HIPAA Business Associate Agreement


This Annex A applies (and is incorporated into our Agreement) where the Customer is a Covered Entity or Business Associate and the Customer’s use of the Services involves the creation, receipt, maintenance or transmission of Protected Health Information. If the Customer is not using the Services in connection with Protected Health Information, this Annex A does not apply.

RECITALS

  1. This HIPAA Business Associate Agreement contained within this Annex A constitutes a business associate relationship under HIPAA and its implementing privacy and security regulations at 45 C.F.R. Parts 160 and 164 (the “HIPAA regulations”). It is entered into by the Parties in addition to the Master Software as a Service (SaaS) Terms and is intended to form a legally binding agreement between the Parties.
  2. Customer wishes to disclose to Upvio certain information pursuant to the terms of this Annex A, some of which may constitute Protected Health Information ("PHI") and confidential information protected by federal and/or state laws.
  3. As set forth in this Annex A, Upvio is the Business Associate of Customer and provides services, arranges, performs, or assists in the performance of functions or activities on behalf of the Customer and creates, receives, maintains, transmits, uses, or discloses PHI.
  4. Customer and Upvio desire to protect the privacy and provide for the security of PHI and confidential information created, received, maintained, transmitted, used, or disclosed pursuant to this Annex A, in compliance with HIPAA and HIPAA regulations and other applicable laws.
  5. The terms used in this Annex A, but not otherwise defined, shall have the same meanings as those terms in the HIPAA regulations.

  1. DEFINITIONS AND INTERPRETATION

  1. In this Annex A:

HIPAA

means the Health Insurance Portability and Accountability Act;

Master SaaS Terms

means the Master Software as a Service Terms entered into between the Customer and Upvio which governs the terms and conditions of the services provided by Upvio to the Customer;

Protected Health Information or PHI

means any information, whether oral or recorded in any form or medium that relates to the past, present, or future physical or mental condition of an individual, the provision of health and dental care to an individual, or the past, present, or future payment for the provision of health and dental care to an individual;

Secretary

means the Secretary of the U.S. Department of Health and Human Services; and

Security Incident

means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI, or confidential information that is essential to the ongoing operation of the Business Associate’s organization and intended for internal use; or interference with system operations in an information system.

  2. Permitted Uses and Disclosures of PHI by Upvio

  1. Except as otherwise indicated in this Annex A, Upvio may use or disclose PHI only to perform functions, activities or services specified in the Master SaaS Terms, for, or on behalf of the Customer, provided that such use or disclosure would not violate HIPAA.

  2. Except as otherwise indicated in this Annex A, Upvio may use and disclose PHI for:

     1. the proper management and administration of Upvio;
     2. carrying out its obligations under the Master SaaS Terms;
     3. carrying out the legal responsibilities and duties of Upvio; and
     4. carrying out data aggregation by combining PHI created or received by Upvio to permit data analysis that relates to the health care operations of the Customer.

  3. Responsibilities of Upvio

  1. Upvio agrees:

     1. not to use or disclose PHI other than as permitted or required by this Annex A or as required by law;
     2. to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI, including electronic PHI, that it creates, receives, maintains, uses, or transmits on behalf of the Customer;
     3. to prevent use or disclosure of PHI other than as provided for by this Annex A;
     4. to develop and maintain a written information privacy and security policy that includes administrative, technical, and physical safeguards appropriate to the size and complexity of Upvio’s operations and the nature and scope of its activities;
     5. to take any and all steps necessary to ensure the continuous security of all computerized data systems containing PHI;
     6. to mitigate, to the extent practicable, any harmful effects known to Upvio of a use or disclosure of PHI by Upvio or its subcontractors in violation of the requirements of this Annex A;
     7. to ensure that any agents, including subcontractors, to whom Upvio provides PHI received from, or created or received by Upvio on behalf of, the Customer agree to the same restrictions and conditions that apply to Upvio with respect to such PHI, including implementation of reasonable and appropriate administrative, physical, and technical safeguards to protect such PHI;
     8. to provide the Customer access as it may require, in a timely manner upon reasonable notice, to the PHI provided by the Customer, or as directed by the Customer to an individual, in accordance with 45 C.F.R. § 164.524;
     9. to notify the Customer as soon as it becomes aware of a Security Incident and to take prompt and corrective actions to mitigate any risks or damages involved with the Security Incident and protect the operating environment; and
     10. to take any action required by applicable federal and state laws and regulations to prevent unauthorised disclosure of PHI.

  4. Investigation of a Security Incident

  1. The Customer shall immediately investigate any Security Incident or suspected Security Incident and identify, as soon as reasonably possible:

     1. what data elements were involved, and the extent of the data involved in the breach;
     2. a description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI;
     3. a description of where the PHI is believed to have been improperly transmitted, sent, or utilized;
     4. a description of the probable causes of the improper use or disclosure; and
     5. whether Civil Code § 1798.29 or § 1798.82 or any other federal or state laws requiring individual notifications of breaches are triggered.

  2. Upvio shall notify any affected individuals following a Security Incident when such notification is required under federal or state laws or regulations.

  5. Training

  1. Upvio shall use reasonable endeavours to train its employees regarding the use of PHI in accordance with HIPAA requirements.

  6. Obligations of Customer

  1. The Customer shall:

     1. provide Upvio with the Notice of Privacy Practices that the Customer produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice;
     2. provide Upvio with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Upvio’s permitted or required uses and disclosures;
     3. notify Upvio of any restriction to the use or disclosure of PHI that the Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Upvio’s use or disclosure of PHI;
     4. notify Upvio (within 2 days of request) of any patient (or patient’s representative) preferences (or changes to such preferences) regarding the method of, or how to, communicate with the patient; and
     5. not request Upvio to use or disclose PHI in any manner that would not be permissible under HIPAA or the HIPAA regulations.

  2. The Customer shall at all times comply with HIPAA and any other applicable federal and state laws and regulations in its operations and in its collection of PHI.

  7. Indemnity

  1. THE CUSTOMER SHALL INDEMNIFY, KEEP INDEMNIFIED AND HOLD HARMLESS UPVIO FROM AND AGAINST ANY LOSSES, CLAIMS, DAMAGES, LIABILITY, COSTS (INCLUDING LEGAL AND OTHER PROFESSIONAL FEES) AND EXPENSES INCURRED BY IT (OR ANY OF ITS AFFILIATES) AS A RESULT OF THE CUSTOMER’S BREACH OF THIS ANNEX A OR ANY USE OF THE PHI PROVIDED BY THE CUSTOMER.

THIS CLAUSE 7 SHALL SURVIVE TERMINATION OR EXPIRY OF OUR ANNEX A.

  8. Confidentiality and Security of PHI

  1. Upvio shall maintain the confidentiality of all PHI provided to it by the Customer.

  2. Upvio shall implement technical and organisational security measures in accordance with its Information Security Addendum and HIPAA Privacy and Security Policy.

  3. Upvio undertakes to disclose the PHI only to those of its officers, employees, agents, contractors, and direct and indirect sub-contractors to whom, and to the extent to which, such disclosure is necessary for the purposes contemplated under our Annex A or as otherwise reasonably necessary for the provision or receipt of the services under the Master SaaS Terms.

  9. Audit Inspections and Enforcement

  1. Upvio shall, upon two months’ prior written notice, permit the Customer to carry out an inspection of its facilities, books, and records to monitor compliance with this Annex A.

  2. The Customer shall only be entitled to carry out the inspection rights contained within clause 9.1 above once in any 12-month period.

  3. Upvio shall promptly remedy any violation of any provision of this Annex A and certify the same.

  10. Termination

  1. Upvio may terminate our Annex A immediately at any time by giving notice in writing to the Customer if:

     1. the Customer commits a material breach of this Annex A or the Master SaaS Terms and such breach is not remediable; or
     2. the Customer has failed to pay any amount due under the Master SaaS Terms on the due date and such amount remains unpaid within 14 Business Days after the other party has received notification that the payment is overdue.

  11. Consequences of Termination

  1. Immediately on termination of this Annex A (for any reason), the rights granted by Upvio to the Customer shall terminate and the Customer shall (and shall procure that each Authorised User and Authorised Affiliate shall):

     1. stop using the services and stop sharing PHI with Upvio;
     2. Upvio shall destroy and delete or, if requested by the Customer or if required under HIPAA or applicable federal or state laws or regulations, return PHI to the Customer.

End.