HIPAA Privacy and Security Policy

This HIPAA Privacy and Security Policy for Upvio (“we”, “us”, or “our”) supplements our Privacy Policy and describes how and why we collect, store, use and share protected health information (‘PHI’) of individuals who reside in the USA in compliance with the Health Insurance Portability and Accountability Act (‘HIPAA’).

We collect, use and are responsible for certain personal data and PHI in accordance with this policy and our Privacy Policy (as updated from time-to-time).

Members of Upvio’s workforce may have access to PHI of its Customers. Upvio intends to fully comply with the requirements of HIPAA, as administered by the United States Department of Health and Human Services (HHS), including HIPAA’s Privacy Rule and Security Rule. HIPAA restricts Upvio’s use and disclosure of PHI it obtains from its customers in the course of providing services to its customers.

We are happy to answer your questions about any of the above – please send them to [email protected]

In this Policy, we use the following references:

We, us, our: Upvio Healthtech Pty Ltd of Level 8, 905 Hay Street, Perth, WA, 6000, Australia with company number ACN 657 030 192.

PHI: means protected health information that is created or received by the Customer and shared with Upvio relating to the past, present, or future physical or mental health or condition of an individual.

Data Protection Officer

We are required to appoint a data protection officer to monitor our compliance with HIPAA.

The details of our appointed data protection officers are set out in Schedule 2.

Persons with Access and Workforce Training

It is Upvio’s policy to limit access to PHI to those who need it to perform their duties, and to train employees who have access to PHI on its privacy and security policies and procedures. Upvio will develop training schedules and programs so that employees who have access to PHI receive the training necessary and appropriate to permit them to carry out their functions.

Technical and Physical Safeguards and Firewall

An analysis of all of Upvio’s information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats (internal or external, natural or artificial, electronic and non-electronic) that affect the ability to manage the information resource.

Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.

All computer equipment and network systems are assets of Upvio and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based, and include the following:

Installed Software: All software packages that reside on computers and networks within Upvio must comply with applicable licensing agreements and restrictions.

Virus Protection: Virus checking systems approved by the Data Protection Officer must be deployed on all computer systems to ensure that all electronic files are appropriately scanned for viruses.

Access Controls: Physical and electronic access to PHI is controlled. To ensure appropriate levels of access by internal employees, a variety of security measures will be instituted as recommended and approved by Upvio.

Authorization: Access will be user-based, whereby users of a system gain access based upon their identity.

Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access PHI.

Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks.

Remote Access: Access into the Company’s network from outside will be granted using Company-approved devices and pathways on an individual user and application basis. All remote access to systems which may access electronic PHI shall be made using a “virtual private network”. All other network access options to these systems are strictly prohibited.

Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals.

Security Updates: The Company will provide periodic updates as appropriate, including security reminders regarding access security, virus protection and maintaining password protection.

Complaints

The Data Protection Officer is responsible for administering complaints.

To make a complaint, please contact our Data Protection Officer on the details provided at Schedule

Sanctions for Violations of this HIPAA Privacy and Security Policy

Sanctions for using or disclosing PHI in violation of this HIPAA Privacy and Security Policy will be imposed in accordance with Upvio’s discipline policy.

Mitigation of Inadvertent Disclosures of Protected Health Information

Upvio shall mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an individual’s PHI in violation of the policies and procedures set forth in this Policy.

As a result, if an employee becomes aware of a disclosure of PHI that violates this Policy, the employee must contact the Data Protection Officer so that the appropriate steps can be taken to mitigate the harm to the participant.

Breach Notification Requirements

Upvio will comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and its implementing regulations with respect to notifications in the event of a breach of unsecured PHI, and the relevant sections of HIPAA as required.

As a result, if an employee becomes aware of a potential breach of unsecured PHI, the employee shall contact the Data Protection Officer promptly following a suspected breach of unsecured PHI.

The Data Protection Officer shall direct and undertake an investigation and risk assessment to determine if a breach of unsecured PHI occurred and the scope of such breach. There is a reportable breach only if all of the following have occurred, as determined by the Data Protection Officer:

  • There is a violation of the HIPAA Privacy Rules involving “unsecured” PHI.
  • The violation involved unauthorized access, use, acquisition, or disclosure of unsecured PHI.
  • The violation resulted in a compromise of the security or privacy of the PHI.
  • No exception applies under applicable law.

If the Data Protection Officer determines that there is a low probability that the PHI was compromised, they will document the determination in writing and keep the documentation on file.

Upvio shall, following the discovery of a breach of unsecured PHI that is required to be reported, notify each individual whose unsecured PHI has been, or is reasonably believed by Upvio to have been, accessed, acquired, used, or disclosed as a result of such breach (as well, if required, the Secretary of the U.S. Department of Health and Human Services).

Use of PHI by Upvio

Upvio shall not use or further disclose PHI, other than as permitted by the terms of our Privacy Policy and as agreed with our Customer under the Master SaaS Terms, and in all cases as required and restricted by law.

Upvio shall ensure that any agents or subcontractors to whom it provides PHI received from Customers agree to the same restrictions and conditions that apply to Upvio.

Upvio shall not use or disclose PHI for employment-related actions or in connection with any other employee benefit plan (except as permitted within any “organized health care arrangement” or among the affiliated companies, as required for workers’ compensation purposes).

Upvio employees shall report to the Data Protection Officer any use or disclosure of the information that is inconsistent with the permitted uses or disclosures.

Upvio shall make PHI available to its Customers and individuals of its Customers as required by law, and consider their amendments and, upon request, provide them with an account of PHI disclosures.

Upvio shall, if feasible, return or destroy all PHI received from its Customers that Upvio still maintains in any form, and retain no copies of such information, when it is no longer needed for the purpose for which it was disclosed. If such return or destruction is not feasible, Upvio shall limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Upvio may disclose PHI for the purposes of its own operations, or to carry out any of its obligations under the Master SaaS Terms, and in addition, any disclosure so outlined within Upvio’s Privacy Policy (as updated and amended from time-to-time).

Documentation and Document Retention

Policies and procedures regarding document retention and retention of PHI will be changed as necessary by Upvio in order to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures will promptly be documented.

If a change in law impacts the use of PHI by Upvio, it shall update this Policy and any other policy as required and make such updates available to the necessary parties.

Upvio must maintain such documentation about the activities it carries out with PHI for at least six years.

Access to PHI is Limited to Certain Employees

In order for Upvio to carry out its obligations under the Master SaaS Terms, Upvio shall permit only those employees who are required to access PHI to carry out their duties to access and use PHI. Those employees shall have regular and recurring access to and use of PHI.

Employees with access may use and disclose PHI to the Customer who provided such PHI in order to carry out administrative functions, and they may disclose PHI to other employees with access to complete administrative functions (but the PHI disclosed must be limited to the minimum amount necessary to perform the obligations of Upvio).

Employees with access may not generally disclose PHI to employees who do not have access to PHI unless authorised by the Data Protection Officer, or as is otherwise in compliance with this Policy.

Other documents

This HIPAA Privacy and Security Policy should be read in conjunction with, and interpreted alongside, Upvio’s Privacy Policy (and where relevant, the Master SaaS terms and associated documentation referred to therein).

Updates

Upvio may update this policy from time-to-time. It is the responsibility of the Customer and any individual about whom Upvio retains, uses, or stores PHI to review this policy periodically.

All employees of Upvio will be notified of any changes made to this HIPAA Privacy and Security Policy, and where any substantial change is made, Upvio shall train and ensure that each employee is made aware of such changes.


SCHEDULE 1

Our Data Protection Officer

The details of our nominated Data Protection Officer are set out in the table below.

Data Protection Officer

Name: Marc Qualie

Contact details: Registered Company Address: Level 8, 905 Hay Street, Perth, WA, 6000, Australia; [email protected]