HIPAA Business Associate Agreement

UPStandards LLC Template with CMIA and 42 CFR Part 2 Schedule

Effective Date: May 6, 2026 · Version v2

This HIPAA Business Associate Agreement ("BAA") is entered into as of May 6, 2026 by and between UPStandards LLC, a California limited liability company ("Business Associate" or "UPStandards"), and the covered entity customer identified in the applicable Order Form ("Covered Entity" or "Customer"). This BAA supplements and is incorporated into the Master Subscription Agreement or other services agreement between the Parties (the "Services Agreement").

The Parties intend this BAA to satisfy the business associate contract requirements of HIPAA and to address the specific UPStandards data model: a limited accreditation workflow data set, not a full EHR, treatment-planning database, billing record, or complete clinical record repository.

1. Definitions

Capitalized terms not defined in this BAA have the meanings given in HIPAA or the Services Agreement. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996 and its implementing Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended. "Protected Health Information" or "PHI" has the meaning in HIPAA and includes electronic PHI. "Security Incident," "Breach," "Unsecured PHI," "Subcontractor," "Secretary," "Required by Law," "Use," and "Disclosure" have the meanings in HIPAA.

2. Relationship of the Parties

2.1 Covered Entity is a HIPAA covered entity or otherwise has authority to disclose PHI to UPStandards for the Services. UPStandards is a business associate only to the extent it creates, receives, maintains, or transmits PHI on behalf of Covered Entity through the Services.

2.2 UPStandards provides a SaaS platform for accreditation audit workflows, facility compliance rounds, policy library management, risk scoring, reviewer notes, and survey-readiness reporting. Covered Entity remains responsible for its provider, treatment, clinical documentation, patient-notice, authorization, consent, recordkeeping, and legal compliance obligations.

3. Limited PHI Scope; Excluded Data Categories

3.1 Permitted PHI scope. The Parties expect the Services to process a limited subset of PHI consisting of the limited data elements used for accreditation, safety, audit, and compliance workflows. The Parties expect the Services may process case numbers, initials, names or other patient identifiers where required for specific compliance workflows, admission and discharge or program enrollment dates, Q15 patient safety observation logs, restraint and seclusion documentation, chart-audit fields, accreditation-standard audit findings, yes/no/partial compliance results, timestamps, reviewer notes, risk scores derived from audit workflows, treating clinician names and credentials, facility rounds information, environment-of-care inspection findings, and policy library content. The presence of named-patient identifiers in these specific workflows does not convert UPStandards into an EHR, full clinical record repository, treatment-planning system, billing platform, or source of truth for Customer medical records.

3.2 Excluded data. Covered Entity shall not submit diagnoses, SUD diagnoses, treatment plan goals, interventions, treatment modalities, progress notes, psychotherapy notes, SUD counseling notes, complete medical records, lab results, imaging, prescription details, billing PHI, financial PHI, or other non-required clinical data unless expressly authorized by UPStandards in a written addendum or product workflow designed for that purpose.

3.3 Effect of limited data scope. UPStandards obligations under this BAA apply to PHI actually created, received, maintained, or transmitted by UPStandards through the Services. UPStandards is not responsible for PHI retained only in Covered Entity EHR, systems, devices, local files, unauthorized third-party tools, or workflows outside UPStandards control.

3.4 Customer configuration responsibility. Covered Entity shall configure the Services and train Authorized Users to follow the minimum necessary standard and avoid unnecessary PHI submission. Covered Entity shall promptly notify UPStandards if Covered Entity discovers that excluded data categories were submitted.

4. Permitted Uses and Disclosures by UPStandards

UPStandards may use and disclose PHI only as permitted by this BAA, the Services Agreement, the applicable Order Form, Covered Entity written instructions, or as Required by Law. Permitted purposes include:

providing, hosting, operating, maintaining, securing, supporting, troubleshooting, and improving the Services for Covered Entity;

creating reports, audit summaries, risk scores, dashboard outputs, and related platform outputs requested by Covered Entity;

performing customer support, account administration, security monitoring, backup, logging, and incident response;

using PHI for UPStandards proper management and administration or to carry out its legal responsibilities, subject to HIPAA limits;

disclosing PHI to subcontractors that create, receive, maintain, or transmit PHI on UPStandards behalf only if they agree to the same restrictions, conditions, and requirements applicable to UPStandards;

de-identifying PHI in accordance with 45 CFR 164.514, where applicable, and using de-identified information as permitted by law and the Services Agreement.

5. Restrictions on UPStandards

UPStandards shall not use or disclose PHI other than as permitted by this BAA or Required by Law; shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity, except as permitted for UPStandards management and administration or legal responsibilities; shall not sell PHI; shall not use PHI for marketing without authorization if authorization is required; shall request, use, and disclose only the minimum necessary PHI for the permitted purpose; and shall not transmit PHI to Anthropic, external AI providers, or other non-BAA vendors unless the Parties amend the Services architecture and contractual terms to permit that processing.

6. Safeguards

UPStandards shall implement administrative, physical, and technical safeguards designed to protect PHI against use or disclosure not permitted by this BAA and to protect electronic PHI in accordance with the HIPAA Security Rule. Safeguards may include workforce confidentiality obligations, access controls, role-based permissions, authentication, encryption in transit, encryption at rest where supported, logging, backup and recovery processes, vendor review, vulnerability management, and incident response procedures.

7. Reporting Security Incidents, Unauthorized Uses, and Breaches

7.1 UPStandards shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which UPStandards becomes aware. UPStandards shall report a Breach of Unsecured PHI without unreasonable delay and in no event later than 10 business days after discovery, except to the extent a law-enforcement delay applies or more urgent notice is required by law.

7.2 The notice will include, to the extent known at the time: a description of the incident; the types of PHI involved; affected individuals or records if known; mitigation steps taken or planned; recommended actions; and a contact for follow-up. UPStandards may supplement notice as additional information becomes available.

7.3 The Parties acknowledge that routine, unsuccessful security events such as pings, blocked scans, failed login attempts, denial-of-service attempts, or firewall events that do not result in unauthorized access to PHI are not required to be reported individually, but may be reported in aggregate upon reasonable request if operationally feasible.

8. Subcontractors

UPStandards may use subcontractors and vendors to provide the Services, including hosting, authentication, storage, email, infrastructure, security, and support providers. To the extent a subcontractor creates, receives, maintains, or transmits PHI on behalf of UPStandards, UPStandards shall ensure the subcontractor agrees in writing to substantially the same restrictions, conditions, and requirements that apply to UPStandards with respect to PHI. Current expected vendors include Supabase for managed database/authentication/storage under a HIPAA tier and BAA; Postmark for transactional email only under a no-PHI email-content architecture; Netlify for frontend hosting not intended to store PHI; Stripe for payment processing not intended to process PHI; and Anthropic for non-PHI aggregate/de-identified AI inputs only. Postmark, Stripe, Netlify, and Anthropic should not receive PHI unless the applicable agreement, workflow, and vendor compliance posture are separately reviewed and approved in writing.

9. Access, Amendment, Accounting, and Restrictions

9.1 Covered Entity is responsible for responding to individual requests for access, amendment, accounting of disclosures, restrictions, confidential communications, and related rights. UPStandards will reasonably assist Covered Entity, to the extent the requested PHI is maintained in the Services and is accessible to UPStandards, within commercially reasonable timeframes.

9.2 If UPStandards receives a direct request from an individual concerning PHI, UPStandards may direct the individual to Covered Entity and will not respond substantively unless Required by Law or authorized by Covered Entity.

9.3 If Covered Entity informs UPStandards of restrictions, revocations, or special instructions that affect UPStandards use or disclosure of PHI, Covered Entity shall provide timely written notice. UPStandards is not responsible for restrictions not communicated in a manner allowing operational implementation.

10. HHS Access

UPStandards shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by UPStandards on behalf of, Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity compliance with HIPAA, as required by HIPAA.

11. Covered Entity Obligations

Covered Entity shall:

not request UPStandards to use or disclose PHI in a manner not permitted by HIPAA if done by Covered Entity;

provide notice of privacy practices limitations, authorizations, revocations, restrictions, or confidential communication requirements that may affect UPStandards processing;

submit only the minimum necessary PHI needed for the accreditation workflow;

maintain the official designated record set and underlying medical record outside UPStandards unless otherwise agreed;

obtain all patient consents, authorizations, and legal permissions required for use and disclosure of PHI and Part 2 Records;

not upload excluded data categories without written authorization;

remain responsible for clinical, accreditation, provider, facility, and patient-care obligations.

12. 42 CFR Part 2

12.1 If Covered Entity is a Part 2 program, or if Customer Data includes Part 2 Records, Schedule A applies. Covered Entity is responsible for identifying Part 2 Records and ensuring that use and disclosure through the Services is supported by patient consent or another applicable permission. UPStandards will not independently determine whether data is subject to Part 2.

12.2 UPStandards shall not use Part 2 Records for civil, criminal, administrative, or legislative proceedings against a patient except as permitted by 42 CFR Part 2 and applicable law. UPStandards shall not condition Services availability on receiving SUD counseling notes and does not intend to process SUD counseling notes.

13. California CMIA and State Law

For California medical information and California customers, UPStandards shall not intentionally share, sell, use for marketing, or otherwise use medical information for a purpose unrelated to providing the Services except as permitted by applicable law and this BAA. To the extent CMIA or another state medical privacy law is more protective than HIPAA and applies to UPStandards as a contractor, UPStandards will comply with the applicable more protective requirement, provided Covered Entity remains responsible for its own provider and patient-notice obligations.

14. De-Identification; Aggregated Data

UPStandards may de-identify PHI in accordance with HIPAA. Properly de-identified information is not PHI and may be used for analytics, benchmarking, product improvement, security, reporting, research, and business purposes, provided it does not identify Covered Entity, patients, or individuals unless separately permitted. UPStandards may use aggregated operational metrics that do not identify patients and do not constitute PHI.

15. Termination

15.1 Covered Entity may terminate the Services Agreement or this BAA if Covered Entity determines that UPStandards has violated a material term of this BAA and UPStandards fails to cure within 30 days after written notice, unless immediate termination is required by law or the violation is incapable of cure.

15.2 Upon termination, UPStandards shall return or destroy PHI received from, or created or received by UPStandards on behalf of, Covered Entity, if feasible and as provided in the Services Agreement. If return or destruction is infeasible, UPStandards shall extend the protections of this BAA to retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

15.3 The obligations of UPStandards regarding PHI retained after termination survive termination for as long as UPStandards maintains the PHI.

16. Liability; Narrow PHI Footprint

The Parties agree that the Services are priced and architected based on a limited PHI footprint. Nothing in this BAA expands UPStandards liability for PHI not actually created, received, maintained, or transmitted by UPStandards, or for PHI submitted contrary to this BAA, the Services Agreement, Documentation, or Customer configuration instructions. The limitation of liability in the Services Agreement applies to this BAA except to the extent prohibited by law or expressly modified in an enterprise Order Form. Covered Entity remains responsible for data minimization, lawful instructions, user conduct, patient consents, and content submitted to the Services.

17. Order of Precedence

If this BAA conflicts with the Services Agreement regarding PHI, HIPAA, Part 2 Records, breach notification, subcontractor PHI obligations, return/destruction of PHI, or individual rights support, this BAA controls. If a signed Part 2 Addendum imposes stricter obligations for Part 2 Records, that addendum controls for Part 2 Records.

18. Miscellaneous

This BAA may be amended only in writing or as necessary to comply with changes in HIPAA, Part 2, CMIA, or other applicable law. Any ambiguity will be resolved to permit compliance with applicable privacy and security laws. Electronic signatures are valid. This BAA binds and benefits permitted successors and assigns.

Execution

UPSTANDARDS LLC, Business Associate
By: ______________________________
Name: ____________________________
Title: _____________________________
Date: _____________________________

COVERED ENTITY
By: ______________________________
Name: ____________________________
Title: _____________________________
Date: _____________________________

Schedule A - Substance Use Disorder Records / 42 CFR Part 2 Addendum

This Schedule A applies only if Customer is a Part 2 program, a lawful holder of Part 2 Records, or submits patient identifying information subject to 42 CFR Part 2 to the Services.

A.1 Customer determination and consent. Customer is responsible for determining whether information submitted to the Services is subject to Part 2 and for obtaining, documenting, and maintaining any patient consent or other legal authority required for disclosure to and processing by UPStandards. UPStandards is entitled to rely on Customer instructions and representations unless UPStandards has actual knowledge that a requested use or disclosure is unlawful.

A.2 Permitted Part 2 processing. UPStandards may use and disclose Part 2 Records solely to provide the Services, for treatment, payment, and health care operations if permitted by Customer consent and applicable law, to comply with law, to manage and administer UPStandards legal responsibilities where permitted, and as otherwise authorized by Part 2.

A.3 Redisclosure notice. Where UPStandards makes a disclosure of Part 2 Records that requires a Part 2 notice, UPStandards will include one of the notices permitted by 42 CFR 2.32, such as: "42 CFR part 2 prohibits unauthorized use or disclosure of these records." For higher-risk workflows, Customer may require the longer Part 2 notice language in writing.

A.4 Proceedings against patient. UPStandards shall not use or disclose Part 2 Records in any civil, criminal, administrative, or legislative proceeding against a patient except as permitted by Part 2, including patient consent for that purpose or a court order meeting Part 2 requirements.

A.5 SUD counseling notes excluded. Customer shall not submit SUD counseling notes to the Services unless the Parties execute a specific written addendum. UPStandards standard platform is not intended to store SUD counseling notes.

A.6 Contractors and subprocessors. To the extent UPStandards discloses Part 2 Records to a contractor or subcontractor as permitted by law, UPStandards shall require appropriate confidentiality, security, redisclosure, and breach-reporting obligations consistent with Part 2 and HIPAA.

A.7 Customer controls. Customer shall configure access permissions to restrict Part 2 Records to Authorized Users with a need to know. Customer shall not use general-purpose notes fields to add unnecessary substance use disorder treatment content.

A.8 No consent management. UPStandards does not maintain Customer Part 2 consent forms, expiration logic, revocation workflow, or consent scope validation unless expressly agreed in an Order Form or SOW.

Schedule B - Expected Vendors, Subprocessors, and Data Roles

Provider: Supabase
Expected Role: Managed Postgres database, authentication, storage, and backend infrastructure
PHI Status / Contract Position: HIPAA-tier infrastructure; BAA required/in progress before production PHI use; expected to host the platform PHI database and related access/authentication components.

Provider: Postmark
Expected Role: Transactional email delivery only
PHI Status / Contract Position: No PHI in email content. No BAA expected or relied on under Path A architecture. Product and operational controls should prevent patient identifiers, chart/audit details, Part 2 information, or other PHI from being placed in transactional emails.

Provider: Stripe
Expected Role: Payments, invoices, and subscription billing
PHI Status / Contract Position: No PHI in payment flow. Should receive billing/account metadata only, not patient, clinical, audit, or accreditation-record details.

Provider: Netlify
Expected Role: Frontend hosting/CDN for static HTML/JS assets
PHI Status / Contract Position: No PHI stored on frontend servers. Avoid embedding PHI in URLs, query strings, static files, logs, or client-side telemetry.

Provider: Anthropic
Expected Role: AI-assisted policy drafting and report refinement
PHI Status / Contract Position: Aggregate/de-identified inputs only. No PHI, patient identifiers, Part 2 Records, named-patient logs, or identifiable audit findings should be transmitted.