distribution of the policies and procedures, a signed written or electronic initial compliance certification from all members of its workforce identified in Section V.D.1 , stating that the workforce members have read, understand, and shall abide by such policies and procedures.

RA/CAP Page 10 of 13 3. Deer Oaks shall assess, update, and revise, as necessary, the policies and procedures at least annually. Deer Oaks shall provide the revised policies and procedures to HHS for review and approval. Within thirty (30) calendar days of receipt of any approved substantive revisions by HHS, Deer Oaks shall distribute such revised policies and procedures to its workforce identified in Section V.D.1 and shall require new compliance certifications. 4. Deer Oaks shall not provide any member of its workforce identified in Section V.D.1 with access to PHI if that workforce member has not signed or provided the written or electronic certification required by paragraphs 2 and 3 of this section. E. Reportable Events 1. During the Compliance Term, Deer Oaks shall, upon learning that a workforce member likely failed to comply with its policies and procedures described in Section V.C, promptly investigate this matter. If Deer Oaks, after review and investigation, determines that a member of its workforce has failed to comply with its policies and procedures, Deer Oaks shall report such events to HHS as provided in Section VI.B.1.c on a quarterly basis. Such violations shall be known as Reportable Events. The report to HHS shall include the following: a. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the policies and procedures implicated; and b. A description of the actions taken and any further steps Deer Oaks plans to take to address the matter, to mitigate any harm, and to prevent it from recurring, including application of any appropriate sanctions against workforce members who failed to comply with its Privacy, Security, and Breach Notification policies and procedures. c. If no Reportable Events occur during the Compliance Term, Deer Oaks shall so inform HHS in the Annual Report(s) as specified in Section VI below. F. Training 1. Deer Oaks shall provide HHS with training materials on the privacy and security of ePHI to all members of its workforce who have access to ePHI, including specific training related to the policies and procedures required in Section V.C as necessary and appropriate for workforce members to perform their job duties, within thirty (30) calendar days of receiving HHS’ final approval of policies and procedures described in Section V.C.

RA/CAP Page 11 of 13 2. Upon receiving notice from HHS specifying any required changes, Deer Oaks shall make the required changes and provide revised training materials to HHS within thirty (30) calendar days. 3. Upon receiving approval from HHS of the training materials, Deer Oaks shall provide training for each workforce member who has access to PHI within thirty (30) calendar days of HHS’ approval and annually thereafter. Deer Oaks shall also provide such training to each new member of its workforce within thirty (30) calendar days of their beginning of service. 4. Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received. All course materials shall be retained in compliance with Section VII. 5. Deer Oaks shall review the training at least annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, or any other relevant developments. VI. Implementation Report, and Annual Reports A. Implementation Report 1. Within ninety (90) calendar days of receipt of HHS’ approval of the training required by section V.F.1, Deer Oaks shall submit a written report to HHS summarizing the status of its implementation of the requirements of this CAP. This report, known as the “Implementation Report,” shall include: a. An attestation signed by an owner or officer of Deer Oaks attesting that the policies and procedures approved by HHS in Section V.C are being implemented; b. An attestation signed by an owner or officer of Deer Oaks attesting that all members of the workforce have completed the initial training required by Section V.F; c. An attestation signed by an owner or officer of Deer Oaks stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful. B. Annual Reports. 1. The one (1) year period after the Effective Date and each subsequent one (1) year period during the course of the Compliance Term shall be known as a “Reporting Period.” Within sixty (60) calendar days after the close of each corresponding Reporting Period, Deer Oaks shall submit a report to HHS regarding Deer Oaks’

RA/CAP Page 12 of 13 compliance with this CAP for each corresponding Reporting Period (“Annual Report”). The Annual Report shall include: a. An attestation signed by an owner or officer of Deer Oaks attesting that all members of the workforce have completed the training required by section V.F during the Reporting Period; b. An attestation signed by an officer or director of Deer Oaks attesting that any revision(s) to the policies and procedures required by Section V.C were finalized and adopted within thirty (30) calendar days of HHS’ approval of the revision(s), which shall include a statement affirming that Deer Oaks distributed the revised policies and procedures to all appropriate members of Deer Oaks’ workforce within sixty (60) calendar days of HHS’ approval of the revision(s); c. A summary of Reportable Events (defined in Section V.E), if any, the status of any corrective and preventative action(s) relating to all such Reportable Events, or an attestation signed by an officer or director of Deer Oaks stating that no Reportable Events occurred during the Compliance Term. d. An attestation signed by an owner or officer of Deer Oaks attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful. VII. Document Retention Deer Oaks shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date. VIII. Requests for Extensions and Breach Provisions A. Timely Written Requests for Extensions. Deer Oaks may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five (5) calendar days prior to the date such an act is required or due to be performed. This requirement may be waived by HHS only. B. Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty. The parties agree that a breach of this CAP by Deer Oaks constitutes a breach of the Agreement. Upon a determination by HHS that Deer Oaks has breached this CAP, HHS may notify Deer Oaks of: (1) Deer Oaks’ breach; and (2) HHS’ intent to impose a CMP, pursuant to 45 C.F.R. Part 160, or other remedies, for the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy, Security, and Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).

RA/CAP Page 13 of 13 C. Deer Oaks’ Response. Deer Oaks shall have thirty (30) calendar days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that: 1. Deer Oaks is in compliance with the obligations of the CAP that HHS cited as the basis for the breach; 2. The alleged breach has been cured; or 3. The alleged breach cannot be cured within the 30-day period, but that: (a) Deer Oaks has begun to take action to cure the breach; (b) Deer Oaks is pursuing such action with due diligence; and (c) Deer Oaks has provided to HHS a reasonable timetable for curing the breach. D. Imposition of CMP. If at the conclusion of the 30-day period, Deer Oaks fails to meet the requirements of this CAP to HHS’ satisfaction, HHS may proceed with the imposition of the CMP against Deer Oaks pursuant to 45 C.F.R. Part 160 for any violations of the Covered Conduct set forth i paragraph 1.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS shall notify Deer Oaks in writing of its determination to proceed with the imposition of the CMP. For Deer Oaks – The Behavioral Health Solution _ /s____________________________ Susan Norris, PhD Chief Executive Officer Deer Oaks – The Behavioral Health Solution 3/19/2025____________________________ Date For the United States Department of Health and Human Services /s________________________ _ ___________________________ Michael Leoz Regional Manager Office for Civil Rights Southwest Region 3/19/2025_Date